
Awesome Buggy ERC20 Tokens

Join the chat at https://gitter.im/sec-bit/Lobby

A Collection of Vulnerabilities in ERC20 Smart Contracts With Tokens Affected

Read the docs in Chinese: https://github.com/sec-bit/awesome-buggy-erc20-tokens/blob/master/README_CN.md

Disclaimers

  • This repo aims to raise the community's awareness of development security by collecting reported smart contract issues
  • All information in this repo comes from public resources; part of the analysis is generated by script and then checked manually
  • This repo might not be perfectly accurate; please contact us or submit a pull request when you find something wrong
  • This repo contains no unreported (undisclosed) issues
  • Some tokens listed here share names with popular projects; please do not read too much into this
  • This repo includes some token contracts that have no vulnerabilities but fail to satisfy the ERC20 specification
  • A few of the problematic token contracts listed here have already been fixed properly

Problems in ERC20 Token Contracts

The ERC20 standard is one of the most popular Ethereum token standards [1]. As of June 26th, 2018, more than 95,000 ERC20 token smart contracts had been deployed, according to statistics from Etherscan. Below is a daily trend chart of ERC20 contracts created, according to our statistics:

(chart) ERC20 contracts created on the main Ethereum network every day

Security Incidents in Smart Contracts

The ERC20 token specification has gone through challenges and improvements as it grew. Many critical security issues have been revealed, some of which led to severe financial losses [2-11] for developers, investors and even the Ethereum community as a whole.

On June 18th, 2016, the DAO hack caused a total loss of over 3,600,000 ether (ETH), worth over a billion dollars at mid-2018 prices, and the Ethereum hard fork that followed split the Ethereum community [2].

On April 22nd, 2018, an attack on the BeautyChain (BEC) contract drove the token's price almost to zero: an integer overflow let the attacker create an astronomical number of tokens and pour them onto exchanges [3]. At least 10 other contracts contain the same problem.

On April 25th, 2018, a similar integer overflow was uncovered in SMT. Attackers minted and dumped a tremendous number of tokens, causing SMT's price to collapse [4]. At least one other contract contains the same problem.

On May 20th, 2018, a critical logic flaw was found in EDU and three other token contracts (CVE-2018-11397, CVE-2018-11398), allowing anyone to transfer out other users' balances at will [5]. After further analysis, we found this bug in at least 81 contracts [6].

On June 12th, 2018, a series of overflow bugs in ERC20 smart contracts was uncovered (CVE-2018-11687, CVE-2018-11809, CVE-2018-11810, CVE-2018-11811, CVE-2018-11812) [7]. After scanning over 20,000 contracts deployed on Ethereum and listed on Etherscan, we found more than 800 contracts with the same class of problem [8].
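The two bug classes behind the incidents above, modeled in Python as an added example (this is not code from the repo or from the affected tokens). The unchecked batch transfer reconstructs the BEC-style pattern that also underlies the SMT and later overflow reports: a total computed as count times value with wrapping uint256 arithmetic. The transferFrom without an allowance check reconstructs the EDU-class flaw. Contract logic is simplified from public write-ups; addresses and balances are constructed sample data.

```python
UINT256_MOD = 2 ** 256  # Solidity uint256 arithmetic is modulo 2**256


class Revert(Exception):
    """Stands in for an EVM revert (a failed require()/assert())."""


def wrap(x: int) -> int:
    """Pre-0.8 Solidity arithmetic: silently wrap instead of failing."""
    return x % UINT256_MOD


def checked_add(a: int, b: int) -> int:
    """SafeMath-style add: revert instead of wrapping."""
    c = a + b
    if c >= UINT256_MOD:
        raise Revert("add overflow")
    return c


def checked_sub(a: int, b: int) -> int:
    """SafeMath-style sub: revert on underflow."""
    if b > a:
        raise Revert("sub underflow")
    return a - b


def checked_mul(a: int, b: int) -> int:
    """SafeMath-style mul: revert instead of wrapping."""
    c = a * b
    if c >= UINT256_MOD:
        raise Revert("mul overflow")
    return c


def reverts(fn, *args) -> bool:
    """True if fn(*args) reverts; lets callers assert on the fixed versions."""
    try:
        fn(*args)
    except Revert:
        return True
    return False


class Token:
    """Minimal ERC20 state. Addresses and balances are constructed sample data."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowed = {}  # (owner, spender) -> remaining allowance

    def _credit(self, addr, value):
        self.balances[addr] = checked_add(self.balances.get(addr, 0), value)

    # BEC-style batchTransfer: the total is cnt * value with wrapping
    # arithmetic, so a huge value makes amount == 0 and the sender's balance
    # check passes even for an empty account.
    def batch_transfer_unchecked(self, sender, receivers, value):
        cnt = len(receivers)
        if not (0 < cnt <= 20 and value > 0):
            raise Revert("bad arguments")
        amount = wrap(cnt * value)  # 2 * 2**255 wraps to 0
        if self.balances.get(sender, 0) < amount:
            raise Revert("insufficient balance")
        self.balances[sender] = wrap(self.balances.get(sender, 0) - amount)
        for r in receivers:
            self.balances[r] = wrap(self.balances.get(r, 0) + value)
        return True

    # Hardened batchTransfer: SafeMath reverts before any balance changes.
    def batch_transfer_checked(self, sender, receivers, value):
        cnt = len(receivers)
        if not (0 < cnt <= 20 and value > 0):
            raise Revert("bad arguments")
        amount = checked_mul(cnt, value)
        self.balances[sender] = checked_sub(self.balances.get(sender, 0), amount)
        for r in receivers:
            self._credit(r, value)
        return True

    def approve(self, owner, spender, value):
        self.allowed[(owner, spender)] = value
        return True

    # EDU-class transferFrom: the allowance is never consulted, so any caller
    # can move any holder's balance.
    def transfer_from_no_allowance_check(self, caller, frm, to, value):
        self.balances[frm] = checked_sub(self.balances.get(frm, 0), value)
        self._credit(to, value)
        return True

    # Standard transferFrom: the caller must have been approved by `frm`, and
    # the allowance is reduced before the balances move.
    def transfer_from_checked(self, caller, frm, to, value):
        key = (frm, caller)
        self.allowed[key] = checked_sub(self.allowed.get(key, 0), value)
        self.balances[frm] = checked_sub(self.balances.get(frm, 0), value)
        self._credit(to, value)
        return True
```

With an empty attacker account, batch_transfer_unchecked("0xattacker", ["0xa", "0xb"], 2**255) succeeds and credits each receiver 2**255 tokens, while batch_transfer_checked reverts in checked_mul; likewise transfer_from_no_allowance_check drains a holder who never called approve, while transfer_from_checked reverts in checked_sub on the zero allowance.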

Failure of Satisfying Specification in Many ERC20 contracts

Many ERC20 token contracts do not follow the ERC20 standard strictly, which causes trouble for developers building DApps on top of ERC20 tokens [12-14].

Thousands of deployed token contracts copied incorrect example code from the Ethereum official website and from OpenZeppelin, so several of their functions fail to meet the ERC20 standard; in particular, transfer() and transferFrom() were declared without the bool return value the standard requires. Since Solidity 0.4.22, a contract compiled against the standard interface (which expects a bool) checks the size of the data returned by the call, so calling such a token's transfer() reverts even though the token's own state change succeeded. As a result these tokens could not, in most cases, perform normal transactions on decentralized exchanges (DEX) or in DApps [12], while most DApp development teams were caught off guard and unaware of the problem.
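A Python model, added here as an example (not code from the repo or from [12]), of the return-data rule behind this incompatibility. decode_bool_strict models a Solidity 0.4.22+ caller whose interface declares a bool return: fewer than 32 bytes of return data is a revert (treating a word other than 0 or 1 as invalid is an assumption of this model). safe_transfer_succeeded applies the SafeERC20-style rule that works with both kinds of token: the low-level call must not revert, and empty return data counts as success while any returned word must decode to true. The byte strings are constructed sample return data.

```python
class Revert(Exception):
    """Stands in for an EVM revert."""


def reverts(fn, *args) -> bool:
    """True if fn(*args) reverts."""
    try:
        fn(*args)
    except Revert:
        return True
    return False


# Constructed sample return data from three kinds of token contract.
WORD_TRUE = (1).to_bytes(32, "big")   # standard token: returns true
WORD_FALSE = bytes(32)                # standard token signalling failure
NO_RETURN = b""                       # transfer() compiled without `returns (bool)`


def decode_bool_strict(returndata: bytes) -> bool:
    """Solidity >= 0.4.22 caller with an interface declaring `returns (bool)`:
    revert unless at least one 32-byte word came back, then decode that word."""
    if len(returndata) < 32:
        raise Revert("returndata shorter than 32 bytes")
    word = int.from_bytes(returndata[:32], "big")
    if word not in (0, 1):
        raise Revert("invalid bool encoding")  # model assumption, see lead-in
    return word == 1


def safe_transfer_succeeded(call_success: bool, returndata: bytes) -> bool:
    """SafeERC20-style rule: the call itself must not have reverted; a token
    that returns nothing is treated as success; a token that returns a word
    must return true. The caller is expected to require() the result."""
    if not call_success:
        raise Revert("token call reverted")
    if len(returndata) == 0:
        return True  # old token without a return value: rely on no-revert
    return decode_bool_strict(returndata)


def classify_token(returndata: bytes) -> str:
    """Label a token by the shape of its transfer() return data."""
    if len(returndata) == 0:
        return "nonstandard: no return value"
    if len(returndata) == 32:
        return "standard: returns bool"
    return "unexpected return data length %d" % len(returndata)
```

Under the strict decoder the nonstandard token (NO_RETURN) reverts every transfer made through a standard ERC20 interface, which is exactly the breakage described above; the safe rule accepts it while still rejecting a token that explicitly returns false.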

Several token contracts added a redundant check to the standard approve(), requiring the approved _amount to be smaller than or equal to the owner's current balance. This makes it hard for a DEX built on a protocol like 0x to have users call approve() in advance; instead the token team must transfer a huge amount of tokens to the exchange's intermediate account ahead of time, which defeats the purpose of using the ERC20 standard and is inconvenient.

Since the ERC20 specification defines the common query interfaces name(), symbol() and decimals() as optional [1], many token contracts left them out or named them differently, such as NAME(), SYMBOL() and DECIMALS(), making DEX and DApp development harder.

Another point worth mentioning is that two events, Transfer and Approval, must be fired under the circumstances described in the ERC20 specification [1]. In fact, many token contracts that copied the Ethereum official website's example [14] left out the Approval event. This omission makes life difficult for developers listening to these events and undermines the DApp ecosystem.

One Solution: Collecting Buggy Token Contracts

Statistical summaries from security organizations and experts indicate that critical vulnerabilities are hiding in smart contracts; take the 'TOP 10 in 2018' by NCC Group [15] as an example:

  • Reentrancy
  • Access Control
  • Integer Overflow
  • Unchecked Return Values For Low Level Calls
  • Denial of Service
  • Bad Randomness
  • Front-Running
  • Time manipulation
  • Short Address Attack
  • Unknown Unknowns

This may be just the tip of the iceberg. Recent research, together with the view above, makes clear that the scale of problems in smart contracts deployed on Ethereum may be beyond our imagination.

We made a collection of past bugs and vulnerabilities, including:

  1. vulnerabilities in Token contracts
  2. incompatibilities due to inconsistency with ERC20
  3. excessive authority of token administrators [16]

Why This Repo?

There are many projects in the Ethereum community contributing to the smart contract ecosystem, such as 'A guide to smart contract security best practices' [17] maintained by ConsenSys and 'OpenZeppelin, a framework to build secure smart contracts on Ethereum' [18] developed by OpenZeppelin.

We also found that most issues in buggy token contracts come from referring to, copying and modifying others' code without care; using incorrect sample code is another source of bugs. It is difficult for beginners and smart contract developers to determine within seconds whether a contract snippet from the main net contains bugs, and to identify those issues.

We will maintain this collection to:

  • provide a reference and learning materials on common bugs in ERC20 token contracts
  • help ERC20 token contract developers write correct and secure contracts
  • notify DApp developers of incompatible/buggy/vulnerable ERC20 token contracts
  • warn exchanges and investors of potential risks in incompatible/buggy/insecure ERC20 tokens

What We Collect

  • Descriptions of common vulnerabilities
  • List of deployed buggy token contracts
  • List of nonstandard token contracts

Repo Structure

awesome-buggy-erc20-tokens
├── token_dict.json
├── token_detail_dict.json
├── ERC20_token_issue_list_CN.md
├── issues.json
├── bad_tokens.all.csv
├── bad_tokens.all.json
├── bad_tokens.top.csv
├── bad_tokens.top.json
├── raw/
├── csv/
├── json/
├── gen_token_detail_dict.py
└── gen_list_from_raw.py

As shown below, the lists in CSV and JSON help developers browse and search for the addresses of contracts with reported vulnerabilities.

addr,category,name,symbol,exchanges,totalSupply,decimals,info
0x014B50466590340D41307Cc54DCee990c8D58aa8,[B6],ICOS,ICOS,@HitBTC@Tidex,560417,6,_
0x093e5C256Ff8B32c7F1377f4C20e331674C77F00,[A2],Dignity,DIG,@Livecoin,3000000000,8,_
{
    "0x014B50466590340D41307Cc54DCee990c8D58aa8": {
        "decimals": 6,
        "exchanges": [
            "HitBTC",
            "Tidex"
        ],
        "info": "_",
        "issues": {
            "no-symbol": true
        },
        "name": "ICOS",
        "rank": 316,
        "symbol": "ICOS",
        "totalSupply": 560417
    },
    "0x093e5C256Ff8B32c7F1377f4C20e331674C77F00": {
        "decimals": 8,
        "exchanges": [
            "Livecoin"
        ],
        "info": "_",
        "issues": {
            "totalsupply-overflow": true
        },
        "name": "Dignity",
        "rank": 613,
        "symbol": "DIG",
        "totalSupply": 3000000000
    }
}
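A small lookup tool, added here as an example (not one of the repo's own scripts), that reads both list formats shown above and answers the question a DEX or DApp developer actually has: is this token address flagged, and for what. The two sample records are the README's own rows embedded inline; addresses are compared case-insensitively because the lists use EIP-55 mixed-case addresses. The parsing of the category field assumes that multiple codes are concatenated as [A2][B6], and the exchanges field is split on its @ separators.

```python
import csv
import io
import json
import re

# Sample rows taken from the README's excerpt of bad_tokens.top.csv / .json
SAMPLE_CSV = """addr,category,name,symbol,exchanges,totalSupply,decimals,info
0x014B50466590340D41307Cc54DCee990c8D58aa8,[B6],ICOS,ICOS,@HitBTC@Tidex,560417,6,_
0x093e5C256Ff8B32c7F1377f4C20e331674C77F00,[A2],Dignity,DIG,@Livecoin,3000000000,8,_
"""

SAMPLE_JSON = """{
  "0x014B50466590340D41307Cc54DCee990c8D58aa8": {
    "decimals": 6, "exchanges": ["HitBTC", "Tidex"], "info": "_",
    "issues": {"no-symbol": true}, "name": "ICOS", "rank": 316,
    "symbol": "ICOS", "totalSupply": 560417
  },
  "0x093e5C256Ff8B32c7F1377f4C20e331674C77F00": {
    "decimals": 8, "exchanges": ["Livecoin"], "info": "_",
    "issues": {"totalsupply-overflow": true}, "name": "Dignity", "rank": 613,
    "symbol": "DIG", "totalSupply": 3000000000
  }
}"""

# Assumption: several category codes are written back to back, e.g. [A2][B6]
CATEGORY_RE = re.compile(r"\[([A-Z]\d+)\]")


def norm(addr: str) -> str:
    """Lower-case an EIP-55 address so lookups are case-insensitive; reject
    anything that is not 20 hex bytes so a typo cannot silently miss a hit."""
    a = addr.strip().lower()
    if not re.fullmatch(r"0x[0-9a-f]{40}", a):
        raise ValueError("not an Ethereum address: %r" % addr)
    return a


def load_csv(text: str) -> dict:
    """Index the CSV list by normalized address and unpack the packed fields."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        index[norm(row["addr"])] = {
            "name": row["name"],
            "symbol": row["symbol"],
            "categories": CATEGORY_RE.findall(row["category"]),
            "exchanges": [e for e in row["exchanges"].split("@") if e],
            "totalSupply": int(row["totalSupply"]),
            "decimals": int(row["decimals"]),
        }
    return index


def load_json(text: str) -> dict:
    """Index the JSON list by normalized address; keep only issues set to true."""
    index = {}
    for addr, rec in json.loads(text).items():
        rec = dict(rec)
        rec["issues"] = sorted(k for k, v in rec["issues"].items() if v)
        index[norm(addr)] = rec
    return index


def lookup(index: dict, addr: str):
    """Return the record for a token address, or None if it is not listed."""
    return index.get(norm(addr))


def tokens_on_exchange(index: dict, exchange: str) -> list:
    """Symbols of listed (i.e. problematic) tokens traded on one exchange."""
    return sorted(rec["symbol"] for rec in index.values()
                  if exchange.lower() in (e.lower() for e in rec["exchanges"]))
```

Run against the real bad_tokens.all.json, lookup() is the pre-listing check an exchange would make, and tokens_on_exchange() is the reverse view: which of the tokens already traded on a venue appear in the list.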

How to Contribute

We hope this collection can contribute to the Ethereum ecosystem through long-term maintenance and updates, and we definitely welcome contributions to it.

For now we only maintain detailed information (totalSupply, decimals, exchanges) for token contracts that have a market cap on CoinMarketCap. If you find other incompatible/buggy/vulnerable ERC20 token contracts, please update token_dict.json and run the script gen_token_detail_dict.py.

If you find bugs not listed in this collection, please update the collection as follows:

  • Add the bug's name and description to ERC20_token_issue_list.md, following the format of the existing entries
  • Create a new file named after the bug in the raw directory and fill in the addresses of the affected contracts
  • Add the name and index of the new bug to issues.json
  • Run python3 gen_list_from_raw.py -i raw/* -o bad_tokens in the repo root
  • Check the result and send us a pull request

If you have any questions or ideas, please join our discussion on Gitter.

TODO

  • [ ] Add more 'Excessive Authorities' issues:
    • [ ] Minting tokens
    • [ ] Setting trading price
    • [ ] Manipulating other accounts

References

License

CC0
