Research Summary: Rectifying Administrated ERC20 Tokens

TLDR

• The research examines the ERC20 token class and reveals that these contracts are more owner-controlled and less secure than the services they are aiming to disrupt, such as banks and centralized online payment systems.
• They develop a binary classifier for detecting administrated ERC20 tokens and do a significant data analysis, revealing that about 9 out of 10 ERC20 tokens on Ethereum are administrated, making them risky to interact with even if their owners are trusted.
• The authors designed and implemented SafelyAdministrated - a Solidity abstract class that protects users of administrated ERC20 tokens against adversarial assaults and frivolous token owner behavior.

Core Research Question

How many unique administrated ERC20 tokens are deployed on Ethereum?

Citation

Nikolay Ivanov, Hanqing Guo, and Qiben Yan. “Rectifying Administrated ERC20 Tokens.” arXiv:2107.10979v1 [cs.CR]17 Jul 2021. [2107.10979v1] Rectifying Administrated ERC20 Tokens

Background

• Smart Contracts and EVM: A smart contract is a program that is deployed on a blockchain and executed by the virtual machine of the blockchain. It is made up of a collection of functions that may be accessed via blockchain transactions. The majority of smart contracts are written in a high-level special-purpose programming language, such as Solidity or Vyper, then compiled into byte-code for deployment and execution on a blockchain virtual machine.
• Externally Owned Account: There are two types of accounts on the Ethereum blockchain: smart contract accounts and externally owned accounts (EOA). The public addresses of both EOAs and smart contract accounts are 160 bits in length. Through signed transactions, EOAs can be utilized to call the operations of smart contracts.
• Solidity: Solidity is the most common programming language for developing EVM smart contracts, with syntax akin to JavaScript and C++. Before deploying a smart contract written in Solidity, the source code must be compiled into bytecode. Solidity is the programming language used to create all of the smart contracts examined in this study.
• ERC20 Tokens: The most widely used standard for implementing fungible tokens in Ethereum smart contracts is ERC20. Alternative cryptocurrencies (altcoins) such as ChainLink and BinanceCoin are ERC20-compatible smart contracts published on the Ethereum Mainnet. The ERC20 standard defines an interface with six required functions, two required events, and three optional characteristics that a smart contract must implement in order to become an ERC20 token and communicate with ERC20-compliant clients.
• OpenZeppelin Contracts: A library of smart contracts that have been rigorously vetted for compliance with best security principles. These smart contracts are regarded as de facto standardized implementations of popular smart contract code patterns. The OpenZeppelin project provides a robust code foundation for ERC20 token creators. The majority of ERC20 tokens, as well as the administrated patterns in these tokens, are built by inheriting procedures from the OpenZeppelin Contracts library.

Summary

• Hundreds of billions of dollars’ worth of assets are managed by millions of Ethereum smart contracts.
• The most common form of smart contract in Ethereum is the ERC20 fungible token, which is sometimes compared to a decentralized bank account.
• Externally owned accounts (EOAs) and smart contracts are the two types of accounts in Ethereum. An EOA has a private key and can deploy smart contracts, but it cannot execute custom code. A smart contract, on the other hand, may execute custom code but does not have a private key to identify its owner.
• The contract’s deploying EOA does not automatically own the smart contract unless the contract developer specifically implements this capability.
• The developer must manually implement functionality relating to ownership, role-based access, or other special permissions; otherwise, the contract will become orphaned when it is deployed.
• According to a recent investigation, at least 2.1 million Ethereum smart contracts, out of a total of 5.8 million, employ the onlyOwner modifier from the OpenZeppelin Contracts library, which permits just a certain user to call the smart contract’s functionalities.
• All smart contracts were divided into two categories: administrated contracts and effectively ungoverned smart contracts, with the emphasis on the fact that not all contracts with an owner are necessarily administrated, as ownership can be purely symbolic or only allow harmless operations in some cases.
• Non-administrated smart contracts are also known as essentially ungoverned smart contracts, a category that includes ownable non-administrated contracts, many of which are ERC20 tokens.
• In this paper, the focus is on administrated ERC20 tokens, with the purpose of introducing a novel subset of these tokens - securely administrated ERC20 tokens.

Method

• The study employs a pattern recognition algorithm to search for administrated ERC20 tokens on the Ethereum Mainnet network, beginning by preprocessing all input samples by removing comments and extracting source codes from multi-part JSON files.
• A total of 385 samples were selected at random from 84,062 distinct source code files and manually assigned (labeled) into two categories:
  • administered ERC20 tokens and
  • others.

