Ethereum’s ERC-20 design flaws are a crypto scammer’s best friend

ERC-20 tokens are among the most frequently stolen assets in the crypto industry, and even some of the updates intended to fix the issues are inadvertently facilitating theft.

The Ethereum network’s near-ubiquitous token standard accounted for 89.5% of the $71.5 million worth of crypto lost to phishing scams in March, according to Scam Sniffer. 

These tokens were stolen after victims were phished into unwittingly signing approvals through functions such as “permit” and “increaseAllowance.” Functions intended to make the token standard more efficient have introduced new vulnerabilities.

First introduced back in 2015, ERC-20 tokens are full of gaping security holes, with little chance of a fix any time soon.

“The problem is because of historically bad decisions in ERC-20 and Ethereum designs,” Mikko Ohtamaa, co-founder of algorithmic investment protocol Trading Strategy, tells Magazine.

He says issues related to token design are mainly a problem specific to Ethereum and (to a lesser extent) Solana.

“The issue has been fixed on other chains like MultiversX, Radix, Cosmos-based ones, and so on,” Ohtamaa says. 

But the immutable nature of smart contracts complicates efforts to rectify ERC-20’s flaws.

Ethereum is the leading network for phishing scams. (Scam Sniffer)

Phishing attacks: Uniswap’s Permit2

Uniswap’s “Permit2” — a smart contract launched in 2022 — aims to improve transactions by allowing users to grant batch token approvals to DApps. This eliminates the need for separate approvals for each transaction, saving gas fees in the process. 

Permit2 builds on its predecessor, “permit” from Ethereum Improvement Proposal 2612 (EIP-2612), which introduced off-chain token approvals: the user signs a message instead of sending an approval transaction, so the signature itself incurs no gas fees.

EIP-2612 is an optional ERC-20 extension, and most ERC-20 tokens circulating in the market don’t implement it, so users can’t always take advantage of it when interacting with DApps.

And that’s where Uniswap’s Permit2 comes in. This…
