Skip to content

Instantly share code, notes, and snippets.

@shayanb
Last active February 15, 2024 14:48
  • Star 35 You must be signed in to star a gist
  • Fork 10 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save shayanb/cd495e23c7cf1a8b269f8ce7fd198538 to your computer and use it in GitHub Desktop.
Token Checklist Table
Token Feature Known Vulnerabilities Resources Examples
ERC20 Allowance Double withdrawal (front-running) Resolving the Multiple Withdrawal Attack on ERC20 Tokens
decimals() The decimals can be more than 18 YamV2 has 24 decimals
Not accounting for the tokens that try to prevent multiple withdrawal attack Perpetual Protocol Audit issue 3.12
Unprotected ‍‍‍‍‍‍‍transferFrom() Bancor Network Hack 2020 - 1inch
External Calls Unchecked Call Return Value Unchecked call return value
DoS with unexpected revert DoS with unexpected revert
Transfers Might return False instead of Revert
Missing return value Missing return value bug — At least 130 tokens affected
BalanceOf() Internal Accounting discrepancy with the Actual Balance aToken Withdrawal Vulnerability aToken
Blacklistable Blacklisted addresses cannot receive or send tokens CENTRE appears to have blacklisted an address holding USDC for the first time USDC (FiatToken)
Mintable / Burnable TotalSupply can change by trusted actors
Pausable All functionalities can be paused by trusted actors
Deflationary Tokens Take fees from transfers Internal Accounting discrepancy with the Actual Balance Incident with non-standard ERC20 deflationary tokens STA, STONK
Inflationary Tokens AirDrop interest to token holders Internal Accounting discrepancy with the Actual Balance Compound
ERC1400 Permissioned Addresses Can block transfers from/to specific addresses Polymath tokens
Forced Transfers Trusted actors have the ability to transfer funds however they choose
ERC777 Callbacks / Hooks Reentrancy Uniswap audit, OpenZeppelin Example Uniswap exploit, imBTC Uniswap exploit pTokens
Receiver mining GasToken
Receiver blocks the transfer In case of iterative push transfer can block all transfers
ERC1644 Forced Transfers Controller has the ability to steal funds
ERC621 Control of totalSupply totalSupply can be changed by trusted actors
ERC884 Cancel and Reissue Token implementers have the ability to cancel an address and move its tokens to a new address
Whitelisting Tokens can only be sent to whitelisted addresses
@seaona
Copy link

seaona commented Aug 16, 2023

The link for DoS with unexpected revert is broken. I think we can use this one instead

@shayanb
Copy link
Author

shayanb commented Aug 20, 2023

The link for DoS with unexpected revert is broken. I think we can use this one instead

Thank you, updated the link.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment