Resolving the Multiple Withdrawal Attack on ERC20 Tokens

Rahimian, Reza; Eskandari, Shayan; Clark, Jeremy

doi:10.1109/eurospw.2019.00042

Cited by 10 publications

(7 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Then, to verify their true identities, we use sig PK U .PKI/ as the digital signature for the users, and Sign R to represent the ring signature. The three tokens [17] are represented by T v-s , T s-c , and T c-p . Other basic notations are introduced in the following.…”

Section: Basic Notionsmentioning

confidence: 99%

EVchain: An Anonymous Blockchain-Based System for Charging-Connected Electric Vehicles

Chen

2021

Tsinghua Sci. Technol.

View full text Add to dashboard Cite

Purchases of electric vehicles have been increasing in recent years. These vehicles differ from traditional fossil-fuel-based vehicles especially in the time consumed to keep them running. Electric-Vehicle-charging Service Providers (EVSPs) must arrange reasonable charging times for users in advance. Most EVSP services are based on third-party platforms, but reliance on third-party platforms creates a lack of security, leaving users vulnerable to attacks and user-privacy leakages. In this paper, we propose an anonymous blockchain-based system for charging-connected electric vehicles that eliminates third-party platforms through blockchain technology and the establishment of a multi-party security system between electric vehicles and EVSPs. In our proposed system, digital certificates are obtained by completing distributed Public Key Infrastructure (distributed-PKI) identity registration, with the user registration kept separate from the verification process, which eliminates dependence on the EVSP for information security. In the verification process, we adopt smart contracts to solve problems associated with centralized verification and opaque services. Furthermore, we utilize zero-knowledge proof and ring-signature superposition to realize completely anonymous verification, which ensures undeniability and unforgeability with no detriment to anonymity. The evaluation results show that the user anonymity, information authenticity, and system security of our system fulfill the necessary requirements.

show abstract

Section: Basic Notionsmentioning

confidence: 99%

EVchain: An Anonymous Blockchain-Based System for Charging-Connected Electric Vehicles

Chen

2021

Tsinghua Sci. Technol.

View full text Add to dashboard Cite

show abstract

“…Using these functions in an undesirable situation (i.e., front-running or racecondition) can result in allowing a malicious authorized entity to transfer more tokens than the owner wanted. There are several suggestions to extend ERC-20 standard (e.g., MonolithDAO [74] and its extension in OpenZeppelin [46]) by adding new functions (i.e., decreaseApproval() and increaseApproval()), however, securing transferFrom() method is the effective one while adhering specifications of the ERC-20 standard [55].…”

Section: Multiple Withdrawalmentioning

confidence: 99%

“…Without our counter-measure, an attacker can use a front-running attack [10,19] to transfer more tokens than what is intended (approved) by the token holder. We secure the transferFrom() function by tracking transferred tokens to mitigate the multiple withdrawal attack [55]. Securing the transferFrom() function is fully compliant with the ERC-20 standard without the need of introducing new functions such as decreaseApproval() and increaseApproval().…”

Section: Multiple Withdrawal Attackmentioning

confidence: 99%

“…However these are not part of the ERC-20 standard and are not interoperable with other applications that expect to use approve() and transferFrom(). To-kenHook secures transferFrom() to prevent the attack (following [55]) and is interoperable with legacy DApps and web apps. Additionally, TokenHook mitigates the frozen Ether issue by introducing a withdraw() function, while ETH forced into the OpenZeppelin implementation is forever unrecoverable.…”

Section: Need For Another Reference Implementationmentioning

confidence: 99%

See 1 more Smart Citation

TokenHook: Secure ERC-20 smart contract

Rahimian,

Clark

2021

Preprint

Self Cite

View full text Add to dashboard Cite

ERC-20 is the most prominent Ethereum standard for fungible tokens. Tokens implementing the ERC-20 interface can interoperate with a large number of already deployed internet-based services and Ethereum-based smart contracts. In recent years, security vulnerabilities in ERC-20 have received special attention due to their widespread use and increased value. We systemize these vulnerabilities and their applicability to ERC-20 tokens, which has not been done before. Next, we use our domain expertise to provide a new implementation of the ERC-20 interface that is freely available in Vyper and Solidity, and has enhanced security properties and stronger compliance with best practices compared to the sole surviving reference implementation (from OpenZeppelin) in the ERC-20 specification. Finally, we use our implementation to study the effectiveness of seven static analysis tools, designed for general smart contracts, for identifying ERC-20 specific vulnerabilities. We find large inconsistencies across the tools and a high number of false positives which shows there is room for further improvement of these tools.

show abstract

“…Friedhelm Victor et al [66] provided an overview of more than 64,000 ERC20 token networks and analyzed the top 1,000 from a graph perspective. Besides, there are some studies dedicated to optimizing the ERC-20 token standard [51,58] or using ERC-20 token contract to address practical issues [36,48]. For example, Mayer et al [51] proposed a proxy scaling solution for ERC-20 tokens named BatPay, which is suitable for micropayments in one-to-many and few-to-many scenarios and can reduce gas cost of transactions.…”

Section: Erc-20 Tokensmentioning

confidence: 99%

Tracking Counterfeit Cryptocurrency End-to-end

GaoBingyu

WangHaoyu

XiaPengcheng

et al. 2020

Proc. ACM Meas. Anal. Comput. Syst.

View full text Add to dashboard Cite

The production of counterfeit money has a long history. It refers to the creation of imitation currency that is produced without the legal sanction of government. With the growth of the cryptocurrency ecosystem, there is expanding evidence that counterfeit cryptocurrency has also appeared. In this paper, we empirically explore the presence of counterfeit cryptocurrencies on Ethereum and measure their impact. By analyzing over 190K ERC-20 tokens (or cryptocurrencies) on Ethereum, we have identified 2, 117 counterfeit tokens that target 94 of the 100 most popular cryptocurrencies. We perform an end-to-end characterization of the counterfeit token ecosystem, including their popularity, creators and holders, fraudulent behaviors and advertising channels. Through this, we have identified two types of scams related to counterfeit tokens and devised techniques to identify such scams. We observe that over 7,104 victims were deceived in these scams, and the overall financial loss sums to a minimum of $ 17 million (74,271.7 ETH). Our findings demonstrate the urgency to identify counterfeit cryptocurrencies and mitigate this threat. CCS Concepts: • Security and privacy → Intrusion/anomaly detection and malware mitigation; Web application security; • Information systems → Web mining.

show abstract

Resolving the Multiple Withdrawal Attack on ERC20 Tokens

Cited by 10 publications

References 6 publications

EVchain: An Anonymous Blockchain-Based System for Charging-Connected Electric Vehicles

EVchain: An Anonymous Blockchain-Based System for Charging-Connected Electric Vehicles

TokenHook: Secure ERC-20 smart contract

Tracking Counterfeit Cryptocurrency End-to-end

Contact Info

Product

Resources

About