ERC-20 is the most prominent Ethereum standard for fungible tokens. Tokens implementing the ERC-20 interface can interoperate with a large number of already deployed internet-based services and Ethereum-based smart contracts. In recent years, security vulnerabilities in ERC-20 tokens have received special attention because of their widespread use and increasing value. We systematize these vulnerabilities and their applicability to ERC-20 tokens, which has not been done before. Next, we use our domain expertise to provide a new implementation of the ERC-20 interface that is freely available in both Vyper and Solidity and has enhanced security properties and stronger compliance with best practices than the sole surviving reference implementation (from OpenZeppelin) cited in the ERC-20 specification. Finally, we use our implementation to study the effectiveness of seven static analysis tools, designed for general smart contracts, at identifying ERC-20-specific vulnerabilities. We find large inconsistencies across the tools and a high number of false positives, which shows that there is room for further improvement of these tools.