
ERC-20 Tokens: A Breeding Ground for Crypto Scams Despite Intended Fixes

Apr 03, 2024 at 09:30 pm

ERC-20 tokens, widely used in the crypto industry, remain vulnerable to theft. Updates intended to enhance efficiency have introduced new loopholes that malicious actors exploit. Despite the seriousness of the issue, scams targeting ERC-20 tokens continue to rise, with even experienced crypto users falling victim. The immutable nature of smart contracts complicates efforts to rectify flaws in ERC-20 design, while social engineering tactics remain a major driver of these attacks.

ERC-20 Tokens: A Breeding Ground for Crypto Scams, Despite Intended Fixes

Introduction

ERC-20 tokens, the ubiquitous token standard on the Ethereum network, have become a prime target for malicious actors, accounting for a staggering 89.5% of crypto losses due to phishing scams in March alone. This alarming statistic underscores the inherent vulnerabilities within the ERC-20 design, which have been inadvertently exacerbated by updates intended to enhance efficiency.

Historical Context and Design Flaws

Introduced in 2015, ERC-20 tokens have long suffered from gaping security holes. These flaws stem from fundamental design decisions made early on, according to Mikko Ohtamaa, co-founder of Trading Strategy. These design flaws are particularly problematic for Ethereum and Solana, while other chains have implemented fixes.

However, the immutable nature of smart contracts complicates efforts to rectify the shortcomings of ERC-20 tokens, further exacerbating the problem.

Uniswap's Permit2: A Case Study in Unintended Consequences

Uniswap's Permit2, launched in 2022, was meant to streamline transactions by letting users grant token approvals to DApps in a batch, reducing gas fees by removing the need for a separate approval for each transaction.

However, as security researcher Roman Rakhlin demonstrated shortly after its release, illicit actors can obtain Permit2 signatures through phishing schemes and use them to steal tokens from unsuspecting victims. Despite his warnings, Uniswap has yet to respond to requests for comment.

ERC-20 and Cryptocurrency Scams

ERC-20 tokens, despite their shortcomings, revolutionized the creation and use of fungible tokens on Ethereum. However, their interactions with smart contracts differ significantly from Ether, the native currency, creating opportunities for malicious actors.

For instance, malicious entities can exploit the approval process required for ERC-20 token interactions with smart contracts, tricking users into signing fraudulent messages. Mikhail Vladimirov, an Ethereum developer and auditor, highlights this fundamental flaw in the standard's design.

Moreover, functions such as increaseAllowance and decreaseAllowance, introduced in 2017 to address theoretical attack vectors, have themselves become avenues for scams. Lev Menshikov, a security researcher at Oxorio, explains that attackers can abuse the increaseAllowance function by tricking users into raising token allowances, enabling the theft of the approved tokens.

The Immutable Curse: A Roadblock to Security

Despite efforts to mitigate the risks associated with the increaseAllowance function, its removal from the ERC-20 contract and relocation to an extension highlight the limits imposed by the immutability of smart contracts: tokens already deployed cannot be modified, so they remain exposed to these scams.

While upgradable proxies and intermediary contracts offer workarounds, they cannot eliminate the fundamental attack vector posed by the approve function.

Social Engineering: A Primary Facilitator

Vladimirov argues that the proliferation of scams is primarily attributable to social engineering tactics that exploit human vulnerabilities rather than technological flaws. He emphasizes the need for wallets to adopt simpler, more user-friendly interfaces to reduce susceptibility to scams.

Phishing Attacks: A Growing Threat

Phishing attacks have become increasingly sophisticated, targeting even experienced crypto users like Necksus, a crypto miner and intelligence analyst. Necksus fell victim to a phishing scheme that resulted in a significant loss of funds.

Even users who employ additional precautionary measures, such as transaction simulators, are not immune to these attacks. Oxorio's Menshikov warns of emerging trends in phishing, such as attacks targeting ENS domain owners.

Solutions: The Elusive Panacea

Vladimirov believes that on-chain solutions are inadequate to combat phishing attacks, emphasizing the role of social engineering as a longstanding problem that predates cryptocurrency. He advocates for the development of security tools that can alert users to known attack vectors.

Larry the Cucumber, co-founder of Pickle Finance, recommends using security tools like WalletGuard and Pocket Universe to detect malicious URLs and protect against wallet drainers.

Pcaversaccio, an independent security researcher, urges extreme caution, advising users to be suspicious of all communications and to carefully scrutinize every transaction they sign.

A Cynical Perspective

Ohtamaa offers a somewhat cynical view, suggesting that addressing the issue would be less profitable than offering remedies after the fact. He cites the adage, "It is always more profitable to sell aspirin than to cure the patient."

Conclusion

ERC-20 tokens, despite their ubiquitous presence, remain vulnerable to scams due to inherent design flaws and the immutability of smart contracts. While efforts have been made to address these vulnerabilities, the proliferation of social engineering tactics has made phishing attacks an ever-present threat. The onus falls on the security community to develop tools and educate users to mitigate these risks. Until then, the crypto landscape will continue to be plagued by scams that exploit the weaknesses of the ERC-20 standard.

Disclaimer

The information provided is not trading advice. kdj.com does not assume any responsibility for any investments made based on the information provided in this article. Cryptocurrencies are highly volatile and it is highly recommended that you invest with caution after thorough research!