Token | Feature | Known Vulnerabilities | Resources | Examples |
---|---|---|---|---|
ERC20 | Allowance | Double withdrawal (front-running) | Resolving the Multiple Withdrawal Attack on ERC20 Tokens | |
ERC20 | Allowance | Not accounting for tokens that try to prevent the multiple withdrawal attack | Perpetual Protocol Audit issue 3.12 | |
ERC20 | Allowance | Unprotected transferFrom() | Bancor Network Hack 2020 - 1inch | |
ERC20 | decimals() | The decimals can be more than 18 | YamV2 has 24 decimals | |
ERC20 | External Calls | Unchecked call return value | Unchecked call return value | |
ERC20 | External Calls | DoS with unexpected revert | DoS with unexpected revert | |
ERC20 | Transfers | Might return false instead of reverting | | |
ERC20 | Transfers | Missing return value | Missing return value bug — At least 130 tokens affected | |
ERC20 | balanceOf() | Internal accounting discrepancy with the actual balance | aToken Withdrawal Vulnerability | aToken |
ERC20 | Blacklistable | Blacklisted addresses cannot receive or send tokens | CENTRE appears to have blacklisted an address holding USDC for the first time | USDC (FiatToken) |
ERC20 | Mintable / Burnable | totalSupply can be changed by trusted actors | | |
ERC20 | Pausable | All functionality can be paused by trusted actors | | |
Deflationary Tokens | Take fees from transfers | Internal accounting discrepancy with the actual balance | Incident with non-standard ERC20 deflationary tokens | STA, STONK |
Inflationary Tokens | Airdrop interest to token holders | Internal accounting discrepancy with the actual balance | Compound | |
ERC1400 | Permissioned Addresses | Can block transfers from/to specific addresses | Polymath tokens | |
ERC1400 | Forced Transfers | Trusted actors can transfer funds however they choose | | |
ERC777 | Callbacks / Hooks | Reentrancy | Uniswap audit, OpenZeppelin Example Uniswap exploit, imBTC Uniswap exploit | pTokens |
ERC777 | Callbacks / Hooks | Receiver mining GasToken | | |
ERC777 | Callbacks / Hooks | Receiver blocks the transfer (with iterative push transfers, a single receiver can block all transfers) | | |
ERC1644 | Forced Transfers | Controller has the ability to steal funds | | |
ERC621 | Control of totalSupply | totalSupply can be changed by trusted actors | | |
ERC884 | Cancel and Reissue | Token implementers can cancel an address and move its tokens to a new address | | |
ERC884 | Whitelisting | Tokens can only be sent to whitelisted addresses | | |
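The following is an added example, not code from the gist or from any project it lists. It shows the defensive side of several ERC20 rows at once: a transfer wrapper that accepts tokens with a missing return value and rejects tokens that return false instead of reverting, a code-length check so an unchecked low-level call to a non-contract cannot pass as success, and a vault that credits deposits by measured balance delta so deflationary (fee-on-transfer) tokens cannot open an internal-accounting discrepancy. The library and contract names (`SafeTokenOps`, `DeltaVault`) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface; only what the wrapper and vault need.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// @notice Hypothetical wrapper (added example) that tolerates the three
/// transfer behaviours in the table: returns true, returns false, or returns nothing.
library SafeTokenOps {
    error TransferFailed(address token);

    function _callOptionalReturn(IERC20 token, bytes memory data) private {
        // Low-level call: a token with no return value would make a typed
        // interface call revert on abi.decode of empty returndata.
        (bool success, bytes memory ret) = address(token).call(data);
        require(success, "token call reverted");
        if (ret.length == 0) {
            // Unchecked call return value: a call to an EOA or a destroyed
            // contract also "succeeds" with empty returndata, so insist on code.
            require(address(token).code.length > 0, "token is not a contract");
            return; // missing-return-value token: not reverting means success
        }
        // Token that returns false instead of reverting
        if (!abi.decode(ret, (bool))) revert TransferFailed(address(token));
    }

    function safeTransfer(IERC20 token, address to, uint256 amount) internal {
        _callOptionalReturn(token, abi.encodeCall(IERC20.transfer, (to, amount)));
    }

    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) internal {
        _callOptionalReturn(token, abi.encodeCall(IERC20.transferFrom, (from, to, amount)));
    }
}

/// @notice Hypothetical vault (added example) that credits depositors by the
/// balance the vault actually received, not the nominal amount requested.
contract DeltaVault {
    using SafeTokenOps for IERC20;

    IERC20 public immutable token;
    mapping(address => uint256) public credited;
    uint256 public totalCredited;

    constructor(IERC20 _token) {
        token = _token;
    }

    function deposit(uint256 amount) external {
        uint256 before = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        // Deflationary token: the fee is taken in transit, so credit the delta.
        uint256 received = token.balanceOf(address(this)) - before;
        credited[msg.sender] += received;
        totalCredited += received;
    }

    function withdraw(uint256 amount) external {
        // Effects before interaction: a token with transfer hooks (ERC777 style)
        // that re-enters withdraw sees the already reduced balance.
        credited[msg.sender] -= amount; // reverts on underflow in Solidity 0.8
        totalCredited -= amount;
        token.safeTransfer(msg.sender, amount);
    }
}
```

Two design notes. `withdraw` debits the nominal `amount`; with a fee-on-transfer token the user receives less, but the vault's books stay consistent with its real balance, which is the property the table's "internal accounting discrepancy" rows are about. Interest that an inflationary token airdrops to the vault is not credited to anyone here; a vault that wants to pass it on needs a share-based accounting model rather than this fixed-credit one.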
Token Checklist Table (gist shayanb/cd495e23c7cf1a8b269f8ce7fd198538), last active September 2, 2024 21:33
Comment: The link for "DoS with unexpected revert" is broken. I think we can use this one instead.
Reply: Thank you, updated the link.