Speakers at Devcon 7 Continue to Ignore Old ERC-20 Issues

Sunny Thailand

The Devcon 7: Southeast Asia conference has concluded. Streams of developers, entrepreneurs, crypto enthusiasts, and journalists left Thailand with new impressions, knowledge, and connections.

News outlets are publishing pieces about promising developments and trends, while various CEOs praise new projects and predict accelerated cryptocurrency adoption.

A Spoonful of Tar in a Barrel of Honey

While others talk about how wonderful everything was and how gentle the sun is in Thailand, let’s look at the issues left behind the scenes of decentralization discussions.

The Devcon 7 conference was attended by the team behind the DeFi protocol DEX223. Their focus is the development and promotion of the ERC-223 standard, which aims to address vulnerabilities in ERC-20. Naturally, wherever they appeared, the topic of ERC-20 vulnerabilities and the ecosystem's broader issues was raised. Yet, for seven years, the problem of mishandling ERC-20 token transfers to incompatible contracts has been ignored and hushed up. Unfortunately, Devcon 7 was no exception.

The session “Smart Accounts Need Smart Sessions” seemed like an ideal setting to discuss how smart contracts aren’t always that “smart” and fail to recognize incoming tokens. However, the speakers decided that wasn’t important. In this video, you can see how the issue was repeatedly deleted from the group chat. A fine example of the decentralization often lauded in the crypto space.

During the session “How to Onboard 22 Million Users Overnight Using Non-Conventional Cryptography”, a representative of DEX223 asked Ernesto Garcia from OpenZeppelin why, during their ERC-20 audits, they failed to flag vulnerabilities. Ernesto admitted it’s an issue but suggested contributing to their GitHub repository instead. However, OpenZeppelin refused to mark or modify ERC-20 a few years ago, stating that ERC-20 developers should do so first, and only then would they follow suit. While ERC-20 is now marked as problematic on some official Ethereum resources, OpenZeppelin’s own repositories remain unchanged.

The session “Finding Bugs: 42 Tips from 4 Security Researchers” brought together four security experts to discuss identifying and fixing bugs, as well as preventing them. They envisioned Ethereum as the world’s on-chain economy computer for billions of users, requiring ultra-security to achieve this. It seemed like the perfect opportunity to discuss ERC-20 vulnerabilities, one of the EVM ecosystem's critical building blocks. Yet the speakers appeared unprepared for the topic, with no solid opinions, and attempted to sidestep the question. Eventually, they claimed time had run out and moved on to other questions (1:55:10). The only comment from 0xRajeev was that this isn’t a vulnerability in his view—it’s just about understanding how smart contracts work.

In the session “Top Hacks Since Devcon VI: What Did We Learn?”, speakers acknowledged the issue but argued that it’s up to the dApps interacting with end users to fix it.

It feels like everyone wants to shift responsibility onto someone else. Ultimately, the end user bears the brunt, expected to navigate the system and recognize hidden "quicksands." But imagine someone paying in a store with a bank card—they likely have no idea how the banking system works, nor do they care. They just want to pay. That’s what mass adoption looks like. Why should it be different with cryptocurrency?

All of this takes place against the backdrop of a recent news story where an investor lost $26 million.

Astonishingly, people gather to present the product and seek new investments for their products while refusing to discuss problems or consider how to fix them—despite the existence of solutions like ERC-223, ready for use.

Beyond the Horizon

Sure, it’s great to create new technologies and products based on them. But ignoring fundamental issues is shortsighted. In the end, every new product is built around existing assets that have already infused the ecosystem with value.

Thus, the foundations of EVM network ecosystems are riddled with cracks, allowing winds to blow through and millions to slip out of users’ wallets.

We can endlessly discuss and predict when cryptocurrency will cease to be a speculative asset and become an ordinary part of the everyday financial system. But by ignoring the industry's growing pains, it’s safe to say that this will never happen.