ERC-404 tokens continue to gain popularity, but crypto developers have pointed out the security risks of the yet-to-be-audited experimental standard.
How ERC-404 works
The standard is a hybrid of ERC-20 and ERC-721: when you buy a coin, an NFT automatically appears in your wallet. At the same time, it lets you hold a fractional share of a so-called "fractional" non-fungible token.
3/ The goal of ERC404 seems to be allowing NFTs to be traded with the more robust liquidity of fungible token pools.
They've accomplished this by effectively rendering transfers below a certain amount (the total supply of NFTs) invalid. Odd choice, but we'll see why in a second.
— quit (👀,🦄) (@0xQuit) February 6, 2024
“The goal of ERC-404 is to allow NFTs to be traded with more reliable liquidity in pools of fungible tokens. They achieved this by essentially making transfers below a certain amount (the total number of NFTs) invalid. Strange choice […]”, wrote a Solidity developer and auditor under the username Quit.
The expert analyzed the ERC-404 code and noticed that much of it mirrors the two standards it is based on; the changes appear in the transfer-confirmation mechanism.
Quit explained that if the value being sent falls within the “minted token range”, the assets are moved as an ERC-721 transfer; a value above that range, or zero, is handled as an ERC-20 transfer.
The developer also noted that the function, which emulates ERC721Enumerable, is “very expensive to maintain.” It is responsible for displaying a list of all tokens owned by the account.
According to him, transferring an NFT from the standard Azuki collection costs about 45,000 Gwei, and transferring a Pandora token costs over 100,000 Gwei.
“[In ERC-404] the transaction burns/mints the NFT according to the sender/recipient balance changes. In the case of recording an asset, we need a list of non-fungible tokens owned by the sender,” Quit said, explaining the high gas cost.
According to the official page on GitHub, ERC-404 is experimental and the two standards being combined are “not intended to be mixed.” However, the developers strive to combine them “in as reliable a way as possible while minimizing compromises.”
After a detailed study, Quit noticed the threat of an exploit. According to his analysis, NFTs using ERC-404 are vulnerable to theft by ERC-404 fungible token holders.
9/ You might be able to guess what happens.
This is a valid withdrawal amount, because the depositor has a balance much higher than the request.
However, Pandora interprets it as an ERC721 transfer, and thus our token depositor is able to steal the NFT from our NFT depositor. pic.twitter.com/sQwn9828Jp
— quit (👀,🦄) (@0xQuit) February 8, 2024
This is feasible when the NFT has been deposited into a lending protocol that is not configured correctly for the new standard: the protocol checks the withdrawal against the depositor's fungible balance, but the token contract reads the same value as an NFT id.
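The ambiguity above, as an added illustration (not ERC-404's or Pandora's own code, and not any real lending protocol): a minimal model of the overloaded transfer(to, amountOrId) dispatch, a hypothetical vault that only tracks fungible deposits, and the guard such a vault needs so that a withdrawal amount cannot be read as an NFT id. The model omits the NFT mint/burn that real ERC-20-path transfers trigger.

```python
# Added example; simplified model of ERC-404's dispatch, not the standard's code.
# A value inside the minted id range is treated as an ERC-721 token id.
from dataclasses import dataclass, field


@dataclass
class Erc404Model:
    minted: int                                   # NFT ids 1..minted exist
    erc20: dict = field(default_factory=dict)     # address -> fungible balance
    owner_of: dict = field(default_factory=dict)  # NFT id -> owner address

    def is_nft_id(self, amount_or_id: int) -> bool:
        # ERC-404 treats a value inside the minted id range as a token id
        return 0 < amount_or_id <= self.minted

    def transfer(self, sender: str, to: str, amount_or_id: int) -> str:
        """Same signature, two meanings; this is the overload the article describes."""
        if self.is_nft_id(amount_or_id):
            if self.owner_of.get(amount_or_id) != sender:
                raise PermissionError("sender does not own this NFT id")
            self.owner_of[amount_or_id] = to
            return "erc721"
        if self.erc20.get(sender, 0) < amount_or_id:
            raise ValueError("insufficient fungible balance")
        self.erc20[sender] -= amount_or_id
        self.erc20[to] = self.erc20.get(to, 0) + amount_or_id
        return "erc20"


class LendingVault:
    """Hypothetical vault that only tracks fungible deposits per user."""

    def __init__(self, token: Erc404Model, address: str = "vault"):
        self.token, self.address, self.deposits = token, address, {}

    def naive_withdraw(self, user: str, amount: int) -> str:
        # Checks only the user's fungible balance, then calls transfer():
        # if `amount` equals a live NFT id the vault holds, the NFT leaves instead.
        if self.deposits.get(user, 0) < amount:
            raise ValueError("withdrawal exceeds deposit")
        self.deposits[user] -= amount
        return self.token.transfer(self.address, user, amount)

    def guarded_withdraw(self, user: str, amount: int) -> str:
        # Mitigation: refuse any amount the token contract would read as an id.
        if self.token.is_nft_id(amount):
            raise ValueError("amount falls in ERC-404 NFT id range; refused")
        return self.naive_withdraw(user, amount)
```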
“This is an exploit I fully expect to see at some point if ERC-404 remains popular. […] The lesson is that we should not overload existing function signatures with new, hidden and unintuitive mechanics,” Quit said.
ERC-404 has not yet been approved by the Ethereum Foundation and the community, and an official EIP page was not available at the time of writing. The code has also not undergone an audit.
Behind the experimental standard are anonymous developers under the pseudonyms ctrl and Acme. In a conversation with Cointelegraph, they stated that the project team is “working around the clock” to register the EIP:
“It’s a long process, there’s a lot of politics involved. […] It usually takes a couple of weeks.”
Getting approval for this kind of initiative, they say, is “one of the most bureaucratic things imaginable.”
When asked about security and possible exploits, the developers shifted responsibility to other platforms that “integrate and misuse the ERC-404 contract.”
“It’s like posting a photo of a car and explaining how to break into it through an open door,” they added.
Cryplogger previously reported that Pandora’s significant growth brought the trader about $1.2 million in two days.