
4 hours ago $240K worth of CRO were deposited to the address of USDT contract

Ethereum Reddit

A user just sent 4,800,000 CRO to the address of the USDT smart contract: https://etherscan.io/tx/0x4e3f1853dc4bfeb2a5cd4ebbc79d0853ad993d5368bed19d8195d64928e11ac2

As a result, the tokens are lost and there is no way to recover them.

What's wrong with it?

While it was a user's mistake on one hand (the user should not send tokens to the address of another token contract), it is also an ERC-20 standard failure. Handling user mistakes is quite a common practice in secure software development, but for some reason it is not supported in ERC-20.

If the user had sent ether to the address of the USDT contract, the transaction would have been automatically reverted because the USDT contract is not intended to hold any tokens or ether. The USDT contract is only intended to BE the token.

It should be noted that this is only the case with ERC-20 standard. ERC-223, ERC-721 standards and ether allow for proper error handling and can't cause financial damage for the end user in such a way.

There are $201M worth of other ERC-20 tokens

I wrote a script that calculates how many tokens are "lost" in contracts in a similar way, and there are $201M worth of tokens currently:

https://gist.github.com/Dexaran/40213a04ce46b394279ac7daa581ce87

It should be noted that error handling is critically important for security. ERC-20 standard does not allow for error handling and user errors that could be easily detected and reverted result in a loss of tokens.

Here is a comparison of how much financial damage was dealt by different accidents in Ethereum history:

  • TheDAO hack: $60M
  • Curve hack: $60M
  • Compound hack: $150M
  • Lack of error handling in ERC-20: $201M
  • Wormhole hack: $326M

The amount of damage that ERC-20 lack of error handling dealt to the ecosystem is at least 3x higher than the recent Curve hack or the most famous TheDAO hack and the amount of lost tokens increases every day until a new standard is implemented.

Nothing prevents it from becoming $20 billion of ERC-20 lost tomorrow.

What can be done?

  • ERC-20 tokens can be delivered to any contract. It is important to implement a "rescue" function to extract them in any contract.
  • Using safer standards like ERC-223 would prevent such issues.
  • The user must contact the CRO development team and ask for a refund, probably, because it is a failure of the CRO contract that managed to deliver tokens where they should not be delivered in the first place. This issue is widely known; I described it in 2017 and it was known at the time of the CRO contract creation. Nevertheless the developers decided to use exactly this problematic standard and it is totally their responsibility. For example, if a bank picked a database that contained a "well-known security flaw", as a result of which the bank's customers lost their deposits due to software faults, then it's the bank's responsibility.
submitted by /u/Dexaran
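The post's last two bullets describe two defences: a "rescue" function for ERC-20 tokens that land in a contract by mistake, and the ERC-223 receiver hook that lets a contract refuse tokens it was never meant to hold. The contract below is an added illustration of both, written for this page; it is not the poster's code, not the CRO or USDT contract, and not part of any deployed project. The hook name and `bytes4` return follow EIP-223 as published; the contract name `RescuableVault`, the `acceptedToken` allow-list and the `rescueERC20` function are my own choices.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example for this page (not the post author's code).
// Minimal ERC-20 surface; only the transfer selector is needed for a rescue.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// ERC-223 receiver hook: a compliant token calls this on a contract
// recipient during transfer(), so the recipient can reject the tokens.
interface IERC223Recipient {
    function tokenReceived(address from, uint256 value, bytes calldata data)
        external returns (bytes4);
}

contract RescuableVault is IERC223Recipient {
    address public immutable owner;
    // Tokens this contract is designed to hold (assumption: set at deploy).
    // Anything else arriving here is a user mistake.
    mapping(address => bool) public acceptedToken;

    event Rescued(address indexed token, address indexed to, uint256 amount);

    constructor(address[] memory accepted) {
        owner = msg.sender;
        for (uint256 i = 0; i < accepted.length; i++) {
            acceptedToken[accepted[i]] = true;
        }
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // No receive() or fallback(): a plain ether send to this address reverts,
    // which is the behaviour the post contrasts with ERC-20.

    // ERC-223 path. msg.sender is the token contract. Reverting here makes
    // the token's transfer() revert too, so the sender keeps their tokens.
    function tokenReceived(address, uint256, bytes calldata)
        external view override returns (bytes4)
    {
        require(acceptedToken[msg.sender], "token not accepted here");
        return this.tokenReceived.selector;
    }

    // ERC-20 path. The token contract never asks the recipient, so a mistaken
    // transfer() succeeds silently and only this explicit rescue can undo it.
    // Rescue is limited to tokens outside the allow-list so the owner cannot
    // use it as a back door to drain funds the vault is meant to hold.
    function rescueERC20(address token, address to, uint256 amount) external onlyOwner {
        require(!acceptedToken[token], "use the normal withdrawal path");
        _safeTransfer(token, to, amount);
        emit Rescued(token, to, amount);
    }

    // Low-level transfer that tolerates tokens whose transfer() returns no
    // value at all (USDT is the well-known case). A plain IERC20(token)
    // .transfer() call would revert on ABI decoding for such tokens, and
    // the rescue function itself would be useless for exactly the token
    // in the post.
    function _safeTransfer(address token, address to, uint256 amount) internal {
        (bool ok, bytes memory ret) =
            token.call(abi.encodeWithSelector(IERC20.transfer.selector, to, amount));
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "transfer failed");
    }
}
```

Two points worth noting when adapting this. First, nothing a recipient contract does can block an ERC-20 `transfer()` into it, because the ERC-20 token never calls the recipient; the `tokenReceived` hook only helps for tokens that implement ERC-223. Second, the USDT-style missing return value is why the rescue path uses a raw `call` rather than the typed interface; test the rescue function against the non-standard tokens you expect to see, not only against a textbook ERC-20.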