Research Summary: Rectifying Administrated ERC20 Tokens

TLDR

  • The research examines the ERC20 token class and reveals that these contracts are more owner-controlled and less secure than the services they are aiming to disrupt, such as banks and centralized online payment systems.
  • They develop a binary classifier for detecting administrated ERC20 tokens and do a significant data analysis, revealing that about 9 out of 10 ERC20 tokens on Ethereum are administrated, making them risky to interact with even if their owners are trusted.
  • The authors designed and implemented SafelyAdministrated - a Solidity abstract class that protects users of administrated ERC20 tokens against adversarial assaults and frivolous token owner behavior.

Core Research Question

How many unique administrated ERC20 tokens are deployed on Ethereum?

Citation

Nikolay Ivanov, Hanqing Guo, and Qiben Yan. “Rectifying Administrated ERC20 Tokens.” arXiv:2107.10979v1 [cs.CR]17 Jul 2021. [2107.10979v1] Rectifying Administrated ERC20 Tokens

Background

  • Smart Contracts and EVM: A smart contract is a program that is deployed on a blockchain and executed by the virtual machine of the blockchain. It is made up of a collection of functions that may be accessed via blockchain transactions. The majority of smart contracts are written in a high-level special-purpose programming language, such as Solidity or Vyper, then compiled into byte-code for deployment and execution on a blockchain virtual machine.
  • Externally Owned Account: There are two types of accounts on the Ethereum blockchain: smart contract accounts and externally owned accounts (EOA). The public addresses of both EOAs and smart contract accounts are 160 bits in length. Through signed transactions, EOAs can be utilized to call the operations of smart contracts.
  • Solidity: Solidity is the most common programming language for developing EVM smart contracts, with syntax akin to JavaScript and C++. Before deploying a smart contract written in Solidity, the source code must be compiled into bytecode. Solidity is the programming language used to create all of the smart contracts examined in this study.
  • ERC20 Tokens: The most widely used standard for implementing fungible tokens in Ethereum smart contracts is ERC20. Alternative cryptocurrencies (altcoins) such as ChainLink and BinanceCoin are ERC20-compatible smart contracts published on the Ethereum Mainnet. The ERC20 standard defines an interface with six required functions, two required events, and three optional characteristics that a smart contract must implement in order to become an ERC20 token and communicate with ERC20-compliant clients.
  • OpenZeppelin Contracts: A library of smart contracts that have been rigorously vetted for compliance with best security principles. These smart contracts are regarded as de facto standardized implementations of popular smart contract code patterns. The OpenZeppelin project provides a robust code foundation for ERC20 token creators. The majority of ERC20 tokens, as well as the administrated patterns in these tokens, are built by inheriting procedures from the OpenZeppelin Contracts library.

Summary

  • Hundreds of billions of dollars’ worth of assets are managed by millions of Ethereum smart contracts.
  • The most common form of smart contract in Ethereum is the ERC20 fungible token, which is sometimes compared to a decentralized bank account.
  • Externally owned accounts (EOAs) and smart contracts are the two types of accounts in Ethereum. An EOA has a private key and can deploy smart contracts, but it cannot execute custom code. A smart contract, on the other hand, may execute custom code but does not have a private key to identify its owner.
  • The contract’s deploying EOA does not automatically own the smart contract unless the contract developer specifically implements this capability.
  • The developer must manually implement functionality relating to ownership, role-based access, or other special permissions; otherwise, the contract will become orphaned when it is deployed.
  • According to a recent investigation, at least 2.1 million Ethereum smart contracts, out of a total of 5.8 million, employ the onlyOwner modifier from the OpenZeppelin Contracts library, which permits just a certain user to call the smart contract’s functionalities.
  • All smart contracts were divided into two categories: administrated contracts and effectively ungoverned smart contracts, with the emphasis on the fact that not all contracts with an owner are necessarily administrated, as ownership can be purely symbolic or only allow harmless operations in some cases.
  • Non-administrated smart contracts are also known as essentially ungoverned smart contracts, a category that includes ownable non-administrated contracts, many of which are ERC20 tokens.
  • In this paper, the focus is on administrated ERC20 tokens, with the purpose of introducing a novel subset of these tokens - securely administrated ERC20 tokens.

Method

  • The study employs a pattern recognition algorithm to search for administrated ERC20 tokens on the Ethereum Mainnet network, beginning by preprocessing all input samples by removing comments and extracting source codes from multi-part JSON files.
  • A total of 385 samples were selected at random from 84,062 distinct source code files and manually assigned (labeled) into two categories:
    • administered ERC20 tokens and
    • others.

  • Then, using the K-fold method (with k = 5) the 385 labeled samples and the related feature vectors were tested to evaluate the performance of 9 distinct classifiers.
  • The Support Vector Classier (SVC) classifier was used to train the feature vectors corresponding to the complete data set with the 385 labeled examples. Because of the identical and independently distributed (i.i.d) assumption, the trained SVC model can classify all of the samples.

Results

  • The result reveals that 54,626 smart contracts were identified as ERC20 tokens out of 84,062 analyzed smart contracts, representing approximately 64.6%.
  • There are 39,034 contracts categorized as administrated ERC20 tokens, representing approximately 57.96% of all smart contracts analyzed and 89.76% of all ERC20 tokens.
  • Consequently, except for the Gaussian Naive Bayes classifier which is slightly above 61%, 8 out of 9 classifiers operate within the 95% … 97% accuracy range.

  • The research also reveals that about 10% of all ERC20 tokens are non-administrated, meaning that they have full decentralization and permissionless design, whereas a greater percentage are tightly managed by their owners and other privileged users thereby overriding the hosting blockchain’s decentralized capacity.

Discussion and Key Takeaways

  • Administrated ERC20 tokens are generally unsafe since they are poorly controlled and may be exploited by their owner or stolen by an attacker.
  • ERC20 fungible tokens have been a beacon of hope for the tokenized economy of the future. However, according to this research, almost 9 out of 10 ERC20 tokens are administrated assets that are typically less secure than traditional financial institutions and accounts.
  • The ERC20-managed patterns can be utilized by token owners without endangering the contract’s security or needing user confidence. To accomplish this, the present primitive administrated routines may be re-implemented using three novel concepts: deferred maintenance, board of trustees, and safe pausing.

Implications and Follow-ups

  • The main source of concern regarding smart contracts’ safety is security vulnerabilities in them. However, automated tools for detecting known smart contract vulnerabilities have been proposed by researchers.
  • It is expedient to note that a novel aspect of semi-rational human behavior leads to the misconception that most smart contracts are decentralized, permissionless, and ungoverned simply because they are placed on a blockchain with these properties.
  • The ERC20-managed patterns can be utilized by token owners without endangering the contract’s security or needing user confidence.
  • The primitive administrated routines of ERC20-managed patterns may be re-implemented using three novel concepts: deferred maintenance, board of trustees, and safe pausing.

Applicability

  • This work applies to anyone developing smart contracts who seek to protect users from the frivolousness of unregulated token owners without depriving the functionalities.
  • The implementation of this protocol for the ownership mechanism for the ERC20 token will successfully preclude a single point of security failure and requires prior notice of maintenance as well as for honest token owners to achieve their goals in a way that is safe for them and the users.
4 Likes

@Jmax Thank you for the wonderful summary. It was a truly enjoyable light read.

I have an naive question. You mentioned that decentralized, non-administrated smart contracts are safer than their administrated counter parts. Why are non-administrated smart contracts exempt from those risks?

1 Like

Thanks for the kind words, and I’m glad you enjoyed the summary. To respond to your query, it seems like an oxymoron given the way it was presented in the research paper.

The implication of this is based mainly on the implementation of the ERC20 tokens. What this means is that an administrated ERC20 token is not just distinct from a typical centralized asset management system like banks, which is subject to single-point exploit by either the owners or attackers. However, non-administrated are fully decentralized and permissionless by design. Consequently, the safety referred to has to do with the control of the assets, whether permissioned or permissionless.

Meanwhile, the purpose of the research was to implement a SafelyAdministrated class that protects users of administrated ERC20 tokens against adversaries.

1 Like