Dexaran

1.2K posts

Dexaran banner
Dexaran

Dexaran

@Dexaran

#Pseudonymous smartcontract developer & security engineer Founder of https://t.co/gggSQaclP3, EthereumCommonwealth & https://t.co/meZKAfcdwG Author of #ERC223

Katılım Ağustos 2016
112 Takip Edilen5.9K Takipçiler
Sabitlenmiş Tweet
Dexaran
Dexaran@Dexaran·
A user @qklpjeth just lost $25,000,000 because of a #ERC20 security flaw that I discovered and reported in 2017. #issuecomment-296711733" target="_blank" rel="nofollow noopener">github.com/ethereum/EIPs/… #ERC20 is an insecure standard. It lack transaction handling which makes error handling impossible. #ethereum @ethereum
English
7
15
65
11.8K
Dexaran
Dexaran@Dexaran·
@Dex_223 @zacodil @OpenZeppelin How good of a security researcher are you if you dont point out that the standard you are working with violates well-known security principles and as the result people are losing money using it?
English
0
1
2
15
Vadim (AI, ⋈)
Vadim (AI, ⋈)@zacodil·
Why "token approval" is the worst idea in DeFi. ERC-20 got the token right and the hard part wrong. it standardized balances and transfers, but never a clean way for a contract to actually use your tokens. a plain transfer to a contract doesn't even tell it anything arrived. so they bolted on a hotfix: approve + transferFrom. Look at what that hotfix forces on you. to let a contract spend your tokens, you either: - approve it once for a huge or infinite amount, and now it can reach into your wallet whenever it wants, forever, until you remember to revoke. you're trusting a contract you probably never read. - OR approve the exact amount right before every action, which means a second transaction and a second gas fee on every single operation. Tust a stranger, or pay a tax on every move. those are the two choices, and the standard offers nothing better. so everyone picks door one and clicks "infinite," and the chain fills with wallets pointing loaded guns at themselves. Not theoretical. the jaredfromsubway MEV bot just lost millions this way. nothing was hacked. it handed out approvals chasing fake trades, and someone used transferFrom to walk the funds out. The worst part: a better design existed the whole time. transfer-and-call (ERC-223, ERC-1363) moves the exact amount and notifies the receiver in one transaction. no standing approval, no extra tx, no stranger holding a key to your account. it lost to ERC-20's head start, and now infinite approvals are load-bearing under all of DeFi. permit, permit2, account abstraction, every "fix" is a patch on a primitive that should never have shipped. We didn't get the safe option. we got the convenient one, and we've been paying for it since
English
3
5
36
8.3K
Dexaran
Dexaran@Dexaran·
@cryptoupdate_io @sukanto018 @base Shooting yourself in the foot with a pistol or crossbow will have equally dire consequences. Repeating the same mistakes using different tools won't change the outcome.
English
0
2
3
27
sukanto
sukanto@sukanto018·
B20 is Base native token standard, the @Base ecosystem own version of ERC20 Just like ERC20 on Ethereum, B20 lets anyone easily create tokens (memecoins, stablecoins, security tokens, etc.) but it’s fully optimized for Base, faster, cheaper, and more native to the chain.
nibel.base.eth@Nibel_eth

What's b20? Anyone knows?

English
5
2
21
1.3K
Dexaran
Dexaran@Dexaran·
@jessepollak @A_Leutenegger This is how $25M were lost because ot these problems: x.com/Dexaran/status… This is a technical description of the problems: medium.com/dex223/erc-20-… This is a script that calculates the amount of losses: dexaran.github.io/erc20-losses
Dexaran@Dexaran

A user @qklpjeth just lost $25,000,000 because of a #ERC20 security flaw that I discovered and reported in 2017. #issuecomment-296711733" target="_blank" rel="nofollow noopener">github.com/ethereum/EIPs/… #ERC20 is an insecure standard. It lack transaction handling which makes error handling impossible. #ethereum @ethereum

