Disclosure of a security flaw in ERC-20 transferring workflow

Dexaran · November 10, 2023, 3:26am

If you have PUSH transacting methods - you don’t need PULL methods for anything. This is how ether works for example.
ERC-20 standard was proposed in 2015. At this time there was a bug in Ethereum Virtual Machine 1024 call stack depth. The approve & transferFrom method of the ERC-20 standard was introduced so that this bug does not affect tokens. It was not a smart design, it was a weird quirk to address an old bug that doesn’t exist anymore.
In Tangerine Whistle hardfork the call stack depth problem was solved. This happened on block 2463000 in 2016. At this time approve & transferFrom method became obsolete and the ERC-20 standard should have been considered deprecated.

Here is an old comment from Vitalik regarding the call stack depth:

So, gathering the facts:

At the moment of ERC-20 creation there were two transacting methods: transfer & approve+transferFrom
It was not possible to implement PUSH TX model in a smart-contract at all due to 1024-call-stack depth
The authors most certainly knew about PUSH TXs because ether does implement it
Without notifying a recipient of an incoming transaction it is not possible to make a contract recognize the deposit - so the transfer function couldn’t notify recipients in any way at that moment

If the transfer function couldn’t be used for contract deposits and there was an approve & transferFrom method exactly for contract deposits just because there was no easier way to address 1024-call-stack-depth - what could be the purpose of the transfer other than making EOA to EOA transfers?

I can’t find any source that would directly say transfer is for EOA to EOA, approve is for deposits to contracts. But this is the only way of how it could be used.

Also the first contract on Ethereum that was supposed to interact with tokens was the Alex van de Sande’s “Unicorn Meat Grinder”. It was on the page maintained by Ethereum Foundation and I think it doesn’t exist anymore but I found a recap of the article. The Unicorn Meat Grinder transparently says “you must not deposit funds to contract directly - instead you approve them”.

gist.github.com

https://gist.github.com/alexvandesande/eca0b87da89ab28fa50c

Announcing the Great Unicorn Meat Grinder.md


You all know the [Unicorn Token](http://ethereum.org/donate) a small gratitude token sent by the Foundation to all good samaritans. Althought it has been successful, unicorns have some issues: it's expensive (2014 finney), non divisible (you can't split a unicorn) and it can only be acquired by the pure of heart. Today, all of that will change:

### The Unicorn Meat Grinder

Now all the evil etherians will finally be able hack your own unicorns into tiny little pieces. The Unicorn Meat Grinder is a contract that will take your unicorns, send them to unicorn heaven and will send you back a bunch of meat token. Each Unicorn is worth about a 1000 pieces of meat, but depending on your luck you might get more. Each token is divisible to 3 decimal places, so each single unicorn will be exchanged for more than a million smaller units.

### What is this? You can't kill unicorns!!

No? Watch me.

This file has been truncated. show original