-
Notifications
You must be signed in to change notification settings - Fork 5.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ERC827 Token Standard (ERC20 Extension) #827
Comments
I really like the fact that it remains fully ERC20 compatible, and does not force receivers of the token to implement a certain function to signal that they accept them. One question though: what is the rationale behind making the external call before the transfer or approval? I would have expected the call to occur afterwards, so the receiver of the tokens can check the transferred/approved balance and act upon it on that same call. And by |
@spalladino In the I think the order of the function call in You are right that if the call fails the I have no problem on changing the order :) |
Oops sorry, I misunderstood the order in |
I agree, im going to change the description in the issue. |
I like this. Where do you envision this standard relative to ERCs 20, 223, and 777? It seems like 827 is a fantastic stopgap that's 20-compatible that should be adopted relatively quickly before the community gets around to ratifying 223 or 777. Thoughts? |
I really like this, thanks a lot! What do you think about overloading |
@shrugs yes I agree, less code is safer and easier to test, and I think this new methods fulfill the needs that the rest of the standards are trying to cover. @facuspagnuolo but if we do that we will change the ERC20 function signatures and it wont be ERC20 compatible anymore, right? I think we cant have functions with the same name and different arguments, or we can? 🤔 |
@AugustoL as far as I know, if we provide an overloaded function changing the amount of parameters, I think it won't change the signature of the ERC20 functions, for example:
am I right? |
@facuspagnuolo I think you are, let me do a quick test! 👀 |
Another quick thing, we might want to distinguish between |
@facuspagnuolo I changed the method names to be the same as ERC20 but with the data argument and the signature is different so there is not issue on having the same name but with the |
I think that allowing the token contract to call any function at any address is much less useful than calling some sort of A big part of this is that It also seems like it could have unintended consequences to allow a token to call any arbitrary data. For example, if tokenA is accidentally transferred to an ERC827 token contract, anyone would be able to claim these tokens by simply calling |
@abandeali1 thanks for the feedback! But I think this is more useful because you dont need to have any specific method in the receiver contract to call it, but if the contract has it you can still use it, so you can call any other contract and make use of the There is way to know who executed the transaction, you can send a signature of the And if there is tokens transfered to this contract they can be claimed by anyone, I dont see any problem there, at least they are not stuck there, which I think is the main problem, having tokens that are not able to being used. |
@AugustoL this is partially true. The major difference is that in ERC223/777, To the second point, this particular case might not be that bad. But this is just a single example of unintended consequences, and I can't confidently say that there aren't other cases out there that would lead to a worse outcome. |
As of yesterday's release of zeppelin, those links in the above post no longer work because the contract code has been migrated into separate directories: |
Thanks @strotter ! fixed :) |
I find one important problem with this standard. The call to the receiver's contract is not authenticated. The receiver's contract cannot tell if the data received comes in fact from the sender or anyone else. I see people will start using it in this way: token.transfer(receiver,amount, abiEncodingOf(received(sender ,amount)) It would be much much useful if the receiver would receive the arguments token, sender and amount right from the token contract, and not from the supposedly sender. The pattern that uses approve/transferFrom can also lead to common mistakes if a honest sender uses token.transferFrom(receiver,amount), and then a malicious user uses token.transfer(receiver,0,simData) just to simulate the previous transferFrom() has a data argument. Also this standard will break any other future standard that tries to fix this problem and try to notify a receiver with authenticated source/amount information. Once you allow the token to emit any message, you cannot authenticate anything later. Still another problem is that you can use the token to send messages to itself. If the token contract is owner of tokens, then you can use this to steal the tokens from the token contract. Very bad standard IMHO. Now that I read the previous comments, I note that ALL that I said has been already said in a previous comment by @abandeali1 |
@SergioDemianLerner Thanks for your feedback! We require that the the If the contract have any other tokens or assets they are open for grabs, I dont see a problem there since the contract in my opinion in only responsible of handling the internal balances. Authentication is something that I think it can be done from the other contract too, without requiring the contract to be called to have a function to receive tokens. How do you see message signing/verification being used in the receiver contract for authentication? If you need to authenticate a user it can send a signature of a hash generated inside the function and verify the real sender there. I use a lot more |
@AugustoL To be clear,
You are talking about a pattern like this?
