Security Concerns Arise Over ERC-404 Tokens

ERC-404 tokens are gaining popularity, yet crypto developers have pointed out security risks associated with this experimental standard, which has not yet undergone an audit.

How ERC-404 Works

The standard is a hybrid implementation of ERC-20 and ERC-721: purchasing a coin also automatically generates an NFT in the wallet. It allows a holder to own part of a so-called “fractional” non-fungible token.

“The goal of ERC-404 is to allow NFTs to be traded with the more robust liquidity of fungible token pools. They achieved this by effectively making transfers below a certain amount (the total supply of NFTs) invalid. Strange choice […]” wrote the developer and Solidity auditor known as Quit.

The expert analyzed the ERC-404 code and found that it shares much with the standards it is based on. The differences lie in the transaction confirmation mechanism.

Quit explained that if the amount sent falls within the “range of minted tokens,” the assets are moved as ERC-721; if it is above that range or zero, they are moved as ERC-20.

The developer also noted the “very expensive maintenance” of a function that mimics ERC721Enumerable. It is responsible for displaying a list of all tokens owned by an account.

According to him, transferring an NFT from a standard Azuki collection costs about 45,000 Gwei, while transferring a Pandora token exceeds 100,000 Gwei.

“[In ERC-404] a transaction burns/mints an NFT according to changes in the sender/receiver balance. In the case of asset recording, we need a list of non-fungible tokens owned by the sender,” Quit said, explaining the high gas cost.

According to the official page on GitHub, ERC-404 is experimental, and the two combined standards “are not intended to be mixed.” However, developers aim to combine them “as reliably as possible, minimizing compromises.”

Security Issues

After a detailed study, Quit highlighted the threat of an exploit. According to his analysis, NFTs using ERC-404 are vulnerable to theft by holders of fungible ERC-404 tokens. This is possible if the NFT was deposited in a lending protocol improperly configured for the new standard.

“I fully expect to see this exploit at some point if ERC-404 remains popular. […] The lesson is that we should not overload existing function signatures with new, hidden, and unintuitive mechanics,” stated Quit.
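The dispatch rule Quit describes, together with the check an integrating protocol would need before treating a value as a fungible amount, shown as an added example (a simplified Python model, not the ERC-404 contract code). It assumes token IDs run from 1 to the number minted; the function names and sample values are constructed for illustration.

```python
# Added illustration: a simplified model of the ERC-404 dispatch rule as
# described in the article, not the ERC-404 contract code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    call_index: int
    value: int
    intended: str      # what the integrator meant: "ERC20" or "ERC721"
    interpreted: str   # what the token would do under the described rule

def interpret(value: int, minted: int) -> str:
    """Rule from the article: a value inside the range of minted token IDs
    moves an NFT; zero or anything above that range moves fungible units.
    Assumption: IDs run from 1 to `minted`."""
    if value < 0:
        raise ValueError("uint256 values cannot be negative")
    return "ERC721" if 1 <= value <= minted else "ERC20"

def audit_calls(calls, minted):
    """Return a Finding for every planned transferFrom-style call whose
    intended meaning differs from how the token would interpret it."""
    findings = []
    for i, (intended, value) in enumerate(calls):
        got = interpret(value, minted)
        if got != intended:
            findings.append(Finding(i, value, intended, got))
    return findings

def guard_erc20_amount(value: int, minted: int) -> int:
    """Integrator-side check: refuse a fungible amount that collides with
    the minted-ID range instead of passing it to the overloaded function."""
    if interpret(value, minted) != "ERC20":
        raise ValueError(f"amount {value} collides with minted ID range 1..{minted}")
    return value

# Constructed sample: 10,000 NFTs minted; (intended meaning, raw value) pairs.
MINTED = 10_000
PLANNED = [("ERC20", 5 * 10**18), ("ERC20", 42), ("ERC721", 42),
           ("ERC20", 0), ("ERC721", 10_001)]

if __name__ == "__main__":
    for f in audit_calls(PLANNED, MINTED):
        print(f"call {f.call_index}: value={f.value} meant {f.intended}, "
              f"token treats it as {f.interpreted}")
```
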

ERC-404 has not yet been approved by the Ethereum Foundation and the community, and the official EIP page is unavailable at the time of writing. Moreover, the code has not been audited.

The experimental standard is backed by anonymous developers under the pseudonyms ctrl and Acme. In a conversation with Cointelegraph, they stated that the project team is “working around the clock” to register the EIP:

“It’s a lengthy process, there’s a lot of politics […] It usually takes a couple of weeks.”

According to them, obtaining approval for such an initiative is “one of the most bureaucratic things you can imagine.”

Responding to questions about security and potential exploits, the developers shifted responsibility to other platforms that “integrate and misuse the ERC-404 contract.”

“It’s like publishing a picture of a car and explaining how to break into it through an open door,” they added.

Previously, ForkLog reported that significant growth in Pandora brought a trader about $1.2 million in two days.
