TokenHook: Secure ERC-20 smart contract

ERC-20 is the most prominent Ethereum standard for fungible tokens. Tokens implementing the ERC-20 interface can interoperate with a large number of already deployed internet-based services and Ethereum-based smart contracts. In recent years, security vulnerabilities in ERC-20 have received special attention due to their widespread use and increased value. We systemize these vulnerabilities and their applicability to ERC-20 tokens, which has not been done before. Next, we use our domain expertise to provide a new implementation of the ERC-20 interface that is freely available in Vyper and Solidity, and has enhanced security properties and stronger compliance with best practices compared to the sole surviving reference implementation (from OpenZeppelin) in the ERC-20 specification. Finally, we use our implementation to study the effectiveness of seven static analysis tools, designed for general smart contracts, at identifying ERC-20-specific vulnerabilities. We find large inconsistencies across the tools and a high number of false positives, which shows there is room for further improvement of these tools.