This would require the receiving contract be aware of the token contract address. It would be nice if the sender and value were passed as arguments so we would not need to do the approval-allowance-transferFrom dance. |
@dadeg Something like that, yes! Keep in mind that you can send the value in the call data and you also can instantiate a ERC20 token using the msg.sender address.
Although I would recommend to have some way to specify the token address in the contract itself, if not it can be called from any ERC827 token. |
Thanks! I am unsure if sending value is a wise idea, considering there is no guarantee that the value mentioned in the As long as the receiving contract knows the address of the token contract, this Edit: To add on to this, There is no risk of a malicious actor calling |
Please correct me if I'm wrong, but doesn't this standard mean that the resulting 827 tokens will not be compatible with most (all?) ERC223 #223 receiver contracts (to the extent they exist)? ERC223 requires that the receiving contract accept tokenFallback from pre-approved sending contract addresses to validate that the second argument 'value' represents a guaranteed transfer to the receiver. In this case, however, the invocation of tokenFallback will be composed by the caller of the transfer(with bytes) function. You can't know that they are not nefarious and crediting themselves with more tokens than they are indeed transferring. This is essentially the same argument that @SergioDemianLerner and @abandeali1 made - and I concur. For the "transfer" function, this is at least useless and quite possibly dangerous. For the "approve", it works because the receiver then has to call transferFrom and can inspect the implementation of transferFrom to ensure they are satisfied with its behavior. What happened to the old "approveAndCall" pattern? OpenZeppelin/openzeppelin-contracts#346 |
@yarrumretep as far as I can tell, the current implementation of microraiden, which is a #223 receiver contract, is susceptible to this attack: But I wonder if this an issue with ERC827, or with #223 receivers (and #777 receivers for that matter). They probably shouldn't trust that tokens have been transferred. Otherwise they need to implement a white/black list to be safe. |
Since when is it a good idea to execute arbitrary calls to contracts? Let alone make that part of a token standard? Just popping in since I heard "microraiden". Basically re-iterating what @abandeali1, @SergioDemianLerner and @yarrumretep mentioned. In the spec you have this function: function transfer(address _to, uint256 _value, bytes _data) returns (bool success) You describe it as:
So essentialy I can do an ERC20 transfer of 1 token to contract |
@LefterisJP i think your example highlights a weakness in the target contract, not in this token standard. |
@dadeg As a 'receiving' contract under this standard as described above all I effectively get is a ping that my balance may change in the future by some unspecified amount. Because the standard does not mandate anything about the contents of the _data (nor could it really control that without a significant on-chain burden), the receiver isn't guaranteed anything in particular about the arguments passed therein and their relation to the 827 token contract's actual anticipated transfer. Receiver can't even keep his old balance and compare to verify because the actual transfer is not completed until after his call. Any contract expecting to receive ERC223 tokens (with some kind of tokenFallback function) would not be able to receive tokens that implemented this function without specific precautions to prevent callers invoking tokenFallback in the _data parameter. tokenFallback value parameter can be trusted with sending contract source inspection. _data cannot be trusted to report the quantity of the transfer. Also, couldn't this pattern of calling out prior to making data changes open this function to reentrancy issues? The approveAndCall variant above, on the other hand, seems more reasonable and useful to me. There is no incentive to 'lie' about the amount being approved in the _data invocation - because the amount is either approved or not in the sending contract. Although it takes more gas than the 223 method, the only trust that must be verified before accepting calls from a sending token is that the tranferFrom function functions as advertised (and the rest of the token behaves in an ERC20 way). This is, in essence, a way to chain 2 calls together (approve and then doSomethingWithThisApproval). Existing ERC20 handlers expecting the approve/doSomething pattern might even be usable directly without modification (if they have a doSomething variant that doesn't depend on msg.sender). |
