Polina is an undergraduate student at Belarusian State Economic University (BSEU) where she is studying at the faculty of International Business Communication for a degree specializing in Intercultural Communication. In her spare time she enjoys drawing, music and travelling.
New research by ArmorsLabs analysts has revealed serious security vulnerabilities in code that follows the Ethereum ERC20 token standard.
ArmorsLabs, a blockchain security lab, has announced that it found major security holes in ERC20, the standard used for Ethereum-based token smart contracts.
The lab examined over 10,000 ERC20-based smart contracts and detected security holes in their code that could enable attacks on the tokens they manage. According to its market statistics, over 60% of tokens use this vulnerable code in their smart contracts.
ERC20 is the first and the most widespread Ethereum token standard. Introduced in 2015, it has become popular among crypto exchanges, digital wallets, developers and crowdfunding startups thanks to its perceived security and easy integration with different platforms. With the standard in place, companies no longer need to write their own specifications for issuing a token or their own rules for making tokens compatible with wallets and exchanges.
One of the most serious vulnerabilities found by ArmorsLabs in the ERC20 standard is called "iaeden". Let's take a closer look at the loophole.
The ERC20 standard interface consists of six functions (totalSupply, balanceOf, transfer, transferFrom, approve, allowance) and two events (Transfer, Approval). The approve and transferFrom pair was designed with decentralized exchanges in mind: a token holder can authorize a third party to spend a specified amount of tokens on the holder's behalf.
When analyzing the official ERC20 reference implementation, the lab detected a vulnerability in the approve function. Party A authorizes Party B to spend a certain amount of A's tokens. If A later calls approve again to change that amount, B can watch for the pending transaction, spend the original allowance with transferFrom before A's new approve is mined, and then spend the newly set allowance as well. These repeated transferFrom calls by B cost A more tokens than A ever intended to authorize.
Such an authorization mechanism is widely used by online exchanges, third-party payment services and quantitative fund managers, so this type of vulnerability puts digital assets worth billions of dollars at risk.
In addition to the "iaeden" loophole, ArmorsLabs has discovered other vulnerabilities.
The reference contract does not block transfers to the zero address (0x0). Tokens sent there are effectively destroyed, so a large holder, by mistake or deliberately, can remove a significant share of the supply from circulation and disrupt the token's economics.
ArmorsLabs focuses on smart contract ecosystem development and security vulnerability analysis. Armors offers a "blockchain immune system" that uses machine learning and AI techniques to build multidimensional models for DApps.
The company provides a range of security services for smart contracts, including crowdsourced development, vulnerability detection, security consultants from the Armors committee, and smart contract upgrade support. Team members have extensive experience at companies such as Google, Apple, Tencent, Baidu, and 360. Armors plans to build general-purpose smart contract security specifications and aims to create a blockchain security ecosystem.
ArmorsLabs advises every cryptocurrency exchange and token project to thoroughly review its smart contract code and work with experienced audit partners in order to prevent irreversible consequences and find the best solution.