ERC777 Tokens

From CryptoWiki

Revision as of 10:14, 20 April 2020 by wiki_crypto>Zeb.dyor
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

 Basics

  • On of the ERC tokens.
  • The developers advertise the ERC777 standard as more customizable than ERC20, and say it allows for faster, smoother transactions. It is also apparently backward compatible with ERC20, which may encourage developers to widely adopt it.
  • it is open source and available on GitHub

"The ERC777 Ethereum improvement proposal (EIP) explains how ERC777 tokens will employ a "send" function (similar to how Ether operates), which allows for direct transactions and exchanges with EDCCs (or smart contracts). This varies from ERC20 tokens, which only allow for a "transfer" function and require two transactions to exchange one token for another (a function executed through an EDCC). The first transaction, under the ERC20 standard, is a request for approval. The second call allows a token contract to make a transaction on your behalf.

Under the ERC777 standard, things work differently. With the "send" function, ERC777-based tokens will call on a universal ownerless trusted contract, the ERC820, which is basically a registry that will tell the token whether the contract it is attempting to interact with is compatible. If it is an incompatible contract or the contract is not registered, the transaction will get thrown. In that case, the token sender can fall back on the ERC20 transfer function and request acceptance. However, a contract or address only needs to register with the ERC820 contract once – it can be registered by anyone and then that information will be available to everyone.

Besides being designed to streamline transactions, this "send" function should allow ERC20 token holders to transfer tokens to smart contracts without first sending a request for approval.  Another advantage ERC777 purportedly has over ERC20 is that the new standard will allow "hooks." Baylina explained in his DappCon talk that "hooks are functions that can be called during a transfer." In other words, a hook specifies the parameters of a transaction. Among other things, it can require notifications to be sent to senders or recipients before or after a transaction is complete."

Hacks

"ERC777 is widely known to be vulnerable to reentrancy attacks, something ConsenSys Diligence highlighted in the Uniswap audit and on which OpenZeppelin published an exploit on last summer."

$300,000 Uniswap Hack

"Today, the imBTC pool on Uniswap has been attacked & drained. The hacker utilized an attack vector on ERC777 tokens on Uniswap. The BTC in custody is not impacted. We have paused imBTC transfers for now, are evaluating the situation & will notify when transfers are restored"

"The imBTC attack took advantage of the fact that imBTC uses ERC 777 standard, which allows the hacker to continuously call the Uniswap smart contract to withdraw funds before the external balance could be updated.

On Twitter, some users are speculating that Lendf.Me experienced a similar attack to the imToken one, as transaction records show that the hacker repetitively called Lendf.Me's withdrawal function to take out imBTC that was supplied to the lending protocol by the hacker in the first place.

A ConsenSys audit of Uniswap last year also discussed this vulnerability in depth."

$25M dForce Hack

"Earlier speculation from DeFi protocol builders say the attack was caused by imBTC, an ethereum token pegged one-to-one with bitcoin, used as collateral that turned out to be fraudulent, enabling the attacker to drain funds for nearly free. Compound CEO Robert Leshner said on Twitter that dForce “copy/pasted Compound v1 without changes.” Leshner told CoinDesk on Telegram that the v1 code "was not flawed," but that the group was cautious about which assets it listed. "This is a follow-up attack to the imBTC Uniswap attack yesterday," he said, noting that imBTC is an ERC-777 token and "not a normal Ethereum asset. Smart contracts that include imBTC have to be extra cautious, and write additional code to protect against 're-entrancy attacks,'" he said."