ERC-20 tokens, widely used across the crypto industry, remain easy to steal. Updates meant to improve efficiency introduced new vulnerabilities that malicious actors exploit. Despite the severity of the problem, scams targeting ERC-20 tokens keep increasing, and even experienced cryptocurrency users fall victim. The immutability of smart contracts complicates efforts to correct ERC-20 design flaws, while social engineering tactics remain the main driver of these attacks.
ERC-20 Tokens: A Breeding Ground for Crypto Scams, Despite Intended Fixes
Introduction
ERC-20 tokens, the ubiquitous token standard on the Ethereum network, have become a prime target for malicious actors, accounting for a staggering 89.5% of crypto losses due to phishing scams in March alone. This alarming statistic underscores the inherent vulnerabilities within the ERC-20 design, which have been inadvertently exacerbated by updates intended to enhance efficiency.
Historical Context and Design Flaws
Introduced in 2015, ERC-20 tokens have long suffered from gaping security holes. These flaws stem from fundamental design decisions made early on, according to Mikko Ohtamaa, co-founder of Trading Strategy. These design flaws are particularly problematic for Ethereum and Solana, while other chains have implemented fixes.
However, the immutable nature of smart contracts complicates efforts to rectify the shortcomings of ERC-20 tokens, further exacerbating the problem.
Uniswap's Permit2: A Case Study in Unintended Consequences
Uniswap's Permit2, launched in 2022, was designed to streamline transactions by letting users grant batch token approvals to DApps, reducing gas fees by removing the need for a separate approval for each transaction.
However, as security researcher Roman Rakhlin demonstrated shortly after its release, illicit actors could obtain permit signatures through phishing schemes, facilitating the theft of tokens from unsuspecting victims. Despite his warnings, Uniswap has yet to respond to requests for comment.
ERC-20 and Cryptocurrency Scams
ERC-20 tokens, despite their shortcomings, revolutionized the creation and use of fungible tokens on Ethereum. However, their interactions with smart contracts differ significantly from Ether, the native currency, creating opportunities for malicious actors.
For instance, malicious entities can exploit the approval process required for ERC-20 token interactions with smart contracts, tricking users into signing fraudulent messages. Mikhail Vladimirov, an Ethereum developer and auditor, highlights this fundamental flaw in the standard's design.
Moreover, functions such as increaseAllowance and decreaseAllowance, introduced in 2017 to address theoretical attack vectors, have themselves become avenues for scams. Lev Menshikov, a security researcher at Oxorio, explains that attackers can abuse the increaseAllowance function to trick users into raising a token allowance, enabling the theft of the approved tokens.
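The approval flaw described above is a wallet-side problem as much as a contract-level one: the user is asked to sign a call whose consequences (who may spend, and how much) are not obvious from the signing prompt. The following is an added example, not code from the article or from any wallet, tool or project it names. It decodes the ABI-encoded calldata of a pending transaction and flags the two allowance-granting functions the article discusses, approve() and increaseAllowance(), when they would hand a spender an unlimited or oversized allowance, or when the spender is not on a user-maintained allowlist. The 4-byte selectors are the standard ERC-20 ones; the allowlist, the size threshold and the sample addresses are assumptions made for this example.

```python
"""
Screening ERC-20 approval calldata before the user signs it.

Added example (not code from the article or from any project it names).
Decodes the ABI-encoded calldata of a pending transaction and flags
approve()/increaseAllowance() calls that would grant an unlimited or
oversized allowance, or an allowance to a spender that is not on a
user-maintained allowlist. Selectors are the standard ERC-20 ones; the
allowlist, threshold and sample addresses are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

UINT256_MAX = 2**256 - 1

# First four bytes of keccak256(signature): the well-known ERC-20 selectors.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}
ALLOWANCE_FUNCTIONS = {"approve(address,uint256)", "increaseAllowance(address,uint256)"}


@dataclass
class Finding:
    function: str
    spender: Optional[str]
    amount: Optional[int]
    risk: str                      # "low", "high" or "unknown"
    reasons: list = field(default_factory=list)


def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word after the selector."""
    start = 4 + 32 * index
    chunk = data[start:start + 32]
    if len(chunk) != 32:
        raise ValueError(f"calldata too short for argument {index}")
    return chunk


def _address(word: bytes) -> str:
    """An address occupies the low 20 bytes of its word; the padding must be zero."""
    if any(word[:12]):
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()


def screen_calldata(calldata_hex: str,
                    trusted_spenders: frozenset = frozenset(),
                    large_amount: int = 10**24) -> Finding:
    """Classify one transaction's calldata; 'high' means the wallet should warn."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a function selector")
    signature = SELECTORS.get(data[:4].hex())
    if signature is None:
        return Finding("unknown:0x" + data[:4].hex(), None, None, "unknown",
                       ["selector not in the ERC-20 table"])
    if signature not in ALLOWANCE_FUNCTIONS:
        # transfer/transferFrom move tokens now but grant no standing permission,
        # so they are outside the allowance-phishing pattern this check targets.
        return Finding(signature, None, None, "low")
    spender = _address(_word(data, 0))
    amount = int.from_bytes(_word(data, 1), "big")
    reasons = []
    if amount == UINT256_MAX:
        reasons.append("unlimited allowance (uint256 max)")
    elif amount >= large_amount:
        reasons.append(f"allowance {amount} exceeds threshold {large_amount}")
    if spender not in {s.lower() for s in trusted_spenders}:
        reasons.append(f"spender {spender} is not on the allowlist")
    return Finding(signature, spender, amount, "high" if reasons else "low", reasons)


def encode_allowance_call(selector_hex: str, spender: str, amount: int) -> str:
    """Build approve/increaseAllowance calldata; used here only to construct sample inputs."""
    spender_word = bytes.fromhex(spender.removeprefix("0x")).rjust(32, b"\x00")
    return "0x" + selector_hex + spender_word.hex() + amount.to_bytes(32, "big").hex()


if __name__ == "__main__":
    # Constructed sample addresses (not real contracts).
    phishing_site = "0x" + "11" * 20
    known_router = "0x" + "22" * 20
    samples = [
        encode_allowance_call("095ea7b3", phishing_site, UINT256_MAX),  # unlimited approve
        encode_allowance_call("39509351", phishing_site, 10**24),        # increaseAllowance variant
        encode_allowance_call("095ea7b3", known_router, 5 * 10**18),     # ordinary, bounded approval
    ]
    for calldata in samples:
        print(screen_calldata(calldata, frozenset({known_router})))
```

The check deliberately treats increaseAllowance exactly like approve: both end in a standing permission for the spender, which is the property the scams described here depend on. A bounded allowance to a spender the user has previously vetted is the only input that comes back "low", which is the behaviour a signing prompt should encourage.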
The Immutable Curse: A Roadblock to Security
Despite efforts to mitigate the risks associated with the increaseAllowance function, its removal from the base ERC-20 contract and relocation to an extension highlight the limitations imposed by the immutability of smart contracts. Already-deployed tokens cannot be modified, leaving them exposed to these scams.
While upgradable proxies and intermediary contracts offer workarounds, they cannot eliminate the fundamental attack vector posed by the approve function.
Social Engineering: A Primary Facilitator
Vladimirov argues that the proliferation of scams is primarily attributable to social engineering tactics that exploit human vulnerabilities rather than technological flaws. He emphasizes the need for wallets to adopt simpler, more user-friendly interfaces to reduce susceptibility to scams.
Phishing Attacks: A Growing Threat
Phishing attacks have become increasingly sophisticated, targeting even experienced crypto users like Necksus, a crypto miner and intelligence analyst. Necksus fell victim to a phishing scheme that resulted in a significant loss of funds.
Even users who employ additional precautionary measures, such as transaction simulators, are not immune to these attacks. Oxorio's Menshikov warns of emerging trends in phishing, such as attacks targeting ENS domain owners.
Solutions: The Elusive Panacea
Vladimirov believes that on-chain solutions are inadequate to combat phishing attacks, emphasizing the role of social engineering as a longstanding problem that predates cryptocurrency. He advocates for the development of security tools that can alert users to known attack vectors.
Larry the Cucumber, co-founder of Pickle Finance, recommends using security tools like WalletGuard and Pocket Universe to detect malicious URLs and protect against wallet drainers.
Pcaversaccio, an independent security researcher, urges extreme caution, advising users to be suspicious of all communications and to carefully scrutinize every transaction they sign.
A Cynical Perspective
Ohtamaa offers a somewhat cynical view, suggesting that addressing the issue would be less profitable than offering remedies after the fact. He cites the adage, "It is always more profitable to sell aspirin than to cure the patient."
Conclusion
ERC-20 tokens, despite their ubiquitous presence, remain vulnerable to scams due to inherent design flaws and the immutability of smart contracts. While efforts have been made to address these vulnerabilities, the proliferation of social engineering tactics has made phishing attacks an ever-present threat. The onus falls on the security community to develop tools and educate users to mitigate these risks. Until then, the crypto landscape will continue to be plagued by scams that exploit the weaknesses of the ERC-20 standard.