ERC-20 tokens, used throughout the crypto industry, remain easy to steal. Updates intended to improve efficiency have introduced new weaknesses that malicious actors exploit. Despite the severity of the problem, scams targeting ERC-20 tokens keep increasing, and even experienced cryptocurrency users have become victims. The immutability of smart contracts complicates efforts to correct ERC-20 design flaws, while social engineering remains the main driver of these attacks.
ERC-20 Tokens: A Breeding Ground for Crypto Scams, Despite Intended Fixes
Introduction
ERC-20 tokens, the ubiquitous fungible-token standard on the Ethereum network, have become a prime target for malicious actors: in March alone they accounted for 89.5% of crypto losses to phishing scams. That figure underscores vulnerabilities inherent in the ERC-20 approval model, which updates intended to improve efficiency have inadvertently widened.
Historical Context and Design Flaws
Introduced in 2015, the ERC-20 standard has carried serious security weaknesses from the start. According to Mikko Ohtamaa, co-founder of Trading Strategy, these flaws stem from fundamental design decisions made early on. The article notes that they are particularly problematic for Ethereum and Solana, while other chains have implemented fixes.
However, because deployed smart contracts are immutable, fixing the shortcomings of existing ERC-20 tokens is difficult, which compounds the problem.
Uniswap's Permit2: A Case Study in Unintended Consequences
Uniswap's Permit2, launched in 2022, aimed to streamline token approvals for DApps. A user grants the Permit2 contract a single on-chain approval per token; after that, individual spenders are authorized with off-chain signatures, which can also be batched. The goal was to reduce gas fees by removing the need for a separate on-chain approval for every application.
However, as security researcher Roman Rakhlin demonstrated shortly after its release, attackers could obtain Permit2 signatures through phishing and then use them to pull tokens from unsuspecting victims. Despite his warnings, Uniswap has yet to respond to requests for comment.
ERC-20 and Cryptocurrency Scams
ERC-20 tokens, despite their shortcomings, revolutionized the creation and use of fungible tokens on Ethereum. However, they interact with smart contracts very differently from Ether, the native currency. ETH is sent along with the call itself, whereas a contract can only move a user's ERC-20 tokens after the user has granted it an allowance via approve(); the contract then calls transferFrom() later, with no further action by the user. That standing allowance is what creates opportunities for malicious actors.
For instance, malicious entities can exploit the approval step that ERC-20 tokens require before a contract may spend them, tricking users into signing an approve() transaction or an approval message that names the attacker as the spender. Mikhail Vladimirov, an Ethereum developer and auditor, highlights this as a fundamental flaw in the standard's design.
Moreover, the functions increaseAllowance and decreaseAllowance, added in 2017 (by popular implementations such as OpenZeppelin's, not by the standard itself) to address the race condition in which a spender front-runs a change to its allowance, have themselves become avenues for scams. Lev Menshikov, a security researcher at Oxorio, explains that attackers can use the increaseAllowance function to trick users into raising a token allowance, enabling theft of the approved tokens.
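The three mechanisms discussed above (a phished approve(), a phished increaseAllowance(), and a phished Permit2 signature) modelled in one place, as an added example that is not part of the article and not code from Uniswap or OpenZeppelin. It is a toy Python ledger with ERC-20 approve/increaseAllowance/transferFrom plus a Permit2-like contract whose per-spender allowances are granted by off-chain signatures. The ledger semantics are simplified, the signature scheme (an HMAC over the serialized message) is a stand-in for EIP-712/ECDSA, and the addresses, balances and signing key are constructed for the example.

```python
"""Toy ERC-20 ledger plus a Permit2-style contract, showing why one phished
approve(), increaseAllowance() or permit signature lets an attacker pull tokens
later with no further action by the victim. Added example: not code from the
article, Uniswap or OpenZeppelin; semantics simplified, signature is a stand-in."""
import hmac
import json

UINT256_MAX = 2**256 - 1


class ERC20:
    """Minimal in-memory ERC-20 ledger."""
    def __init__(self, name, balances):
        self.name = name
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount  # overwrites; any value accepted

    def increase_allowance(self, owner, spender, added):
        self.allowances[(owner, spender)] = self.allowance(owner, spender) + added

    def transfer_from(self, caller, owner, to, amount):
        # The owner signs nothing here: whoever holds an allowance moves the tokens.
        allowed = self.allowance(owner, caller)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        if allowed != UINT256_MAX:  # "unlimited" allowances are never drawn down
            self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def sign(secret, message):
    """Stand-in for an EIP-712 signature (HMAC over the canonical message).
    Real Permit2 verifies secp256k1 ECDSA; this is an assumption for the toy."""
    payload = json.dumps(message, sort_keys=True).encode()
    return hmac.new(secret, payload, "sha256").hexdigest()


class Permit2:
    """Permit2-style contract: one on-chain ERC-20 approval to this contract,
    then per-spender allowances are granted by off-chain signatures."""
    ADDRESS = "permit2"

    def __init__(self, keys):
        self.keys = keys          # owner -> verification secret (toy)
        self.allowances = {}      # (owner, token, spender) -> (amount, expiration)
        self.used_nonces = set()

    def permit(self, owner, msg, signature, now):
        if not hmac.compare_digest(sign(self.keys[owner], msg), signature):
            raise PermissionError("bad signature")
        if (owner, msg["nonce"]) in self.used_nonces or msg["sigDeadline"] < now:
            raise PermissionError("replayed or expired permit")
        self.used_nonces.add((owner, msg["nonce"]))
        self.allowances[(owner, msg["token"], msg["spender"])] = (msg["amount"], msg["expiration"])

    def transfer_from(self, caller, token, owner, to, amount, now):
        amt, exp = self.allowances.get((owner, token.name, caller), (0, 0))
        if amt < amount or exp < now:
            raise PermissionError("no valid Permit2 allowance")
        self.allowances[(owner, token.name, caller)] = (amt - amount, exp)
        token.transfer_from(self.ADDRESS, owner, to, amount)  # uses the standing approval


def approval_phish():
    """Victim signs approve(attacker, MAX) on a fake 'claim' site; drained later."""
    usdc = ERC20("USDC", {"victim": 1_000})
    usdc.approve("victim", "attacker", UINT256_MAX)
    usdc.transfer_from("attacker", "victim", "attacker", 1_000)
    return usdc.balances["victim"], usdc.balances["attacker"]


def increase_allowance_phish():
    """increaseAllowance(attacker, 500) reads milder than approve but is as powerful."""
    usdc = ERC20("USDC", {"victim": 500})
    usdc.approve("victim", "dex", 100)  # legitimate, bounded allowance stays intact
    usdc.increase_allowance("victim", "attacker", 500)
    usdc.transfer_from("attacker", "victim", "attacker", 500)
    return usdc.balances["victim"], usdc.allowance("victim", "dex")


def permit2_phish():
    """A 'gas-free' signature request whose message names the attacker as spender."""
    secret = b"victim-signing-key"  # constructed for the example
    usdc = ERC20("USDC", {"victim": 2_000})
    p2 = Permit2({"victim": secret})
    usdc.approve("victim", Permit2.ADDRESS, UINT256_MAX)  # the one on-chain approval
    msg = {"token": "USDC", "spender": "attacker", "amount": 2_000,
           "expiration": 2**48 - 1, "nonce": 0, "sigDeadline": 1_700_000_100}
    sig = sign(secret, msg)  # phished off-chain; costs the victim no gas
    p2.permit("victim", msg, sig, now=1_700_000_000)
    p2.transfer_from("attacker", usdc, "victim", "attacker", 2_000, now=1_700_000_001)
    try:  # the nonce blocks a replay of this permit, but the funds are already gone
        p2.permit("victim", msg, sig, now=1_700_000_002)
        replayed = True
    except PermissionError:
        replayed = False
    return usdc.balances["victim"], usdc.balances["attacker"], replayed
```

In all three scenarios the victim takes exactly one action (one transaction or one off-chain signature) and the attacker moves the tokens in a later, separate transaction. That is why the spender and the amount at signing time, and the revocation of stale allowances afterwards, are the controls that matter; nothing the victim does between those two moments is consulted.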
The Immutable Curse: A Roadblock to Security
Efforts to reduce the risk from increaseAllowance led to its removal from the base ERC-20 contract and relocation to an extension, but that change only highlights the limit imposed by immutability: tokens already deployed cannot be modified, so their increaseAllowance functions remain available to scammers.
While upgradeable proxies and intermediary contracts offer workarounds, they cannot eliminate the fundamental attack vector: the approve function itself, which every ERC-20 token must expose.
Social Engineering: A Primary Facilitator
Vladimirov argues that the proliferation of scams is primarily attributable to social engineering tactics that exploit human vulnerabilities rather than technological flaws. He emphasizes the need for wallets to adopt simpler, more user-friendly interfaces to reduce susceptibility to scams.
Phishing Attacks: A Growing Threat
Phishing attacks have become increasingly sophisticated, targeting even experienced crypto users like Necksus, a crypto miner and intelligence analyst. Necksus fell victim to a phishing scheme that resulted in a significant loss of funds.
Even users who take additional precautions, such as running transactions through a simulator before signing, are not immune to these attacks. Oxorio's Menshikov warns of emerging phishing trends, such as attacks targeting ENS domain owners.
Solutions: The Elusive Panacea
Vladimirov believes that on-chain solutions are inadequate to combat phishing attacks, emphasizing the role of social engineering as a longstanding problem that predates cryptocurrency. He advocates for the development of security tools that can alert users to known attack vectors.
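One concrete form such a tool can take, as an added example that is not from the article or from Wallet Guard, Pocket Universe or any other product: a pre-signing triage of the raw calldata a wallet is asked to sign. It decodes the function selector and arguments and flags unlimited amounts, spenders outside an allowlist, increaseAllowance calls, and never-expiring permits. The selectors are the standard keccak-256 values; the allowlist, addresses, policy thresholds and sample transactions are constructed for the example.

```python
"""Pre-signing triage of ERC-20 calldata: decode the selector and arguments and
flag the patterns used in approval phishing (unlimited amounts, spenders outside
an allowlist, allowance increases). Added example, not code from the article or
from any wallet or simulator. Selectors are the standard keccak-256 values; the
allowlist, addresses and sample transactions are constructed."""

UINT256_MAX = 2**256 - 1

# First four bytes of keccak256(function signature), lowercase hex.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a457c2d7": "decreaseAllowance(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "d505accf": "permit(address,address,uint256,uint256,uint8,bytes32,bytes32)",
}


def decode_words(data_hex):
    """Split ABI calldata into (selector hex, list of 32-byte argument words)."""
    data = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if len(data) < 4 or (len(data) - 4) % 32:
        raise ValueError("malformed calldata")
    return data[:4].hex(), [data[i:i + 32] for i in range(4, len(data), 32)]


def word_to_address(word):
    """Addresses are right-aligned in a word; the 12 leading bytes must be zero."""
    if any(word[:12]):
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()


def encode(selector_hex, *args):
    """Build calldata for the constructed samples: str args are addresses, ints are uint256."""
    out = bytes.fromhex(selector_hex)
    for arg in args:
        if isinstance(arg, str):
            out += bytes(12) + bytes.fromhex(arg[2:])
        else:
            out += arg.to_bytes(32, "big")
    return "0x" + out.hex()


def triage(data_hex, trusted_spenders):
    """Return (verdict, reasons) for one calldata blob; verdict is ok / warn / block.
    The policy (block on unknown spender, warn otherwise) is an assumption."""
    selector, words = decode_words(data_hex)
    sig = SELECTORS.get(selector)
    if sig is None:
        return "warn", [f"unknown selector 0x{selector}; simulate before signing"]
    name = sig[:sig.index("(")]
    trusted = {s.lower() for s in trusted_spenders}
    reasons = []
    if name in ("approve", "increaseAllowance", "permit"):
        # approve/increaseAllowance: (spender, amount); permit: (owner, spender, value, deadline, ...)
        spender = word_to_address(words[1 if name == "permit" else 0])
        amount = int.from_bytes(words[2 if name == "permit" else 1], "big")
        if spender.lower() not in trusted:
            reasons.append(f"{name}: spender {spender} is not on the allowlist")
        if amount == UINT256_MAX:
            reasons.append(f"{name}: unlimited amount")
        if name == "increaseAllowance":
            reasons.append("increaseAllowance adds to an existing allowance; treat it like approve")
        if name == "permit" and int.from_bytes(words[3], "big") == UINT256_MAX:
            reasons.append("permit: deadline never expires")
    elif name == "transferFrom":
        reasons.append("transferFrom spends an existing allowance; verify the 'from' address is yours")
    if not reasons:
        return "ok", []
    return ("block" if any("allowlist" in r for r in reasons) else "warn"), reasons


# Constructed sample data: two addresses and three transactions a wallet might be asked to sign.
DEX = "0x" + "11" * 20
ATTACKER = "0x" + "ab" * 20
TRUSTED = {DEX}
SAMPLE_TXS = {
    "bounded approve to DEX": encode("095ea7b3", DEX, 1_000 * 10**6),
    "unlimited approve to attacker": encode("095ea7b3", ATTACKER, UINT256_MAX),
    "increaseAllowance to attacker": encode("39509351", ATTACKER, 500 * 10**6),
}


def triage_samples():
    return {label: triage(data, TRUSTED) for label, data in SAMPLE_TXS.items()}


if __name__ == "__main__":
    for label, (verdict, reasons) in triage_samples().items():
        print(f"{verdict:5s} {label}: {'; '.join(reasons) or 'nothing flagged'}")
```

The check is deliberately static: it looks only at what the user is about to sign, so it works offline and catches the increaseAllowance case that a balance-diff simulator can show as a no-op. It does not cover EIP-712 typed-data requests such as Permit2 permits, which arrive as a message to sign rather than as calldata and need a separate decoder over the typed-data fields.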
Larry the Cucumber, co-founder of Pickle Finance, recommends using security tools like WalletGuard and Pocket Universe to detect malicious URLs and protect against wallet drainers.
Pcaversaccio, an independent security researcher, urges extreme caution, advising users to be suspicious of all communications and to carefully scrutinize every transaction they sign.
A Cynical Perspective
Ohtamaa offers a somewhat cynical view, suggesting that addressing the issue would be less profitable than offering remedies after the fact. He cites the adage, "It is always more profitable to sell aspirin than to cure the patient."
Conclusion
ERC-20 tokens, despite their ubiquitous presence, remain vulnerable to scams due to inherent design flaws and the immutability of smart contracts. While efforts have been made to address these vulnerabilities, the proliferation of social engineering tactics has made phishing attacks an ever-present threat. The onus falls on the security community to develop tools and educate users to mitigate these risks. Until then, the crypto landscape will continue to be plagued by scams that exploit the weaknesses of the ERC-20 standard.
Disclaimer: info@kdj.com
The information provided is not trading advice. kdj.com does not assume any responsibility for any investments made based on the information provided in this article. Cryptocurrencies are highly volatile and it is highly recommended that you invest with caution after thorough research!
If you believe that the content used on this website infringes your copyright, please contact us immediately (info@kdj.com) and we will delete it promptly.