MultiversX Tracker is Live!

[PSA] We should do something for todays HALF MILLION lost tragedy to NEVER EVER happen again.

Etherum Reddit

More / Etherum Reddit 204 Views

r/Ethereum Today's Headline, The Original Post of Said Tragedy

TL,DR: We should start a campaign, here is our appeal:

  1. All wallet software orienting average user, shall ban the action of, or give the scariest warning it can give if the user initiates a tx that directly calls transfer function to a Contract address.
  2. We should promote and accelerate the deprecation of raw ERC-20, and the wider adoption of newer, more robust and fault-proof ERC-777 and ERC-1555 standards.

No matter what role you are playing in the scene - Blockchain developers, DeFi users, NFT hodlers, investors, today's tragedy is a serious alarm to us all that, Ethereum, along with many other blockchain technologies, are yet to be fully fledged for mass adoption.

This is fully understandable because the nature of new technologies is, no matter how many work we do to make the design perfect, it needs to be tested in the field first for problems to be reveal and fixed.

ERC-20 token standard is one of them, it's such a classic standard with long history and a whole ecosystem built upon it, but we all forgot that the philosophy behind its design is still immature, leading to serious loophole and design failure.

Sending ERC-20 token to any sort of Smart Contract is pointless and exceedingly dangerous. In usual business logic, if user want a certain smart contract to have certain token, what they should do, and the way the Smart Contract should absolutely implement is: user approve in ERC-20 token contract first, then you make user to call a function exposed by your Contract, in the function, your Contract calls transferFrom function on ERC-20 Token Contract, so that your contract is aware of this transfer.

An ERC-20 transfer function call, to ANY CONTRACT ADDRESS, initiated by END-USER (EOA address), is POINTLESS and will ALWAYS result in PERMANENT, UNRECOVEABLE TOKEN LOSS.

Today's tragedy is caused by collective effect of many factor: The nature of Ethereum that all addresses look the same; Lack of user education on smart contract (I see why people blaming weth.io on this, it's fully reasonable, today's victim might came up with the idea him/herself that: hey I send ETH to the contract, got WETH, now I send WETH back, ETH back, that's what the GIF on weth.io says! completely not knowing what's under the hood, the anonymous fallback function and etc.). Lack of on-chain logic checking and preventing this (it would cost everybody's gas).

But the most unforgivable factor is the NEGLIGENCE of wallet software: ZERO warning upon sending ERC-20 token to a Contract Address, on the UI I just saw "Contract interaction: Transfer", and I'm good to go! To PURGE ALL OF MY HODLING with single mouse click!

That's not how fault tolerance/fault proof should be done - to be honest, that's zero fault proof.

Green across the board, we are good to go right? POOOOF, SNAFU, a poor guy's life saving gone.

This issue has been around for years, and of course, everything on chain is accessible, etherscan.io can tell if an address is a contract, Infura can tell if it's a contract. But metamask, ledger live, xxx wallet and etc cannot tell if the address in the text input is a contract.

So, once again in the end, We should start a campaign, here is our appeal:

  1. All wallet software orienting average user, shall ban the action of, or give the scariest warning it can give if the user initiates a tx that directly calls transfer function to a Contract address.
  2. We should promote and accelerate the deprecation of raw ERC-20, and the wider adoption of newer, more robust and fault-proof ERC-777 and ERC-1555 standards.

EDIT 1: My proposal of warning text:

WARNING!!

The recipient address you typed in is a *Contract address*.

Typically, if you want to give asset to a contract, you should use the dApp of the contract, usually in the form of a website, then follow the instructions there. NOT transferring it here.

We do not know if the recipient contract can handle a direct token transfer like what you are trying to do, or not. Usually, if it is an DeFi contract, or a token contract, it does not have the ability.

If that's the case and you proceed, ALL ASSET SENT will be PERMANENTLY LOST.

there is NO WAY to RECOVER.

Are you sure you want to proceed?

  1. Cancel.
  2. I know what I am doing.
    1. It's my smart wallet. Mark it as my smart wallet address. Proceed.
    2. I'm very sure this is what I want to do. Proceed.

submitted by /u/cyanlink
[link] [comments]
Get BONUS $200 for FREE!

You can get bonuses upto $100 FREE BONUS when you:
πŸ’° Install these recommended apps:
πŸ’² SocialGood - 100% Crypto Back on Everyday Shopping
πŸ’² xPortal - The DeFi For The Next Billion
πŸ’² CryptoTab Browser - Lightweight, fast, and ready to mine!
πŸ’° Register on these recommended exchanges:
🟑 Binance🟑 Bitfinex🟑 Bitmart🟑 Bittrex🟑 Bitget
🟑 CoinEx🟑 Crypto.com🟑 Gate.io🟑 Huobi🟑 Kucoin.



Comments