English
0
0
0
19
Dexaran
Dexaran@Dexaran·
@jessepollak @A_Leutenegger B20 is insecure as it inherits security flaws of ERC20: - `transfer` lacks transaction handling - approve+transferFrom is redundant since Tangerine Whistle hardfork The first resulted in losses of $100M, the second one allowed scammers to steal billions Your B20 inherits those
English
1
0
1
63
Leuts.eth
Leuts.eth@A_Leutenegger·
How do we escape the ERC-20 standard?
English
31
3
80
13.3K
Dexaran retweetledi
DEX223
DEX223@Dex_223·
@jessepollak @A_Leutenegger B20 inherits security problems of ERC-20 and will lead to a loss of millions of dollars of your customers funds dexaran.github.io/erc20-losses/ ERC-20's lack of transaction handling is a security flaw that damages Ethereum ecosystem for years B20 inherits the same security flaws
English
0
2
4
163
Dexaran
Dexaran@Dexaran·
@A_Leutenegger ERC-20 has unnecessary approves and its `transfer` func isnt handleable. It resulted in $100M loss dexaran.github.io/erc20-losses/ To fix that I proposed ERC-223 in 2017 which works identical to native currency Adoption is the toughest part here
English
1
0
4
130
Dexaran retweetledi
DEX223
DEX223@Dex_223·
1/ Ethereum needs better token standards🚨 ERC-20 standard is poorly designed and outdated but it’s still the MOST adopted one. What are its problems and why is it designed the way it is? 👇
GIF
English
4
5
5
4K
Dexaran
Dexaran@Dexaran·
@VectorBits Victim is not a contract, its just an address. Victim contract is this one: 0xddbb864c2541e27152dbb87037ece852afb1faf5 The core mechanic of the attack was the exploitation of the `approval` of USDT. The root of the issue: approvals are insecure.
English
0
0
0
40
VectorBits
VectorBits@VectorBits·
⚠️⚠️⚠️Alert Notic Attack Tx: etherscan.io/tx/0x54bb31a5a… Victim contract: 0x222E674FB1a7910cCF228f8aECF760508426b482 Attacker: 0x4Fd9669FB676EA2AcE620AFb6178aE300EcFd8a9 Attacker contract: 0xc8540A70Aa191651D7Cf8ED854eA3d346C897b2A Chain: Mainnet Loss: ~ $13k
English
2
0
6
3.2K
Hugo Montenegro
Hugo Montenegro@uwwgo·
ERC-20 is the worst thing that ever happened to Ethereum. I hate it. I have had to built around it for years. Thus, I wrote a hit piece on ERC-20. Here's the TLDR on why the standard is terrible: 1.) You cannot attach information to a transfer This makes programmatically building logic on erc20 payments impossible. That's really dumb. 2.) approve(). Self-explanatory. 3.) ERC-20 and Ether are both "coins", but they are different. This is very very very confusing for normies and makes for horrible UX. Read my full hit piece on the worst standard in Ethereum history here: hugo0.com/blog/how-erc20…
English
41
14
171
40.5K
Dexaran
Dexaran@Dexaran·
@uwwgo It's also straight up insecure. Violates "failsafe defaults" and "error handling" principles of secure software designing. Caused $100M+ losses: dexaran.github.io/erc20-losses/ Reported this to EF in 2017 #issuecomment-296711733" target="_blank" rel="nofollow noopener">github.com/ethereum/EIPs/… but they did nothing to solve it.
English
1
2
7
676
Dexaran retweetledi
rektkid
rektkid@rektkid_·
The TLDR with EOS is that Yves appointed a Chinese anti decentralisation chancer to run Labs, and entered into 50/50 MSIGs over vast sums of network funds. The two are now at loggerheads, and that puts the chain in a pretty dire situation. Just shit leadership all round.
English
3
1
5
851
Dexaran retweetledi
Betoshi_Pt 🇵🇹 🇧🇷
Betoshi_Pt 🇵🇹 🇧🇷@Betoshi_Pt·
📕ERC-223 🔹É um padrão de tokens na Ethereum. 🔹Melhora a segurança face ao ERC-20. 🔹Evita perder tokens enviados a contratos errados. 🔹Valida o destino antes de transferir os tokens.
Betoshi_Pt 🇵🇹 🇧🇷 tweet media
Português
1
2
4
242
Dexaran
Dexaran@Dexaran·
@0xDRick @uttam_singhk Yes, but there is no other way to allow existing ERC-20 tokens to become ERC-223. If we would need to create an upgrading procedure then it will lead to a situation where both standards will co-exist for some time and then a newer one will replace the older one.
English
0
0
0
65
Rick
Rick@0xDRick·
@Dexaran @uttam_singhk What about contracts that already recognize/support existing Erc20? If users wrap their erc20 to erc223 it's gonna be a whole new "token". Existing contracts will treat them differently
English
1
0
1
74
Uttam
Uttam@uttam_singhk·
this is so f*cking scary - a txn made 9 months ago to transfer just $5 ended up causing a $30K loss. TLDR: → a txn was approved 9 months ago → to interact with the ThirdWeb Universal Bridge → Infinite approval was given (just for a $5 transfer) → a vulnerability in the contract was discovered in April → but the contract remained active onchain, including the blog referencing the affected contract address → vulnerability allowed anyone to drain funds from users with infinite approval → the hacker waited 9 months for the user to deposit a substantial amount → And boom - $30K gone in a single txn → funds were sent to Railgun, so can’t be traced → thirdWeb permanently disabled the legacy affected contract after the hack was disclosed → the blog referencing the affected (now-disabled) contract address is still live I don’t even know whom to blame here. It’s honestly a shame that after all these years of building, crypto users still have to deal with stuff like this and this user is literally one of the smartest people in the industry.
Jill Gunter ☕@jillgun

