Checklist for an ERC20 Contract Audit

In the world of blockchain, tokens are considered assets, and assets have to be secured. Tokens are developed as smart contracts that follow the ERC-20 standard, and it is the auditor's responsibility to test such a contract for vulnerabilities once the developers have finished building it.

So how to do it?

Hold on!

Let's equip you with ammo before we move into war!

What is ERC20?

ERC20 (Ethereum Request for Comment 20) is the standard for fungible tokens created on the Ethereum blockchain. A fungible token is one that is interchangeable with any other token of the same kind, whereas the well-known non-fungible tokens (NFTs) are not interchangeable.

Functionalities of ERC20 standard:

If the functionalities below are implemented in the contract, we can say that the contract follows the ERC20 standard.

  • transfer tokens from one account to another
  • get the current token balance of an account
  • get the total supply of the token available on the network
  • approve whether an amount of tokens from an account can be spent by a third-party account.

Here's the fun part!

Things to check while auditing the ERC20 contract:

  1. When tokens are transferred from one account to another, check that the balances of both the sender and the receiver are updated correctly.
  2. Similarly, when ETH is transferred, check that the state changes happen before the transfer: the balance should be deducted from the sender's account before the ETH is sent to the receiver (the checks-effects-interactions pattern). This stops attacks like reentrancy.
  3. Check all external calls and externally callable functions, because external functions can be called by anyone. If one of them has a bug, an attacker can use it to drain the balance held in the contract.
  4. If the contract has multiple user roles, check every role and verify that access controls are applied properly.
  5. Check whether the parent contracts (ERC20, Ownable) are standard contracts (e.g. written by OpenZeppelin) or custom-written by the developer.
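To make checklist items 1 and 2 concrete, here is an added example (constructed for this post, not code from DeTaSECURE or from any audited project) showing a token transfer that updates both balances and an ETH withdrawal written both ways: the ordering an auditor would flag, and the checks-effects-interactions ordering that fixes it. The contract and function names are made up.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example: a minimal token with an ETH withdrawal path, written to
// show what checklist items 1 and 2 look like in code. Not a production token.
contract AuditChecklistDemo {
    mapping(address => uint256) public balanceOf;   // token balances (item 1)
    mapping(address => uint256) public ethCredit;   // ETH owed to each account (item 2)
    uint256 public totalSupply;

    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(uint256 initialSupply) {
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
    }

    // Item 1: both sides of the transfer must be updated, and the sum of all
    // balances must remain equal to totalSupply after the call.
    function transfer(address to, uint256 amount) external returns (bool) {
        require(to != address(0), "transfer to zero address");
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;  // debit sender
        balanceOf[to] += amount;          // credit receiver
        emit Transfer(msg.sender, to, amount);
        return true;
    }

    receive() external payable {
        ethCredit[msg.sender] += msg.value;
    }

    // Item 2 (finding): the external call happens BEFORE the state change, so a
    // contract receiving the ETH could re-enter while its credit is still unspent.
    function withdrawUnsafe() external {
        uint256 amount = ethCredit[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        ethCredit[msg.sender] = 0;        // too late: state updated after the interaction
    }

    // Item 2 (recommended form): checks, then effects, then the external interaction.
    function withdraw() external {
        uint256 amount = ethCredit[msg.sender];
        require(amount > 0, "nothing to withdraw");       // checks
        ethCredit[msg.sender] = 0;                        // effects
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction
        require(ok, "transfer failed");
    }
}
```

When reviewing, compare the two withdraw functions line by line: the only difference is where the state update sits relative to the external call, which is exactly what item 2 asks the auditor to verify.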

Gas optimization issues:

During the auditing phase, auditors also look for gas optimization issues, since fixing them reduces costs for the client.

Gas optimization can be done for all the contracts, not only for the ERC20 contracts.

  1. Check that every declared function is actually used in the contract (flag unused functions).
  2. Check for multiple functions with the same functionality; sometimes developers write their own logic for something an existing function already does.
  3. Writing to blockchain storage is costly, so search for the “storage” keyword and analyze whether each variable really needs to be written to the blockchain. Where it does not, the recommendation could be to use the “memory” keyword instead.

After finding all the issues, it is important to verify them once again.