|
|
@@ -0,0 +1,24 @@ |
|
|
| Token | Feature | Known Vulnerabilities | Resources | Examples | |
|
|
|:--------------------------:|:----------------------------------------:|:---------------------------------------------------------------------------------------------------------------------------------------:|:--------------------------------------------------------------------------------------------------------------------------------------------:|:----------------------------------------------------------------:| |
|
|
| ERC20 | **Allowance** | Double withdrawal (front-running) | [Resolving the Multiple Withdrawal Attack on ERC20 Tokens](https://users.encs.concordia.ca/~clark/papers/2019_sb_erc20.pdf) | | |
|
|
| | | Not accounting for the tokens that try to prevent multiple withdrawal attack | [Perpetual Protocol Audit issue 3.12](https://github.com/peckshield/publications/blob/f2c00358fd37332fdeffa12355a9a5d4330c9f95/audit_reports/perpfi_audit_report_2020_46_en_1_0.pdf) | | |
|
|
| | | Unprotected *transferFrom()* | [Bancor Network Hack 2020 - 1inch](https://medium.com/@1inch.exchange/bancor-network-hack-2020-3c71444fd59d) | | |
|
|
| | **External Calls** | Unchecked Call Return Value | [Unchecked call return value](https://swcregistry.io/docs/SWC-104) | | |
|
|
| | | DoS with unexpected revert | [DoS with unexpected revert](https://consensys.github.io/smart-contract-best-practices/known_attacks/#dos-with-unexpected-revert) | | |
|
|
| | **Transfers** | Might return False instead of Revert | | | |
|
|
| | | Missing return value | [Missing return value bug — At least 130 tokens affected](https://medium.com/coinmonks/missing-return-value-bug-at-least-130-tokens-affected-d67bf08521ca) | | |
|
|
| | **BalanceOf()** | Internal Accounting discrepancy with the Actual Balance | [aToken Withdrawal Vulnerability](https://medium.com/trustless-fund/atoken-withdrawal-vulnerability-disclosure-5d8eadc64539) | aToken | |
|
|
| | **Blacklistable** | Blacklisted addresses cannot receive or send tokens | [CENTRE appears to have blacklisted an address holding USDC for the first time](https://www.theblockcrypto.com/linked/70850/centre-appears-to-have-blacklisted-an-address-holding-usdc-for-the-first-time) | USDC (FiatToken) | |
|
|
| | **Mintable / Burnable** | TotalSupply can change by trusted actors | | | |
|
|
| | **Pausable** | All functionalities can be paused by trusted actors | | | |
|
|
| Deflationary Tokens | **Take fees from transfers** | Internal Accounting discrepancy with the Actual Balance | [Incident with non-standard ERC20 deflationary tokens](https://medium.com/balancer-protocol/incident-with-non-standard-erc20-deflationary-tokens-95a0f6d46dea) | STA, STONK | |
|
|
| Inflationary Tokens | **AirDrop interest to token holders** | Internal Accounting discrepancy with the Actual Balance | | Compound | |
|
|
| ERC1400 | **Permissioned Addresses** | Can block transfers from/to specific addresses | | Polymath tokens | |
|
|
| | **Forced Transfers** | Trusted actors have the ability to transfer funds however they choose | | | |
|
|
| ERC777 | **Callbacks / Hooks** | Reentrancy | [Uniswap audit](https://medium.com/consensys-diligence/uniswap-audit-b90335ac007), [OpenZeppelin Example Uniswap exploit](https://github.com/OpenZeppelin/exploit-uniswap), [imBTC Uniswap exploit](https://defirate.com/imbtc-uniswap-hack/) | pTokens | |
|
|
| | | Receiver mining GasToken | | | |
|
|
| | | Receiver blocks the transfer | In case of iterative push transfer can block all transfers | | |
|
|
| ERC1644 | **Forced Transfers** | Controller has the ability to steal funds | | | |
|
|
| ERC621 | **Control of totalSupply** | totalSupply can be changed by trusted actors | | | |
|
|
| ERC884 | **Cancel and Reissue** | Token implementers have the ability to cancel an address and move its tokens to a new address | | | |
|
|
| | **Whitelisting** | Tokens can only be sent to whitelisted addresses | | | |
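Review bot: the "Receiver blocks the transfer" row (ERC777, Callbacks / Hooks) puts descriptive text, "In case of iterative push transfer can block all transfers", in the Resources column where every other row carries a link; move that sentence into the Known Vulnerabilities cell (e.g. "Receiver blocks the transfer: with iterative push transfers one reverting receiver can block all transfers") and leave Resources empty or add a reference, otherwise readers scanning the column will take it for a citation. Also, function and field names are cased inconsistently across rows: "BalanceOf()" should be "balanceOf()" to match "transferFrom()", and "TotalSupply can change by trusted actors" (Mintable / Burnable) should use "totalSupply" as the ERC621 row does. Finally, several vulnerability rows ship with neither a Resource nor an Example ("Might return False instead of Revert", "Receiver mining GasToken", "Controller has the ability to steal funds", "Cancel and Reissue", "Whitelisting"); a one-line pointer to the relevant standard section or an affected token would make those entries as actionable as the linked ones.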