Securing smart contracts from risks remains hard. Unaddressed security vulnerabilities readily turn into existential threats to your token’s viability. So how can asset issuers prevent smart contract vulnerabilities from leading to real financial losses on token networks?
Keep users’ tokens and token networks safe from attackers by teaching developers to write smart contracts and design robust testing based on this list of ERC-20 implementation risks.
In Introducing Solidify, we shared how the Coinbase blockchain security team performs smart contract vulnerability review at scale. A meta analysis across a few hundred token Solidify security reports resulted in a list of most frequent and severe risks based on potential impact to token network security.
The top ten Smart Contract Risks (SCR) fall into three categories:
Operational Risks — Authorization features that are exploited when token network governance is insufficient or flawed
Implementation Risks — Intrinsic errors that result in unintended smart contract behavior
Design Risks — Accepted system features that are exploited to alter intended smart contract behavior
The smart contract implements functions that allow a privileged role to unilaterally and arbitrarily alter the functionality of the asset.
The smart contract implements functions that allow a privileged role to prohibit a specific address from exercising an essential functionality.
The smart contract implements functions that allow the holder of a privileged role to unilaterally and arbitrarily alter the functionality of the asset.
The smart contract implements a function that allows a privileged role to remove the token contract from the blockchain and destroy all tokens created by the contract.
The smart contract implements a function that allows a privileged role to increase a token’s circulating supply and/or the balance of an arbitrary account.
The smart contract implements functions that allow the holder of a privileged role to unilaterally and arbitrarily alter the functionality of the asset.
The smart contract contains operations that can result in unexpected contract states or account balances.
The smart contract invokes functions on different smart contracts in order to trigger functionality not defined within the contract itself.
The smart contract allows asynchronous transaction processing that can be exploited for profit or protocol correctness through mempool transaction reordering.
For Coinbase customer funds’ safety, the Coinbase blockchain security team assesses all tokens being considered for listing for proper risk mitigations according to the above vulnerabilities. If you’re looking to get a token listed on Coinbase, we encourage you to check your token’s security by reviewing and testing for the aforementioned risks.
Future posts will help you review your token’s security by examining the top Smart Contract Risks in detail and will also provide countermeasure recommendations.
If you are interested in listing your token with Coinbase, visit the Coinbase Asset Hub. If you are interested in securing the future of finance, Coinbase is hiring.
Coinbase Security Team
Security