We have a proposal for changes to fix current issues in the token standard and also add more control over which functions can be executed from the token contract allowing the receiver contracts to have control ownership over it. Proposal SummaryThe receiver contract where the callback function will be executed now needs to allow the execution of that callback itself, if the sender attempt to execute a function that is not allowed on a receiver contract it will fail. The allowedCallbacks mapping works like this: Receiver => Sender => Function Signature => FunctionType => Allowed The The The The The To manage the allowance of the callback the proposal adds two new functions:
Implementation: https://github.com/windingtree/erc827/blob/master/contracts/ERC827/proposals/ERC827TokenMockAllowedCallbacks.sol Merged pull request with description and discussion: windingtree/erc827#2 Thanks @Perseverance for the help and review 👏 |
Second proposal submitted to the windingtree/erc827 repository: windingtree/erc827#4 SummaryThe proposal adds an ERC827Proxy to the token to be used for every method that will execute arbitrary calls, doing this the msg.sender in the receiver contracts will be the ERC827Proxy address and not the ERC827 token, ImplementationThe implementation is done in the contracts/proposals folder on the ERC827TokenWithProxy.sol file. My thoughts: I like a lot this one, it does not give as much control over the arbitrary calls as the AllowedCallbacks but it solves the main issue, making calls in behalf of the token contract. Based on the proxy idea by @k06a |
Implementation of proxy proposal simplified and ready to be merged windingtree/erc827#4 |
@AugustoL would you mind summarizing what the current state of this proposal. from what I can understand:
On a related note, do you know if the vulnerabilities also apply to #677, or does the fact that it defines a specific callback method (tokenFallback) mean it is not affected? |
@ptrwtts |
@ptrwtts calling arbitrary method allows you to send your token to any smart contract in a way it supports. There are some DEXes with different smart contract interfaces. No need for all contract to support special token protocol, just being compatible with ERC20. #677 has a problem with checks, anyone implementing |
TransferAndCall is this function ‘_to’ a contract address or a receiver address? |
@RNHaoHao to the contract address, then you should redistribute the approval from the contract. |
@AugustoL _to represents the address of other contracts. Functions that can be invoked by other contracts? |
"TransferAndCall" I always failed to call ("0xacb6208f4fbc6ac8fb60ad92f7096b4100538f45",100,"0xa9059cbb0000000000000000000000004ffe370c88549717a552f9ed7aac84b12e6bc1680000000000000000000000000000000000000000000000000de0b6b3a7640000") |
PR created to integrate proxy proposal into standard and update to solidity v0.5.0 |
PR created to change proxy handling, instead of using one single proxy a proxy can be created and destroyed for each call without any remaining balance of tokens and ETH left in it. This also allows the verification of the original msg.sender by calculating the address of the proxy in the receiver contract in case if needed. How approveAndCall would work: This is definitely much better than a single proxy since it allows the verification of the original sender if necessary. |
And because the proxy address is not being reused and shared between accounts now! |
@AugustoL what is the status of ERC827, as of your latest proposal to dynamically create and destroy poxies (#827 (comment))? Is ERC827 in use in the real world? I am trying to decide whether to add this interface to a contract, and I'm interested to know if this has been battle-tested, and/or if it has seen any adoption. Also, what does it mean that "This standard... is proven to be unsafe to be used" mean? What part is unsafe, specifically? |
I am going to close this as GitHub is no longer the proper place to discuss ideas for EIPs (it used to be). If the author of this wants to pursue this further, they can either create a thread on Ethereum Magicians to continue discussion, or they can create a draft EIP and start working through the EIP process as described in EIP-1. |
Implementing this token is unsafe as per comments here: ethereum/EIPs#827 (comment)
This standard is still a draft and is proven to be unsafe to be used
Simple Summary
A extension of the standard interface ERC20 for tokens with methods that allows the execution of calls inside transfer and approvals.
Abstract
This standard provides basic functionality to transfer tokens, as well as allow tokens to be approved so they can be spent by another on-chain third party. Also it allows to execute calls on transfers and approvals.
Motivation
This extension of the ERC20 interface allows the token to execute a function in the receiver contract contract after the approval or transfer happens. The function is executed by the token proxy, a simple proxy which goal is to mask the msg.sender to prevent the token contract to execute the function calls itself.
The ERC20 token standard is widely accepted but it only allows the transfer of value, ethereum users are available to transfer value and data on transactions, with these extension of the ERC20 token standard they will be able to do the same with ERC20 tokens.
I saw a lot of new standards being proposed in the community and I think the way to improve the current ERC20 standard is with an extension that is fully compatible with the original standard and also add new methods, but keeping it simple at the same time, the code to be added to the ERC20 standard is near 150 lines of code.
When to use each function
approveAndCall: Probably the one that you will need, maybe the only one since it only allows the receiver contract to use approved balance. The best practice is to check the allowance of the sender and then do your stuff using the transferFromAndCall method.
transferAndCall: There is no way to check that the balance that will be transferred is the correct one, this function is useful when a function dont need to check any transfer of value.
transferFromAndCall: Same as transferAndCall, only useful when there is no need to check the transfered amount of tokens and want to spend approved balance.
Specification
Token
Methods
NOTE: Callers MUST handle
false
fromreturns (bool success)
. Callers MUST NOT assume thatfalse
is never returned!name - ERC20
Returns the name of the token - e.g.
"MyToken"
.OPTIONAL - This method can be used to improve usability,
but interfaces and other contracts MUST NOT expect these values to be present.
symbol - ERC20
Returns the symbol of the token. E.g. "HIX".
OPTIONAL - This method can be used to improve usability,
but interfaces and other contracts MUST NOT expect these values to be present.
decimals - ERC20
Returns the number of decimals the token uses - e.g.
8
, means to divide the token amount by100000000
to get its user representation.OPTIONAL - This method can be used to improve usability,
but interfaces and other contracts MUST NOT expect these values to be present.
totalSupply - ERC20
Returns the total token supply.
balanceOf - ERC20
Returns the account balance of another account with address
_owner
.transfer - ERC20
Transfers
_value
amount of tokens to address_to
, and MUST fire theTransfer
event.The function SHOULD
revert
if the_from
account balance does not have enough tokens to spend.A token contract which creates new tokens SHOULD trigger a Transfer event with the
_from
address set to0x0
when tokens are created.Note Transfers of 0 values MUST be treated as normal transfers and fire the
Transfer
event.transferFrom - ERC20
Transfers
_value
amount of tokens from address_from
to address_to
, and MUST fire theTransfer
event.The
transferFrom
method is used for a withdraw workflow, allowing contracts to transfer tokens on your behalf.This can be used for example to allow a contract to transfer tokens on your behalf and/or to charge fees in sub-currencies.
The function SHOULD
revert
unless the_from
account has deliberately authorized the sender of the message via some mechanism.Note Transfers of 0 values MUST be treated as normal transfers and fire the
Transfer
event.approve - ERC20
Allows
_spender
to withdraw from your account multiple times, up to the_value
amount. If this function is called again it overwrites the current allowance with_value
.Users SHOULD make sure to create user interfaces in such a way that they set the allowance first to
0
before setting it to another value for the same spender.THOUGH The contract itself shouldn't enforce it, to allow backwards compatibility with contracts deployed before
allowance - ERC20
Returns the amount which
_spender
is still allowed to withdraw from_owner
.ERC827 Proxy
A very simple proxy contract used to forward the calls form the token contract.
There is a public variable called proxy in the ERC827 token, this can be used to check if the call is coming from the ERC827 token since the proxy can only forward calls from the token contract.
ERC827 methods
transferAndCall - ERC827
Execute a function on
_to
with the_data
parameter, if the function ends successfully execute the transfer of_value
amount of tokens to address_to
, and MUST fire theTransfer
event.This method is
payable
, which means that ethers can be sent when calling it, but the transfer of ether needs to be handled in the call is executed after transfer since the one who receives the ether is the token contract and not the token receiver.The function SHOULD
revert
if the call to_to
address fails or if_from
account balance does not have enough tokens to spend.The ERC20
transfer
method is called before the_call(_to, _data)
.Note Transfers of 0 values MUST be treated as normal transfers and fire the
Transfer
event.Important Note Do not use this method with fallback functions that receive the value transferred as parameter, there is not way to verify how much value was transferred on the fallback function.
transferFromAndCall - ERC827
Execute a function on
_to
with the_data
parameter, if the function ends successfully execute the transfer of_value
amount of tokens from address_from
to address_to
, and MUST fire theTransfer
event.This method is
payable
, which means that ethers can be sent when calling it, but the transfer of ether needs to be handled in the call is executed after transfer since the one who receives the ether is the token contract and not the token receiver.The
transferFromAndCall
method is used for a withdraw workflow, allowing contracts to transfer tokens on your behalf before executing a function.The ERC20
transferFrom
method is called before the_call(_to, _data)
.This can be used for example to allow a contract to transfer tokens on your behalf and/or to charge fees in sub-currencies.
The function SHOULD
revert
if the call to_to
address fails or if the_from
approved balance by_from
tomsg.sender
is not enough to execute the transfer.Note Transfers of 0 values MUST be treated as normal transfers and fire the
Transfer
event.Important Note Do not use this method with fallback functions that receive the value transferred as parameter, there is not way to verify how much value was transferred on the fallback function.
approveAndCall - ERC827
Execute a function on
_spender
with the_data
parameter, if the function ends successfully allows_spender
to withdraw from your account multiple times, up to the_value
amount. If this function is called again it overwrites the current allowance with_value
.This method is
payable
, which means that ethers can be sent when calling it, but the transfer of ether needs to be handled in the call is executed after transfer since the one who receives the ether is the token contract and not the token receiver.Clients SHOULD make sure to create user interfaces in such a way that they set the allowance first to
0
before setting it to another value for the same spender.The ERC20
approve
method is called before the_call(_spender, _data)
.The function SHOULD
revert
if the call to_spender
address fails.THOUGH The contract itself shouldn't enforce it, to allow backwards compatibility with contracts deployed before
Events
Transfer - ERC20
MUST trigger when tokens are transferred, including zero value transfers.
Approval - ERC20
MUST trigger on any successful call to
approve(address _spender, uint256 _value)
.Past Issues
The main issue that has been recognized by the community is that the standard does not follow the assumption about executing calls in behalf of a token contract, every smart contract that handle token balances assume the token contract will execute only the common methods and maybe a callback that is implemented by the token itself. This standard break that rule and allow the execution of arbitrary calls making it hard to integrate in current solutions.
UPDATE
This was solved by adding a simple proxy to the token and forwarding the calls coming from the token contract, the proxy ensure that the calls come only from the token contract and allows this to be verified on chain, this prevents the token address to be used as
msg.sender
allowing the integration with current solutions.Discussion channel
https://gitter.im/ERC827
Revisions
Implementation
ERC827 Interface in Winding Tree
[ERC827 Standard Token implementation in Winding Tree](https://github.com/windingtree/erc827/blob/master/contracts/ERC827/ERC827.sol
Copyright
Copyright and related rights waived via CC0
The text was updated successfully, but these errors were encountered: