Comments (8)
I agree with your decision. 👍
from snekmate.
Also linking the OpenZeppelin discussion here.
from snekmate.
I ran a Twitter poll here that clearly voted "No".
from snekmate.
I would say allow zero transfers.
- Ethereum is still a resource constrained environment and transfers are among the most important paths to optimize in token contracts.
- The standard explicitly says to treat zero transfers like normal transfers. Whether or not it is the best choice, I don't know, but there are plenty of suboptimal choices we still follow for the sake of standardization and this one seems mostly negligible.
- While it is a phishing vector, there will always be phishing vectors; not to say we shouldn't protect against them when we can, but this boils down to user awareness and/or reliance on services like Etherscan to hide obvious phishing attempts by default.
from snekmate.
Helps users save a bit of gas, while spammers burn more tokens to lower supply.
I think users just have to be a bit more careful.
Fat finger mistakes like copy-pasting an address wrongly can be prevented at the client side pretty efficiently.
from snekmate.
A generic ban blocking zero transfers/transferFrom, seems bad since everyone using the contracts needs to add code to check if they are performing a zero transfer and not send it if they are. This puts extra code complexity all over the place.
However this code only blocks zero transfers with zero approvals. This seems like a fairly sane policy on the surface. I liked it at first. However, we've just pushed the same problem as before, but into a narrower area. Now you can't do an approve of an exact amount and then call something that transferFrom's that amount, without adding extra zero checks.
So, slightly regretfully, I think it's best to just let zero transfers on zero approvals through. Clean, understandable downstream code is important. On chain state. is not modified. The only real issue here is the transfer event.
(I think that not emitting the transfer event in the zero transfer/zero auth case is also not a good idea because sometimes people built monitoring systems that depend on tracking transfer events to find when other things happen._)
from snekmate.
After careful consideration, I decided to not disallow the address poisoning attack in the ERC20
implementation. However, I documented this behavior in the code base. See my PR #71. Let me know if you agree or disagree with my comments.
from snekmate.
Here is an example of a contract which would have failed if zero transfer was reverting: https://etherscan.io/address/0xa5407eae9ba41422680e2e00537571bcc53efbfd#code
Although this is not per spec, but I think what really should be done is no event if amount is zero. This doesn't break anything, and if the spec explicitly wants poisoning allowed - that's too bad for the spec.
from snekmate.
Related Issues (20)
- ♻️ Make Test Suite Compatible With Foundry `v1.0` HOT 2
- 🔁 Upgrade to Solidity Version `0.8.21` HOT 4
- 💥 Implement `deployBlueprint` Function in `VyperDeployer` Utility Function HOT 3
- 🔁 Upgrade to Vyper Version `0.3.10`
- ♻️ Remove `increase_allowance` and `decrease_allowance` from `ERC20` and `ERC4626`
- 🔁 Upgrade to Solidity Version `0.8.22`
- 💥 `ERC-4337` Functionalities
- 💥 Add `P256Verifier` to 🐍 snekmate
- 💥 Vyper-Based Multisig Wallet HOT 5
- 💥 `Governor` Contract
- 💥 `TimelockController` Contract HOT 1
- 👷♂️ Add Slither to CI Pipeline
- 💥 Integrate 🐍 snekmate Contracts With Halmos
- 🔁 Upgrade Solidity Version to `0.8.23`
- 💥 Amend `stateful` (a.k.a. `invariant`) Tests
- 🐛 `VyperDeployer` Fails in Forking Mode HOT 10
- 🔁 Upgrade Solidity Version to `0.8.24`
- 🐛 Unable to Call `distribute_token` in `BatchDistributor` via Etherscan HOT 2
- 💥 Make `owner` Explicit in Constructor
- 🔖 Meta: `0.1.0` Checklist
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from snekmate.