Ethereum’s ERC-20 design flaws are a crypto scammer’s best friend

Among the assets most frequently purloined in the cryptocurrency sector are ERC-20 tokens. Countermeasures devised to address these issues often inadvertently facilitate theft.

The Ethereum network’s widely used token standard accounted for 89.5% of the $71.5 million in cryptocurrency lost to phishing scams in March, as reported by Scam Sniffer.

Theft of these tokens occurred when individuals, unaware of the deceit, authorized actions like “permit” and “increaseAllowance.” These functions, designed to enhance the efficiency of the token standard, have instead introduced new vulnerabilities.

Debuted in 2015, ERC-20 tokens exhibit significant security vulnerabilities, with little prospect of prompt resolution.

“The root of the issue lies in historically poor choices in ERC-20 and Ethereum architectural decisions,” remarked Mikko Ohtamaa, co-founder of the Trading Strategy algorithmic investment protocol, in an interview with the Magazine.

He explained that concerns related to token architecture predominantly afflict Ethereum and, to a lesser extent, Solana.

“The problem has been addressed in alternative chains such as MultiversX, Radix, Cosmos-based counterparts, and others,” Ohtamaa elucidated.

However, the immutable nature of smart contracts complicates attempts to rectify the flaws in ERC-20.

Ethereum serves as the epicenter for phishing activities. (Scam Sniffer)

Deceptive maneuvers: Uniswap’s Permit2

Uniswap’s “Permit2,” a smart contract introduced in 2022, seeks to streamline transactions by enabling users to grant batch token approvals to DApps. This removes the need for an individual approval for each transaction, thus saving on gas fees.

Permit2 mirrors its predecessor, “permit,” from Ethereum Improvement Proposal-2612, which introduced off-chain token approvals. Since these are not executed on-chain, signing these messages does not entail gas fees.

EIP-2612 serves as an extension of ERC-20, rendering it an elective feature. Nevertheless, most circulating ERC-20 tokens lack this supplement, restricting users from always reaping the…
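How a wallet or monitoring tool could recognize the approval-granting requests discussed above, shown as an added example that is not code from the article, Scam Sniffer or Uniswap. It covers only the EIP-2612 Permit message shape and the approve/increaseAllowance calls, not Permit2's own message types; the function names, the one-day threshold and the sample addresses are assumptions made for illustration.

```python
# Added example (not from the article): flag wallet requests that grant an
# ERC-20 allowance, whether sent on-chain or signed off-chain.
MAX_UINT256 = 2**256 - 1
# 4-byte selectors of approve(address,uint256) and increaseAllowance(address,uint256)
ALLOWANCE_SELECTORS = {"095ea7b3": "approve", "39509351": "increaseAllowance"}
LONG_LIVED_SECONDS = 24 * 3600  # assumed policy threshold, not from the article


def review_typed_data(typed_data, now):
    """Return a finding for an EIP-2612 Permit signing request, else None."""
    msg = typed_data.get("message", {})
    # Only the standard EIP-2612 shape is covered; other permit variants return None.
    if typed_data.get("primaryType") != "Permit" or not {"spender", "value", "deadline"} <= msg.keys():
        return None
    value = int(str(msg["value"]), 0)        # wallets pass decimal or 0x-hex strings
    deadline = int(str(msg["deadline"]), 0)
    return {
        "kind": "permit",  # off-chain signature: costs no gas, so no transaction prompt
        "token": typed_data["domain"]["verifyingContract"],
        "spender": msg["spender"].lower(),
        "unlimited": value == MAX_UINT256,
        "long_lived": deadline - now > LONG_LIVED_SECONDS,
    }


def review_calldata(token, data_hex):
    """Return a finding for approve/increaseAllowance calldata, else None."""
    data = data_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    kind = ALLOWANCE_SELECTORS.get(data[:8])
    if kind is None or len(data) != 8 + 128:  # selector + two 32-byte words
        return None
    value = int(data[72:], 16)                # second word: amount
    return {"kind": kind, "token": token, "spender": "0x" + data[32:72],
            "unlimited": value == MAX_UINT256}


# Constructed sample inputs (placeholder addresses, not real contracts).
TOKEN, SPENDER = "0x" + "11" * 20, "0x" + "22" * 20
SAMPLE_PERMIT = {
    "primaryType": "Permit",
    "domain": {"name": "ExampleToken", "chainId": 1, "verifyingContract": TOKEN},
    "message": {"owner": "0x" + "33" * 20, "spender": SPENDER,
                "value": str(MAX_UINT256), "nonce": 0, "deadline": 1_700_000_000 + 30 * 86400},
}
SAMPLE_CALLDATA = "0x39509351" + SPENDER[2:].rjust(64, "0") + format(MAX_UINT256, "064x")

if __name__ == "__main__":
    print(review_typed_data(SAMPLE_PERMIT, now=1_700_000_000))
    print(review_calldata(TOKEN, SAMPLE_CALLDATA))
```

Both sample requests come back flagged as unlimited allowances to the same spender; the permit is additionally flagged as long-lived because its deadline is 30 days out.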
