# Resolving the Multiple Withdrawal Attack on ERC20 Tokens

**Authors:** Reza Rahimian, Shayan Eskandari, Jeremy Clark

arXiv: 1907.00903 · 2019-07-02

## TL;DR

This paper analyzes the 'multiple withdrawal attack' on ERC20 tokens, evaluates existing mitigations, and proposes two new solutions, one fully compatible with the standard, to enhance security against this vulnerability.

## Contribution

The paper provides a comprehensive evaluation of existing mitigations for the ERC20 multiple withdrawal attack and introduces two novel solutions, one standard-compliant, to improve security.

## Key findings

- No existing mitigation fully resolves the attack.
- One proposed solution is fully compatible with ERC20 standards.
- The second solution reveals limitations in the approve method.

## Abstract

Custom tokens are an integral component of decentralized applications (dapps) deployed on Ethereum and other blockchain platforms. For Ethereum, the ERC20 standard is a widely used token interface and is interoperable with many existing dapps, user interface platforms, and popular web applications (e.g., exchange services). An ERC20 security issue, known as the "multiple withdrawal attack", was raised on GitHub and has been open since November 2016. The issue concerns ERC20's defined method approve() which was envisioned as a way for token holders to give permission for other users and dapps to withdraw a capped number of tokens. The security issue arises when a token holder wants to adjust the amount of approved tokens from N to M (this could be an increase or decrease). If malicious, a user or dapp who is approved for N tokens can front-run the adjustment transaction to first withdraw N tokens, then allow the approval to be confirmed, and withdraw an additional M tokens. In this paper, we evaluate 10 proposed mitigations for this issues and find that no solution is fully satisfactory. We then propose 2 new solutions that mitigate the attack, one of which fully fulfills constraints of the standard, and the second one shows a general limitation in addressing this issue from ERC20's approve method.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1907.00903/full.md

## Figures

13 figures with captions in the complete paper: https://tomesphere.com/paper/1907.00903/full.md

## References

24 references — full list in the complete paper: https://tomesphere.com/paper/1907.00903/full.md

---
Source: https://tomesphere.com/paper/1907.00903