99% of ERC20 tokens have vulnerabilities

By Alfredo de Candia - 26 Aug 2020

According to recent research conducted by a team of Australian-Chinese universities, 99% of ERC20 tokens created before 2017 have vulnerabilities and are exposed to an attack called “Fake Deposit” that makes them unsafe, especially on the exchange side.

This type of attack exploits a bug in the token balance: unless a check is placed on functions such as “transfer” and “transferFrom”, there is a risk that the ERC20 tokens will end up in the accounts of criminals who invoke these functions.
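The exchange-side check mentioned above, as an added example that is not taken from the article or the research. It assumes the flaw takes the form of a `transfer` that returns false instead of reverting when the balance is insufficient; the `Token` model, the receipt layout and all function names are hypothetical.

```python
# Constructed toy ledger standing in for an ERC20 token; not real contract code.
class Token:
    def __init__(self, balances, revert_on_failure):
        self.balances = dict(balances)
        self.revert_on_failure = revert_on_failure  # assumed: True models a checked transfer

    def transfer(self, sender, to, amount):
        """Return a receipt dict shaped like a mined transaction (constructed layout)."""
        if self.balances.get(sender, 0) < amount:
            if self.revert_on_failure:
                return {"status": 0, "returned": None, "events": []}  # transaction reverted
            # Assumed unchecked style: no revert, the call returns false, the tx still succeeds.
            return {"status": 1, "returned": False, "events": []}
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return {"status": 1, "returned": True,
                "events": [("Transfer", sender, to, amount)]}


def naive_credit(receipt, claimed_amount):
    """Weak exchange check: trusts the transaction status alone."""
    return claimed_amount if receipt["status"] == 1 else 0


def verified_credit(receipt, deposit_addr, balance_before, balance_after):
    """Hardened check: credit only what a Transfer event and the balance delta both confirm."""
    if receipt["status"] != 1:
        return 0
    logged = sum(e[3] for e in receipt["events"]
                 if e[0] == "Transfer" and e[2] == deposit_addr)
    delta = balance_after - balance_before
    return min(logged, delta) if delta > 0 else 0


def simulate(revert_on_failure, sender_balance, amount):
    """Run one deposit and return (naive credit, verified credit)."""
    token = Token({"user": sender_balance}, revert_on_failure)
    before = token.balances.get("exchange", 0)
    receipt = token.transfer("user", "exchange", amount)
    after = token.balances.get("exchange", 0)
    return (naive_credit(receipt, amount),
            verified_credit(receipt, "exchange", before, after))


if __name__ == "__main__":
    for revert, bal in [(False, 0), (True, 0), (False, 150), (True, 150)]:
        print(f"revert={revert} balance={bal} ->", simulate(revert, bal, 100))
```

Only the unchecked token with an empty sender balance makes the two checks disagree: the status-only check credits the deposit while the event-and-balance check credits nothing.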

The numbers of the report

The team analyzed more than 176 thousand tokens based on the Ethereum blockchain and of these, 7772 tokens were identified as susceptible to this problem.

We are talking about 4.42% of the tokens that are still in circulation, a figure that may seem small but which also includes very famous tokens.

In fact, the tokens on this list include, to name only the most famous ones:

  • BRC
  • the Huobi token (HPT)
  • RPL
  • PWR
  • BAT, the token of the famous browser Brave

These tokens, especially if found on exchanges, seem to be susceptible to theft through the bug identified by this university research.

The percentage could have been more frightening, but thanks to the introduction of EIP-20 in 2017, which relates precisely to the management of tokens, the problem has been solved.

Exchanges are also in danger

The report also says that only some of the most famous tokens have been revealed, but there are others, less important, that have this kind of problem.

This bug also affects several exchanges and only some of them have taken security measures to deal with it.

The researchers therefore urge that the platforms be updated, because there may be further losses of these tokens in the future: it is possible to expect at least another 7 thousand different attacks against centralized exchanges, which by their very nature store the tokens of thousands of users.

Alfredo de Candia

Android developer for over 8 years with a dozen developed apps, Alfredo climbed Mount Fuji at age 21, following the saying: "He who climbs Mount Fuji once in his life is a wise man, who climbs him twice is a Crazy". Among his apps we find a Japanese database, a spam and virus database, the most complete database on Anime and Manga series birthdays and a shitcoin database. Sunday Miner, Alfredo has a passion for crypto and is a fan of EOS.
