TokenHook: Secure ERC-20 smart contract
Reza Rahimian, Jeremy Clark

TL;DR
This paper analyzes security vulnerabilities in ERC-20 tokens, provides a more secure implementation in Vyper and Solidity, and evaluates static analysis tools' effectiveness in detecting ERC-20 specific issues.
Contribution
The paper systemizes known vulnerabilities and their applicability to ERC-20 tokens, provides a new implementation of the ERC-20 interface in Vyper and Solidity with stronger security properties, and assesses how well static analysis tools identify token-specific security flaws.
Findings
Large inconsistencies across static analysis tools
High false positive rates in vulnerability detection
Room for improvement in security analysis tools
Abstract
ERC-20 is the most prominent Ethereum standard for fungible tokens. Tokens implementing the ERC-20 interface can interoperate with a large number of already deployed internet-based services and Ethereum-based smart contracts. In recent years, security vulnerabilities in ERC-20 have received special attention due to their widespread use and increased value. We systemize these vulnerabilities and their applicability to ERC-20 tokens, which has not been done before. Next, we use our domain expertise to provide a new implementation of the ERC-20 interface that is freely available in Vyper and Solidity, and has enhanced security properties and stronger compliance with best practices compared to the sole surviving reference implementation (from OpenZeppelin) in the ERC-20 specification. Finally, we use our implementation to study the effectiveness of seven static analysis tools, designed for…
Taxonomy
Topics: Blockchain Technology Applications and Security