Last night around 5pm I sat down to do some work. I opened my Rabby wallet to try out Espresso's new cross-chain mint product, Presto, that Rarible had just put live on mainnet. When I opened my wallet, I immediately saw that $30k was missing...

English
129
67
719
230.9K
Dexaran
Dexaran@Dexaran·
I've reported ERC-20 design flaws to those who worked on its finalization in 2017: #issuecomment-296711733" target="_blank" rel="nofollow noopener">github.com/ethereum/EIPs/… They ignored it for 8 years, now there are $100M lost because of the lack of transaction handling and billions lost because of approval-related problems: dexaran.github.io/erc20-losses They are silencing the issue, for example at Devcon7 they were just removing questions from live questions pool on record: youtube.com/shorts/KJCs4jC… Someone had to experience this as a wake up call to others << this is the result of Ethereum's censorship of the problem. They know about it since 2017. I personally warned them and they did nothing to protect users.
YouTube video
YouTube
English
0
0
1
28
Suky ⨀
Suky ⨀@sukywin·
@NDIDI_GRAM @jillgun read the article yesterday and mass revoked all approvals on about 5 chains sad that someone had to experience this as a wake up call to others
English
2
0
0
329
HEADBOY 🦇🔊
HEADBOY 🦇🔊@NDIDI_GRAM·
One simple mistake cost @jillgun $30k. Approval hacks and token drains are one of the major flaws in crypto, but the good news is that they can be avoided: 1- Manually Set Approval Limits Or Stop use Dex’s That Sets Infinite Approval: You can manually set the exact amount, you want to swap in your web browser rather than approving an unlimited amount. Look at my screenshot below. @Uniswap wants me to approve “115792089237316195423570985008687907853269984665640564039457584007913129.639935” for a $995 swap. If, by any chance, they get hacked, that’s the amount of money I’m risking losing simply because I used their DEX. Frame 2: @jumperapp doesn’t allow you approve more than you spend, so if you frequently use jumper, you’re free from token approval drains or hack. So either manually set exact token approval or use a Dex that solves the error. 2- Revoke Transactions: One Key takeaway from @jillgun’s story is that the approval was done six months prior to drain, so there was enough time to manually revoke the token approval contracts. There are two ways around this: - @RevokeCash: Toolkit for revoke token approval contracts, so visit and max revoke all esp unlimited contracts. - @Rabby_io: Rabby has an in wallet feature that functions like revoke cash. You should be fine if you follow either of these two steps. Also, like and share if this was helpful. It could save a degen.
HEADBOY 🦇🔊 tweet mediaHEADBOY 🦇🔊 tweet media
Jill Gunter ☕@jillgun

Last night around 5pm I sat down to do some work. I opened my Rabby wallet to try out Espresso's new cross-chain mint product, Presto, that Rarible had just put live on mainnet. When I opened my wallet, I immediately saw that $30k was missing...

