TokenHook: Secure ERC-20 smart contract
This addresses security risks for users and developers of ERC-20 tokens, which are widely used in Ethereum, but it is incremental as it builds on existing standards and tools.
The authors tackled security vulnerabilities in ERC-20 smart contracts by systemizing these issues and providing a new, more secure implementation in Vyper and Solidity, while also evaluating seven static analysis tools and finding inconsistencies and high false positives.
ERC-20 is the most prominent Ethereum standard for fungible tokens. Tokens implementing the ERC-20 interface can interoperate with a large number of already deployed internet-based services and Ethereum-based smart contracts. In recent years, security vulnerabilities in ERC-20 have received special attention due to their widespread use and increased value. We systemize these vulnerabilities and their applicability to ERC-20 tokens, which has not been done before. Next, we use our domain expertise to provide a new implementation of the ERC-20 interface that is freely available in Vyper and Solidity, and has enhanced security properties and stronger compliance with best practices compared to the sole surviving reference implementation (from OpenZeppelin) in the ERC-20 specification. Finally, we use our implementation to study the effectiveness of seven static analysis tools, designed for general smart contracts, for identifying ERC-20 specific vulnerabilities. We find large inconsistencies across the tools and a high number of false positives which shows there is room for further improvement of these tools.