• Then, using the K-fold method (with k = 5) the 385 labeled samples and the related feature vectors were tested to evaluate the performance of 9 distinct classifiers.
• The Support Vector Classier (SVC) classifier was used to train the feature vectors corresponding to the complete data set with the 385 labeled examples. Because of the identical and independently distributed (i.i.d) assumption, the trained SVC model can classify all of the samples.

Results

• The result reveals that 54,626 smart contracts were identified as ERC20 tokens out of 84,062 analyzed smart contracts, representing approximately 64.6%.
• There are 39,034 contracts categorized as administrated ERC20 tokens, representing approximately 57.96% of all smart contracts analyzed and 89.76% of all ERC20 tokens.
• Consequently, except for the Gaussian Naive Bayes classifier which is slightly above 61%, 8 out of 9 classifiers operate within the 95% … 97% accuracy range.

• The research also reveals that about 10% of all ERC20 tokens are non-administrated, meaning that they have full decentralization and permissionless design, whereas a greater percentage are tightly managed by their owners and other privileged users thereby overriding the hosting blockchain’s decentralized capacity.

Discussion and Key Takeaways

• Administrated ERC20 tokens are generally unsafe since they are poorly controlled and may be exploited by their owner or stolen by an attacker.
• ERC20 fungible tokens have been a beacon of hope for the tokenized economy of the future. However, according to this research, almost 9 out of 10 ERC20 tokens are administrated assets that are typically less secure than traditional financial institutions and accounts.
• The ERC20-managed patterns can be utilized by token owners without endangering the contract’s security or needing user confidence. To accomplish this, the present primitive administrated routines may be re-implemented using three novel concepts: deferred maintenance, board of trustees, and safe pausing.

Implications and Follow-ups

• The main source of concern regarding smart contracts’ safety is security vulnerabilities in them. However, automated tools for detecting known smart contract vulnerabilities have been proposed by researchers.
• It is expedient to note that a novel aspect of semi-rational human behavior leads to the misconception that most smart contracts are decentralized, permissionless, and ungoverned simply because they are placed on a blockchain with these properties.
• The ERC20-managed patterns can be utilized by token owners without endangering the contract’s security or needing user confidence.
• The primitive administrated routines of ERC20-managed patterns may be re-implemented using three novel concepts: deferred maintenance, board of trustees, and safe pausing.

Applicability

• This work applies to anyone developing smart contracts who seek to protect users from the frivolousness of unregulated token owners without depriving the functionalities.
• The implementation of this protocol for the ownership mechanism for the ERC20 token will successfully preclude a single point of security failure and requires prior notice of maintenance as well as for honest token owners to achieve their goals in a way that is safe for them and the users.

@Jmax Thank you for the wonderful summary. It was a truly enjoyable light read.

I have an naive question. You mentioned that decentralized, non-administrated smart contracts are safer than their administrated counter parts. Why are non-administrated smart contracts exempt from those risks?

Thanks for the kind words, and I’m glad you enjoyed the summary. To respond to your query, it seems like an oxymoron given the way it was presented in the research paper.

The implication of this is based mainly on the implementation of the ERC20 tokens. What this means is that an administrated ERC20 token is not just distinct from a typical centralized asset management system like banks, which is subject to single-point exploit by either the owners or attackers. However, non-administrated are fully decentralized and permissionless by design. Consequently, the safety referred to has to do with the control of the assets, whether permissioned or permissionless.

Meanwhile, the purpose of the research was to implement a SafelyAdministrated class that protects users of administrated ERC20 tokens against adversaries.

A non-administered smart contract is exempt from the risk of the contract being changed or deleted by a third party because it is not stored on a server. Instead, the code is stored on the blockchain and cannot be manipulated by anyone.

Similarly, the agreement is enforced by the same set of codes and therefore exempt from those risks because they do not require a central administrator to verify that their terms are being met.

This is high risk as a human is not regulating them, we do not know the requirements and protection that traditional contracts do have. In this instance, the decentralized governance of a token is different from a centralized asset management system like banks. With banks, the owners of the bank, or attackers, can manipulate the system in such a way to steal assets.

ERC20 token, there is no single point of control. What this means is that there is no one person in control of your assets, and no one person or group can steal or manipulate the system in such a way as to steal your assets.
It’s no surprise that the recent crypto-craze has caused a lot of speculation about the best ways to store digital assets.

A lot of us have been spoiled by the ease that centralized institutions have given us in the past, and now it’s a little tougher to get used to the idea that we have to take care of our own assets. At the same time, it’s worth thinking about the ways that centralized institutions have deceitful operations.

Imagine that you have a nice little nest egg of $1,000. You decide to put it in the bank to earn some interest. After five years of doing this, you come back and there’s only $500 left, it all disappears after paying bank fees and the little interest earned is not worth continuing these practices.