English
52
12
196
16.1K
Dexaran
Dexaran@Dexaran·
ERC-20 is insecure by design. owasp.org/Top10/2021/A04… It violates two of the most basic security principles: - Error handling is a must (there is no transaction handling which makes error handling impossible) - Secure defaults I've reported these problems in 2017 #issuecomment-296711733" target="_blank" rel="nofollow noopener">github.com/ethereum/EIPs/… and highlighted that it will result in financial damage to end users. The report was ignored for 8 years and now there are $100,000,000 lost because of the lack of transaction handling and billions lost because of approval-related problems (which are also a consequence of the lack of transaction handling): dexaran.github.io/erc20-losses Now @ethereum is censoring questions about this problems, for example they are blatantly removing questions from live presentation like this: youtube.com/shorts/KJCs4jC… Security researchers who never wrote that ERC-20 violates the most basic principles of secure software design - what are you even doing?
YouTube video
YouTube
English
0
0
1
67
Dexaran
Dexaran@Dexaran·
No, the adoption is not happening because there is no coordination of an ecosystem upgrade. The real problem here is that @VitalikButerin is the author of ERC-20 eips.ethereum.org/EIPS/eip-20 and nobody is allowed to criticize it, also @ethereum is applying immense censorship wherever they can to silence the reports of ERC-20 problems. They are doing THIS instead of coordinating an ecosystem upgrade. - I was denied the opportunity to be a speaker on Devcon in 2024 and on Devconnect 2025 (yeah, they prefer to discuss North Korea hackers rather than real problems that cause $100M damage and can be solved) - Questions regarding ERC-20 problem and financial losses were removed from the live questions pool on record: youtube.com/shorts/KJCs4jC… - My reddit posts are never approved on r/ethereum, spoke to @poojaranjan19 and she told me "its spam protection, not censorship" I was involved in solving many security issues like 51%-attacks ecips.ethereumclassic.org/ECIPs/ecip-1092 in $ETC and the procedure is always the same: 1. Identify the problem 2. Reach an agreement amont participants about which solution should be used 3. Announce it 4. Reach out to mining pools / exchanges / block explorers / node operators - tell them that we need to do X to solve the problem 5. Provide technical assistance during the process I don't believe that @ethereum can coordinate an upgrade from POW to POS but it can't do the same to coordinate an upgrade from ERC-20 to ERC-223. I've developed ERC-7417: Token Converter for this purpose: eips.ethereum.org/EIPS/eip-7417 The idea is to follow the Wrapped Ether approach and create exactly one ERC-223 wrapper for each existing ERC-20 token so that users would be able to start converting their existing tokens to ERC-223 "versions" without any actions required from the token devs side. They can convert it back at any moment if its necessary.
YouTube video
YouTube
Dexaran tweet media
English
0
0
1
52
etcontradictio.base.eth
etcontradictio.base.eth@etcontradictio·
I did a little research on ERC-223 and it sure looks like a game changer. It's always been crazy to me how smart contracts can easily be exploited. ERC-223 will ensure safety of assets during transfers. However, it seems the Immutability of contracts is the major reason adoption is not happening. My question to you @uttam_singhk is; how can this be addressed as painlessly as possible?
Uttam@uttam_singhk

this is so f*cking scary - a txn made 9 months ago to transfer just $5 ended up causing a $30K loss. TLDR: → a txn was approved 9 months ago → to interact with the ThirdWeb Universal Bridge → Infinite approval was given (just for a $5 transfer) → a vulnerability in the contract was discovered in April → but the contract remained active onchain, including the blog referencing the affected contract address → vulnerability allowed anyone to drain funds from users with infinite approval → the hacker waited 9 months for the user to deposit a substantial amount → And boom - $30K gone in a single txn → funds were sent to Railgun, so can’t be traced → thirdWeb permanently disabled the legacy affected contract after the hack was disclosed → the blog referencing the affected (now-disabled) contract address is still live I don’t even know whom to blame here. It’s honestly a shame that after all these years of building, crypto users still have to deal with stuff like this and this user is literally one of the smartest people in the industry.

English
2
0
2
82
Dexaran
Dexaran@Dexaran·
There is ERC-7417: eips.ethereum.org/EIPS/eip-7417 It can "wrap" each existing ERC-20 token -> ERC-223 version 1:1 so users can start using ERC-223 tokens without the consent of the token developers ideally. It doesn't make sense if the user would need to sell these tokens on CEX and the CEX doesn't support ERC-223 deposits however. We're building dex223.io to enable trading for such tokens
English
1
1
4
169
Rick
Rick@0xDRick·
@Dexaran @uttam_singhk Amazing work man. May I ask if it's hard for existing projects that already using ERC20 to switch to your ERC223 ? cuz I think it's not that because they don't notice the threat but it's because the migration have a chance to messed up the whole system
English
1
0
3
176