A concern about OpenZeppelin ERC20 _transfer()

I have a question about the OpenZeppelin ERC20 API _transfer(), which can transfer ERC20 tokens from any address to any other address without the token holder's permission.

If the contract owner sets a function in his contract with this API, does that mean he/she would become the dominator of the contract, and can violate the token holders' balances as he/she wishes?

If so, from the holder's perspective, how can the holder protect their rights?

    // Owner-only function: _transfer() moves `amount` out of `from` without any allowance check.
    function transferTo(address from, address payable to, uint amount) external onlyOwner {
        _transfer(from, to, amount);
    }

Yes! The contract creator can do nefarious things, and therefore you should always be aware of the contract's code, even as an end user. Of course, many of the things we'd worry about would also make the contract not technically ERC20. As a developer, social cues like registering code with Etherscan enable the level of transparency needed. Other issues of concern might be: Can the metadata be changed? Is it on a centralized system? How about the artwork or whatnot?


The contract owner can just as well do all of this without even relying on OpenZeppelin's ERC20 to begin with, so the question as reflected in its title is pretty much irrelevant.

The only question remaining here is the one at the bottom:

How can the holders protect their rights?

And the answer to this question is:

The holders need to read the contract carefully before signing any transaction on it (just like you need to do with "regular" contracts in your day-to-day living).

Now I know what the contract means. I thought the web3 blockchain was trustworthy and reliable; obviously I'm wrong about it. The smart contract could be written by a malicious one.

As a developer, how can I gain users' trust by explaining I'm not a bad guy?
As a user, how can I distinguish risks if I don't know code?
It troubles me.

  • As a developer you should have your code reviewed by third parties, and publish the reports.
  • As a user you should look for such a report, verify that the party that produced it is trustworthy, and check that the code deployed matches what was audited.
    • That is actually not that easy, but a community of users can join forces.
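To make the review advice above concrete, here is an added example (not code from the thread or from OpenZeppelin) that puts the question's owner-only `transferTo` beside a variant in which the owner can only move tokens the holder has explicitly approved. It assumes OpenZeppelin Contracts 4.6 or later (`Ownable` with a no-argument constructor and an internal `_spendAllowance`); the token names and mint amount are made up.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumption: OpenZeppelin Contracts 4.6+ installed under the usual import path.
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

/// The pattern from the question. A reviewer (or a careful holder reading
/// verified source) looks for exactly this shape: a privileged function
/// whose `from` argument is not msg.sender and that reaches _transfer(),
/// _burn() or _mint() directly, because _transfer() does no allowance check.
contract BackdooredToken is ERC20, Ownable {
    constructor() ERC20("Backdoored", "BAD") {
        _mint(msg.sender, 1_000_000 * 10 ** decimals());
    }

    // Holder consent is never checked; the owner can drain any balance.
    function transferTo(address from, address to, uint256 amount) external onlyOwner {
        _transfer(from, to, amount);
    }
}

/// Same owner-only entry point, but it can only spend what the holder has
/// approved to the owner via approve(), i.e. the standard transferFrom()
/// consent model. A holder who never approves the owner cannot be touched.
contract ConsentingToken is ERC20, Ownable {
    constructor() ERC20("Consenting", "OK") {
        _mint(msg.sender, 1_000_000 * 10 ** decimals());
    }

    function transferTo(address from, address to, uint256 amount) external onlyOwner {
        // Reverts unless `from` approved the owner (msg.sender) for at least `amount`,
        // and reduces the allowance so it cannot be reused.
        _spendAllowance(from, msg.sender, amount);
        _transfer(from, to, amount);
    }
}
```

When checking a deployed token against its audit, the thing to confirm is that no function like `BackdooredToken.transferTo` exists in the verified source, or that any such function goes through an allowance check as `ConsentingToken.transferTo` does.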