Many have been eager to invest in the cryptocurrency space. However, the safety of their investment largely depends on how they store their cryptocurrency.

Ether and other Ethereum tokens are called ERC20 tokens because they are created using the Ethereum Request for Comments system. This is a system that helps developers to create new proposals for Ethereum. The ERC20 system was originally created by Fabian Vogelsteller.
The system is open-source, which means that anyone can use it. Ethereum tokens are actually a type of program that runs on top of the Ethereum network.

When an Ethereum token is created, it is distributed to the people who funded the project. This is how new Ethereum tokens are created. The system was initially created to allow anyone to create a new token. It quickly became the standard for developing new Ethereum tokens that are being created today. Now let’s remember that the system has some significant limitations. Here is an example, the gas required to create a token is a significant amount, meaning that whoever is creating new ERC20s can only do so if they have a significant amount of ether available and therefore a posed problem for any potential project that was not as well funded as other projects.

Consistently, the Ethereum platform has been widely adopted as the go-to platform for token creation. The platform’s flexibility and popularity have made it the number one choice for developers and token creators looking to create their own Ethereum-based token.

With the Ethereum platform, anyone can create their own token, but with that freedom comes the responsibility of knowing how to create a token that is compatible with the Ethereum ecosystem. There are many tools available for creating a new token and the best one for you will depend on your needs and the features that you need.

@Jmax your article is well constructed and I commend your work, I hope this finds you well

The Ethereum Chain has a large following and may be customized.

According to etherscan, there are more than 450,000 smart contracts using the ERC20 standard active on the Ethereum network.

This standard contributes to the creation of tokens in a way that increases their decentralization. Even after the contract has been deployed, it stops the contract creation from calling certain functions that will enable them to steal peoples’ money.

I believe further research is necessary into the remaining distributed tokens if there are only roughly 450,000 contracts deployed in accordance with the ERC20 standard.

Thanks @Humphery for the feedback. It is expected that this space will continue to evolve as you noted and obviously more research will lead to an increased area of applications using the standard.

ERC-20 token is a standard used for creating and issuing smart contracts o the ethereum blockchain. Smart contract can then be used to create smart property of tokenized asset that people can invest in. There are more than 65,000 ERC-20 that has been launched on the ethereum network. Among the most popular are EOS, Tron, Binance coin, ICON, Kucoin, OmiseGo, and SingularDTV. ERC-20 stands for Ethereum Request for Comment, it was proposed by Fabin Vogelsteller in 2015 as a way to standardize the tokens with smart contract on the ethereum blockchain. Volgelstellar submitted the proposal via the project Github page as an Ethereum Request for Comment. It was the twentieth comment, hence it name ERC-20.

Unfortunately, ECR-20 token standard lacks transaction handling mechanism. According to Dexaran, a blockchain developer, the key problem is with smart contracts. A transaction is considered completed when the funds are successfully transferred. If an error occurs, the transfer should be rejected. When transferring ETH, this is exactly what happens: if tokens is sent to a contract that is not compatible with this cryptocurrency, the transaction will be rejected by the smart contract on the part of the recipient and the transfer of funds will not occur. However, in the case of tokens ERC-20 standard, everything happens differently: a smart contract that does not support this standard, does not reject the transaction, as a result of which the tokens are frozen and lost.

This is due to the fact that to transfer ERC20 tokens one of the two functions has to be activated. The first one is the transfer function, which allows you to send tokens to a specific address. The second is used to deposit tokens into a smart contract, which requires a combination of functions approve + transferFrom. Thanks to the approve function, the user allows a smart contract to withdraw his own funds, which is done with the transferFrom function.

But what if by mistake the user makes a deposit into a smart contract using the first transfer function? The transaction will be considered successful and the network will recognize it, but the smart contract itself will not see this transaction and therefore will not credit it. For example, if you send tokens to a decentralized exchange contract in this way, the contract will receive these funds, but they will not appear on the balance. Moreover, if such contract cannot implement the function of emergency token withdrawal, in this case it will be impossible to return the sent funds. It is because of this bug Ethereum ecosystem has already lost millions of dollars. Note that in investing your coins , you have to be careful and make sure it is secured.

thanks for this nice summary it is really educative, I learnt that ERC-20 allows different smart-contract enabled tokens a way to be exchanged. Tokens, in this regard, are a representation of an asset, ownership, access, cryptocurrency, or anything else that is not unique in and of itself but can be transferred. The standard allows tokens representing one of these factors—along with smart contracts—to be exchanged for a token that represents another. Smart contracts are conditions written into the coding that execute different aspects of a transaction between parties.