@shayanb
Last active March 30, 2024 06:43
Token Checklist Table
| Token | Feature | Known Vulnerabilities | Resources | Examples |
|---|---|---|---|---|
| ERC20 | Allowance | Double withdrawal (front-running): a spender who sees a second `approve()` in the mempool can spend the old allowance first and then the new one | Resolving the Multiple Withdrawal Attack on ERC20 Tokens | |
| | | Not accounting for tokens that try to prevent the multiple withdrawal attack (for example, by reverting when a non-zero allowance is changed to another non-zero value) | Perpetual Protocol Audit issue 3.12 | |
| | `decimals()` | Decimals can be more than 18, which breaks code that assumes `10 ** (18 - decimals)` | | YamV2 has 24 decimals |
| | `transferFrom()` | Unprotected `transferFrom()`: a publicly callable path that moves tokens users have approved to the contract | Bancor Network Hack 2020 - 1inch | |
| | External calls | Unchecked call return value | Unchecked call return value | |
| | | DoS with unexpected revert | DoS with unexpected revert | |
| | Transfers | `transfer()` / `transferFrom()` may return `false` instead of reverting | | |
| | | Missing return value: the token returns nothing, so a call through a standard `IERC20` interface reverts while decoding the return data | Missing return value bug — At least 130 tokens affected | |
| | `balanceOf()` | Internal accounting discrepancy with the actual balance | aToken Withdrawal Vulnerability | aToken |
| | Blacklistable | Blacklisted addresses cannot receive or send tokens | CENTRE appears to have blacklisted an address holding USDC for the first time | USDC (FiatToken) |
| | Mintable / Burnable | `totalSupply` can be changed by trusted actors | | |
| | Pausable | All functionality can be paused by trusted actors | | |
| | Deflationary tokens (take fees from transfers) | Internal accounting discrepancy with the actual balance: the amount received is less than the amount passed to `transferFrom()` | Incident with non-standard ERC20 deflationary tokens | STA, STONK |
| | Inflationary tokens (airdrop interest to token holders) | Internal accounting discrepancy with the actual balance: a holder's balance grows without any transfer into the contract | | Compound |
| ERC1400 | Permissioned addresses | Can block transfers from/to specific addresses | | Polymath tokens |
| | Forced transfers | Trusted actors can transfer funds however they choose | | |
| ERC777 | Callbacks / hooks | Reentrancy: the `tokensReceived` / `tokensToSend` hooks hand control to the counterparty in the middle of a transfer | Uniswap audit, OpenZeppelin Example Uniswap exploit, imBTC Uniswap exploit | pTokens |
| | | Receiver mining: the receive hook runs on the sender's gas, so a receiver can mint GasToken at the sender's expense | | GasToken |
| | | Receiver blocks the transfer: in an iterative push transfer, one receiver whose hook reverts blocks all transfers | | |
| ERC1644 | Forced transfers | Controller has the ability to steal funds | | |
| ERC621 | Control of `totalSupply` | `totalSupply` can be changed by trusted actors | | |
| ERC884 | Cancel and reissue | Token implementers can cancel an address and move its tokens to a new address | | |
| | Whitelisting | Tokens can only be sent to whitelisted addresses | | |
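Several ERC20 rows above (unchecked call return value, `false` instead of revert, missing return value, decimals above 18, fee-on-transfer accounting, ERC777 reentrancy, and revert-based DoS from pausable or blacklistable tokens) are integration-side problems, so one contract can show the checks for all of them. The following is an added example written for this page, not code from the gist or from any of the projects it cites. All names (`DefensiveVault`, `IERC20View`, `toWad`, `fromWad`, `credited`) are this example's own; it assumes the token exposes `decimals()` and `balanceOf()` as in the standard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the gist: a vault that integrates arbitrary
// ERC20 tokens defensively. Names (DefensiveVault, IERC20View, toWad,
// fromWad, credited) are this example's own; the token is assumed to expose
// decimals() and balanceOf() as in the ERC20 standard.
interface IERC20View {
    function decimals() external view returns (uint8);
    function balanceOf(address account) external view returns (uint256);
}

contract DefensiveVault {
    // Callbacks / hooks (ERC777): a token hook can re-enter deposit() or
    // withdraw() while state is half-updated, so both are gated.
    uint256 private _status = 1;
    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    // Credited balance per token per depositor, normalised to 18 decimals.
    mapping(address => mapping(address => uint256)) public credited;

    // Covers "Unchecked call return value", "Might return False instead of
    // Revert" and "Missing return value": the call itself must succeed, and a
    // bool is decoded only if the token returned any data at all.
    function _callToken(address token, bytes memory data) private {
        (bool ok, bytes memory ret) = token.call(data);
        require(ok, "token call reverted");
        if (ret.length > 0) {
            require(abi.decode(ret, (bool)), "token returned false");
        }
    }

    // decimals() may exceed 18 (YamV2 has 24): scale in both directions
    // instead of computing 10 ** (18 - decimals), which underflows.
    function toWad(uint256 amount, uint8 decimals) public pure returns (uint256) {
        if (decimals == 18) return amount;
        if (decimals < 18) return amount * (10 ** uint256(18 - decimals));
        return amount / (10 ** uint256(decimals - 18)); // rounds dust down
    }

    function fromWad(uint256 wad, uint8 decimals) public pure returns (uint256) {
        if (decimals == 18) return wad;
        if (decimals < 18) return wad / (10 ** uint256(18 - decimals)); // rounds dust down
        return wad * (10 ** uint256(decimals - 18));
    }

    // Deflationary (fee-on-transfer) tokens: credit what actually arrived,
    // measured as the balance delta, never the requested `amount`.
    function deposit(address token, uint256 amount) external nonReentrant {
        uint256 before = IERC20View(token).balanceOf(address(this));
        _callToken(
            token,
            abi.encodeWithSignature("transferFrom(address,address,uint256)", msg.sender, address(this), amount)
        );
        uint256 received = IERC20View(token).balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        credited[token][msg.sender] += toWad(received, IERC20View(token).decimals());
    }

    // Checks-effects-interactions: debit first, then call out, so a receive
    // hook cannot withdraw twice. Withdrawals are pull-based and per caller:
    // if the token is paused or the caller is blacklisted, only this call
    // reverts, instead of an iterative push loop blocking everyone.
    function withdraw(address token, uint256 wad) external nonReentrant {
        credited[token][msg.sender] -= wad; // checked math: reverts if over-withdrawn
        uint256 raw = fromWad(wad, IERC20View(token).decimals());
        _callToken(token, abi.encodeWithSignature("transfer(address,uint256)", msg.sender, raw));
    }
}
```

Two caveats the table implies but the code cannot fix on its own. The balance delta only corrects the deposit: a token whose balances change afterwards (the inflationary and aToken rows) still drifts from `credited`, and needs share-based accounting on top. And the reentrancy guard stops re-entry but not the receiver-mining row, since an ERC777 receive hook still runs on this contract's gas.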
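The Allowance row deserves a concrete trace, because the race is easy to misread as "just approve zero first". The following is an added example for this page, not the gist's code: a minimal token (`AllowanceToken`, `compareAndApprove` and the comments are this example's own names and scenario) with the vulnerable standard `approve()` next to the two usual mitigations.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the gist. Contract and function names are
// this example's own; the race scenario in the comments is constructed.
contract AllowanceToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public totalSupply;

    constructor(uint256 supply) {
        totalSupply = supply;
        balanceOf[msg.sender] = supply;
    }

    // Standard approve(): vulnerable to the double withdrawal.
    //  1. Alice calls approve(Bob, 100).
    //  2. Alice later broadcasts approve(Bob, 50).
    //  3. Bob sees (2) in the mempool and front-runs it with
    //     transferFrom(Alice, Bob, 100).
    //  4. (2) is mined, allowance is 50; Bob calls
    //     transferFrom(Alice, Bob, 50). Bob received 150, Alice meant 50.
    function approve(address spender, uint256 value) external returns (bool) {
        allowance[msg.sender][spender] = value;
        return true;
    }

    // Mitigation 1 (the pattern OpenZeppelin's ERC20 shipped for years):
    // relative changes. A front-run spend of 100 plus decreaseAllowance(50)
    // reverts, and increaseAllowance(50) never grants more than intended.
    function increaseAllowance(address spender, uint256 added) external returns (bool) {
        allowance[msg.sender][spender] += added;
        return true;
    }

    function decreaseAllowance(address spender, uint256 subtracted) external returns (bool) {
        uint256 current = allowance[msg.sender][spender];
        require(current >= subtracted, "allowance below zero");
        allowance[msg.sender][spender] = current - subtracted;
        return true;
    }

    // Mitigation 2 (compare-and-set): the owner states what it believes the
    // current allowance is. If a front-run spend changed it, the call reverts
    // instead of silently granting a second allowance.
    function compareAndApprove(address spender, uint256 expected, uint256 value) external returns (bool) {
        require(allowance[msg.sender][spender] == expected, "allowance changed");
        allowance[msg.sender][spender] = value;
        return true;
    }

    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        uint256 current = allowance[from][msg.sender];
        require(current >= value, "insufficient allowance");
        require(balanceOf[from] >= value, "insufficient balance");
        allowance[from][msg.sender] = current - value;
        balanceOf[from] -= value;
        balanceOf[to] += value;
        return true;
    }
}
```

Approving zero before the new value, as the ERC20 text suggests, does not close the race by itself: Bob can front-run the `approve(Bob, 0)` with his 100-token `transferFrom` and then spend the 50 as well. It only helps if the owner checks that the allowance was still unspent before setting the new value, which is what the compare-and-set variant enforces on chain. Tokens that refuse non-zero-to-non-zero changes (the second Allowance row) are the mirror image of this problem: an integrator that calls plain `approve()` with a new value against such a token gets a revert, so code that must support them resets to zero first and then approves.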
@seaona

seaona commented Aug 16, 2023

The link for DoS with unexpected revert is broken. I think we can use this one instead

@shayanb (Author)

shayanb commented Aug 20, 2023

> The link for DoS with unexpected revert is broken. I think we can use this one instead

Thank you, updated the link.
