Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Token Checklist Table
Token Feature Known Vulnerabilities Resources Examples
ERC20 Allowance Double withdrawal (front-running) Resolving the Multiple Withdrawal Attack on ERC20 Tokens
decimals() The decimals can be more than 18 YamV2 has 24 decimals
Not accounting for the tokens that try to prevent multiple withdrawal attack Perpetual Protocol Audit issue 3.12
Unprotected ‍‍‍‍‍‍‍transferFrom() Bancor Network Hack 2020 - 1inch
External Calls Unchecked Call Return Value Unchecked call return value
DoS with unexpected revert DoS with unexpected revert
Transfers Might return False instead of Revert
Missing return value Missing return value bug — At least 130 tokens affected
BalanceOf() Internal Accounting discrepancy with the Actual Balance aToken Withdrawal Vulnerability aToken
Blacklistable Blacklisted addresses cannot receive or send tokens CENTRE appears to have blacklisted an address holding USDC for the first time USDC (FiatToken)
Mintable / Burnable TotalSupply can change by trusted actors
Pausable All functionalities can be paused by trusted actors
Deflationary Tokens Take fees from transfers Internal Accounting discrepancy with the Actual Balance Incident with non-standard ERC20 deflationary tokens STA, STONK
Inflationary Tokens AirDrop interest to token holders Internal Accounting discrepancy with the Actual Balance Compound
ERC1400 Permissioned Addresses Can block transfers from/to specific addresses Polymath tokens
Forced Transfers Trusted actors have the ability to transfer funds however they choose
ERC777 Callbacks / Hooks Reentrancy Uniswap audit, OpenZeppelin Example Uniswap exploit, imBTC Uniswap exploit pTokens
Receiver mining GasToken
Receiver blocks the transfer In case of iterative push transfer can block all transfers
ERC1644 Forced Transfers Controller has the ability to steal funds
ERC621 Control of totalSupply totalSupply can be changed by trusted actors
ERC884 Cancel and Reissue Token implementers have the ability to cancel an address and move its tokens to a new address
Whitelisting Tokens can only be sent to whitelisted addresses
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment