A Beginner's Guide to Auditing an ERC20 Contract

Written by uvvirus | Published 2022/12/15
Tech Story Tags: erc20 | ethereum-blockchain | tokens | ethereum | tokenization | smart-contracts | smart-contracts-solidity | audit


In the world of blockchain, tokens are considered assets, and these assets have to be secured. It is the auditor's responsibility to test a smart contract for vulnerabilities after the developers have written it. Tokens are created with smart contracts that, in turn, follow the ERC20 standard.

So, how do you audit ERC20 contracts?

Follow the instructions below in this article. But before that, let's define ERC20.

What is ERC20?

ERC20 (Ethereum Request for Comment 20) is the standard for fungible tokens created on the Ethereum blockchain. A fungible token is interchangeable with any other token of the same kind, whereas the well-known non-fungible tokens (NFTs) are not interchangeable.

Functionalities of ERC20 standard:

If the contract implements the functionality below, we can say that it follows the ERC20 standard.

  • transfer tokens from one account to another
  • get the current token balance of an account
  • get the total supply of the token available on the network
  • approve an amount of tokens from an account to be spent by a third-party account

Things to check when auditing the ERC20 contract:

  1. When tokens are transferred from one account to another, check that both balances are updated correctly.

  2. Similarly, when the contract transfers ETH, check that the state changes happen before the transfer. For example, the sender's recorded balance should be reduced before the ETH is sent to the receiver. This ordering (checks-effects-interactions) stops attacks like reentrancy.

  3. Check all the external calls and externally callable functions, because anyone can call an external function. If one of them has a bug, an attacker can drain the balance held in the contract.

  4. If the contract has multiple user roles, review every role and check that the access controls are applied properly to the functions each role may call.

  5. Check whether the parent contracts (ERC20, Ownable) are standard contracts (e.g. written by OpenZeppelin) or custom contracts written by the developer.
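The following contract is an added illustration for checklist items 1, 2 and 4 above (and the ERC20 functionality list earlier); it is not code from the article. Everything in it is hypothetical: the contract name, the `ethDeposits` ledger, and the deliberately mis-ordered `withdrawUnsafe()`, which is kept next to the corrected `withdraw()` only so the two orderings can be compared. A real token would contain only the corrected form, and would normally inherit the ERC20 and Ownable logic from an audited library (item 5) rather than re-implementing it as done here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration (not the article's code): a hypothetical token that also
// holds ETH deposits, annotated with what checklist items 1, 2 and 4 look for.
contract AuditExampleToken {
    uint256 public totalSupply;
    address public owner;
    bool private locked; // reentrancy guard flag

    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => uint256) public ethDeposits;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed tokenOwner, address indexed spender, uint256 value);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(uint256 initialSupply) {
        owner = msg.sender;
        _mint(msg.sender, initialSupply);
    }

    // Item 1: both balances must change by exactly `value`. Solidity 0.8
    // reverts on underflow, but the explicit require gives a clear reason.
    function transfer(address to, uint256 value) external returns (bool) {
        require(to != address(0), "transfer to zero address");
        require(balanceOf[msg.sender] >= value, "insufficient balance");
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
        emit Transfer(msg.sender, to, value);
        return true;
    }

    function approve(address spender, uint256 value) external returns (bool) {
        allowance[msg.sender][spender] = value;
        emit Approval(msg.sender, spender, value);
        return true;
    }

    // Item 1 again: the allowance must shrink along with the balances.
    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        require(to != address(0), "transfer to zero address");
        require(balanceOf[from] >= value, "insufficient balance");
        require(allowance[from][msg.sender] >= value, "insufficient allowance");
        allowance[from][msg.sender] -= value;
        balanceOf[from] -= value;
        balanceOf[to] += value;
        emit Transfer(from, to, value);
        return true;
    }

    function deposit() external payable {
        ethDeposits[msg.sender] += msg.value;
    }

    // Item 2, the ordering an auditor flags: the ETH is sent before the
    // deposit is zeroed, so a re-entering recipient still sees the old value.
    function withdrawUnsafe() external {
        uint256 amount = ethDeposits[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
        ethDeposits[msg.sender] = 0; // effect after interaction: wrong order
    }

    // Item 2, corrected: checks, then effects, then the external interaction,
    // with a reentrancy guard as defence in depth.
    function withdraw() external nonReentrant {
        uint256 amount = ethDeposits[msg.sender];
        require(amount > 0, "nothing to withdraw");
        ethDeposits[msg.sender] = 0;                      // effect first
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction last
        require(ok, "send failed");
    }

    // Item 4: minting changes totalSupply, so it must carry a role check.
    function mint(address to, uint256 value) external onlyOwner {
        _mint(to, value);
    }

    function _mint(address to, uint256 value) internal {
        require(to != address(0), "mint to zero address");
        totalSupply += value;
        balanceOf[to] += value;
        emit Transfer(address(0), to, value);
    }
}
```

When reading a contract like this, the concrete checks are: every function that moves tokens touches both sides of the ledger (and the allowance, for `transferFrom`); every function that sends ETH zeroes or reduces the stored amount before the `call`; and every function that changes `totalSupply` or `owner` carries a modifier such as `onlyOwner`.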

Gas optimization issues:

During the audit, auditors also look for gas optimization issues, since these reduce costs for the client. Gas optimization applies to all contracts, not only to ERC20 contracts.

  1. Check that every function declared in the contract is actually used (unused functions).
  2. Check for multiple functions with the same functionality; developers sometimes write their own logic where an existing function would do.
  3. Writing to blockchain storage is costly. So search for the "storage" keyword and analyze whether the value really needs to be written to the blockchain. The recommendation may be to use the "memory" keyword instead.
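As an added example for point 3 (not from the article), the hypothetical contract below shows the distinction an auditor makes when they see `storage` in a function: a read-only loop that caches values in memory, next to a loop that must keep a `storage` reference because its update has to persist. The `Holder` struct and function names are assumptions. Note that a `view` function only costs gas when it is called from another contract in a transaction, so the saving matters most for on-chain callers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration (not the article's code) of the storage-versus-memory
// review under gas optimization point 3. Names are hypothetical.
contract GasExample {
    struct Holder {
        address account;
        uint256 balance;
    }

    Holder[] public holders;

    function addHolder(address account, uint256 balance) external {
        holders.push(Holder(account, balance));
    }

    // Read-only use. Each storage read (SLOAD) costs far more than a memory
    // read, so the array length is read once and each struct is copied to
    // memory once; `h.balance` is then read twice from memory rather than
    // twice from storage. A `storage` reference here would buy nothing.
    function totalAtLeast(uint256 minimum) external view returns (uint256 total) {
        uint256 n = holders.length; // cached: one SLOAD instead of n+1
        for (uint256 i = 0; i < n; i++) {
            Holder memory h = holders[i];
            if (h.account != address(0) && h.balance >= minimum) {
                total += h.balance;
            }
        }
    }

    // Write use. The `storage` keyword is correct here because the update
    // must persist; switching it to `memory` would modify a throwaway copy
    // and the function would silently do nothing.
    function creditAll(uint256 bonus) external {
        uint256 n = holders.length;
        for (uint256 i = 0; i < n; i++) {
            Holder storage h = holders[i];
            h.balance += bonus;
        }
    }
}
```

The review question for each `storage` occurrence is therefore not "remove it" but "does this function need to persist a write?" If it does not, the data can be copied to memory (or the repeated value cached in a local variable); if it does, the `storage` reference stays and the auditor instead checks that the write is intended and access-controlled.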

After finding all the issues, it is important to verify each of them once more.




Written by uvvirus | I am a security engineer who writes articles related to security, mostly web3 security.
Published by HackerNoon on 2022/12/15