Penny Wise and Pound Foolish: Quantifying the Risk of Unlimited Approval of ERC20 Tokens on Ethereum

07/05/2022
by Dabao Wang, et al.

The prosperity of decentralized finance motivates many investors to profit by trading their crypto assets on decentralized applications (DApps for short) of the Ethereum ecosystem. Apart from Ether (the native cryptocurrency of Ethereum), many ERC20 tokens (ERC20 being a widely used token standard on Ethereum) hold vast market value in the ecosystem. Specifically, the approval mechanism is used to delegate the privilege of spending users' tokens to DApps. By doing so, the DApps can transfer these tokens to arbitrary receivers on behalf of the users. To increase usability, unlimited approval is commonly adopted by DApps to reduce the required interaction between them and their users. However, as shown in existing security incidents, this mechanism can be abused to steal users' tokens. In this paper, we present the first systematic study to quantify the risk of unlimited approval of ERC20 tokens on Ethereum. Specifically, by evaluating existing transactions up to 31st July 2021, we find that unlimited approval is prevalent (60 risk of their approved tokens for stealing. After that, we investigate the security issues that are involved in interacting with the UIs of 22 representative DApps and 9 famous wallets to prepare the approval transactions. The result reveals the worrisome fact that all DApps request unlimited approval from the front-end users and only 10 information for the approval mechanism. Meanwhile, only 16 users to modify their approval amounts. Finally, we take a further step to characterize the user behavior into five modes and formalize the good practice, i.e., on-demand approval and timely spending, towards securely spending approved tokens. However, the evaluation result suggests that only 0.2 users follow the good practice to mitigate the risk.
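As an added illustration of the approval mechanism the abstract describes (example code written for this page, not from the paper or its authors), the following Python model implements ERC20 `approve`/`transferFrom` semantics, flags unlimited allowances, and quantifies the exposure they create, i.e. how many tokens a spender could move right now. The account names, the `2**255` "unlimited" threshold and the sample balances are constructed assumptions, not values from the paper.

```python
# Added example: minimal ERC20 allowance ledger plus an auditor for unlimited approvals.
# Assumptions (constructed for this page, not from the paper): allowances at or above
# 2**255 are treated as "unlimited", and exposure = min(allowance, owner balance).
from dataclasses import dataclass, field

MAX_UINT256 = 2**256 - 1          # the value wallets typically submit for "unlimited"
UNLIMITED_THRESHOLD = 2**255      # heuristic cut-off for classifying an approval as unlimited


@dataclass
class ERC20Ledger:
    """Balances and allowances following ERC20 approve/transferFrom semantics."""
    balances: dict = field(default_factory=dict)     # owner -> token balance
    allowances: dict = field(default_factory=dict)   # (owner, spender) -> allowance

    def approve(self, owner, spender, amount):
        # approve() overwrites the allowance; it does not add to it.
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        allowance = self.allowances.get((owner, spender), 0)
        if amount > allowance or amount > self.balances.get(owner, 0):
            raise ValueError("insufficient allowance or balance")
        self.allowances[(owner, spender)] = allowance - amount   # allowance is consumed
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def is_unlimited(amount):
    return amount >= UNLIMITED_THRESHOLD


def exposure(ledger, owner, spender):
    """Tokens the spender could move immediately: bounded by allowance AND balance."""
    return min(ledger.allowances.get((owner, spender), 0), ledger.balances.get(owner, 0))


def audit(ledger):
    """(owner, spender, exposed_tokens) for every unlimited approval that still exposes tokens."""
    return [(o, s, exposure(ledger, o, s)) for (o, s), a in ledger.allowances.items()
            if is_unlimited(a) and exposure(ledger, o, s) > 0]


def demo():
    """Constructed scenario: one unlimited approval, one on-demand approval, then a revocation."""
    ledger = ERC20Ledger(balances={"alice": 1_000, "bob": 500})
    ledger.approve("alice", "dapp_router", MAX_UINT256)         # unlimited: whole balance exposed
    ledger.approve("bob", "dapp_router", 100)                   # on-demand: exact amount only
    ledger.transfer_from("dapp_router", "bob", "pool", 100)     # timely spending drains bob's allowance
    before = audit(ledger)
    ledger.approve("alice", "dapp_router", 0)                   # revoke by setting allowance to zero
    return before, audit(ledger)
```

`demo()` returns the findings before and after the revocation; only Alice's unlimited approval is reported, and it disappears once her allowance is reset to zero.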
