Online ERC20 contract verifier

Integrating ERC20 tokens in an app has usually been the source of unexpected issues, due to contracts not properly adhering to the standard. Nacho Mazzara from Decentraland wrote about this almost a year ago. And with DeFi composability on the rise in the past few months, these problems are surfacing more and more often. We heard a lot of complaints about this recently in Devcon as well.

To help with this, we took a few hours off from our daily tasks and decided to repurpose a verifier tool built by @tinchoabbate to check compliance with the ERC20 standard, and created a small app around it. The app pulls the Solidity code from Etherscan given an address, and runs the verifier tool on the code. In turn, the verifier uses Slither, a Solidity static analyzer, behind the scenes.

The result? Check it out at erc20-verifier.openzeppelin.com

Note that the script does not verify that the functions found behave as expected. It just checks for matching signatures, return types, existence of custom modifiers, event emissions, among others. It is also limited to tokens built with Solidity 0.4 or 0.5 at the moment. Feel free to browse the code and contribute on GitHub.

11 Likes
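
The signature and return-type part of the check described in the post above, as an added example that is not the verifier's own code: it inspects a contract ABI instead of running Slither on the source, so it cannot see custom modifiers or event emissions inside function bodies. The `check_abi` helper and both sample ABIs are constructed for illustration.

```python
# EIP-20 required interface: name -> (input types, output types)
ERC20_FUNCTIONS = {
    "totalSupply": ([], ["uint256"]),
    "balanceOf": (["address"], ["uint256"]),
    "transfer": (["address", "uint256"], ["bool"]),
    "transferFrom": (["address", "address", "uint256"], ["bool"]),
    "approve": (["address", "uint256"], ["bool"]),
    "allowance": (["address", "address"], ["uint256"]),
}
ERC20_EVENTS = {"Transfer": ["address", "address", "uint256"],
                "Approval": ["address", "address", "uint256"]}

def check_abi(abi):
    """Return a list of findings; an empty list means every signature matches."""
    seen = {}
    for entry in abi:
        if entry.get("type") in ("function", "event"):
            ins = tuple(i["type"] for i in entry.get("inputs", []))
            outs = [o["type"] for o in entry.get("outputs", [])]
            seen[(entry["type"], entry["name"], ins)] = outs
    findings = []
    for name, (ins, outs) in ERC20_FUNCTIONS.items():
        sig = f"{name}({','.join(ins)})"
        got = seen.get(("function", name, tuple(ins)))
        if got is None:
            findings.append(f"missing function {sig}")
        elif got != outs:  # e.g. transfer() declared without a bool return
            findings.append(f"{sig} returns {','.join(got) or 'nothing'}, expected {','.join(outs)}")
    for name, ins in ERC20_EVENTS.items():
        if ("event", name, tuple(ins)) not in seen:
            findings.append(f"missing event {name}({','.join(ins)})")
    return findings

def _fn(name, ins, outs):
    return {"type": "function", "name": name,
            "inputs": [{"type": t} for t in ins], "outputs": [{"type": t} for t in outs]}

def _ev(name, ins):
    return {"type": "event", "name": name, "inputs": [{"type": t} for t in ins]}

# Constructed sample ABIs (not taken from any deployed token)
COMPLIANT_ABI = ([_fn(n, i, o) for n, (i, o) in ERC20_FUNCTIONS.items()]
                 + [_ev(n, i) for n, i in ERC20_EVENTS.items()])
# Same ABI, but transfer() returns nothing and the Approval event is absent
BROKEN_ABI = [e for e in COMPLIANT_ABI if e["name"] not in ("transfer", "Approval")]
BROKEN_ABI.append(_fn("transfer", ["address", "uint256"], []))

if __name__ == "__main__":
    for finding in check_abi(BROKEN_ABI):
        print(finding)
```
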

Awesome work.

Tried some of the tokens on https://etherscan.io/tokens

Interesting to see the results.

Found some layout issues on mobile (especially portrait, I had to use landscape). Though don’t know how many other people will be doing this from their phones.

1 Like

Thank you @spalladino and @tinchoabbate …I just tried the online erc20 contract verifier and it doesn’t return anything for a verified contract of mine?

Link to the contract on etherscan is here

Note: my contract is in Rinkeby testnet and not on mainnet yet.

1 Like

Hi @pkr,

The Online ERC20 Contract Verifier is mainnet only. There is only a field for the ERC20 contract address.

You should be able to use the underlying ERC20 Slither script which takes the contract source code.

Otherwise you could fork the repo for the Online Verifier and hard code the test network you want to use.

Also you would need to use the source code from the logic contract (as the link provided was for the proxy contract).

MoMannn on r/Ethereum advised there is an ERC721 validator using a different mechanism.

There is also a validator for ERC-721. You can check it out here: https://erc721validator.org/
It works in a different way than the erc20 validator. You can check more about that here: https://medium.com/hackernoon/https-medium-com-momannn-live-testing-smart-contracts-with-estimategas-f45429086c3a

Though it didn’t appear to correctly report “Balance of zero address balanceOf(0) should throw.” for BlockHorses: https://erc721validator.org/?address=0x5eef0e02b6f84f5b13543ed41df975b751b33182

1 Like

Great initiative!
I have tried on 2 ERC20 contracts but both fail with a blank page as a result:

0x3845badAde8e6dFF049820680d1F14bD3903a5d0
0x5A3D077D05D1C7E146E0CcAfdfc91AEeeE79E32d

Any idea?

By the way, the last one is actually an upgradeable proxy, so maybe it affects the tool?

1 Like

Hi @wighawag,

Welcome to the community 👋

https://etherscan.io/address/0x3845badade8e6dff049820680d1f14bd3903a5d0#code
The verified source is not a single flat file, so assume that the verifier can’t handle this yet.

https://etherscan.io/address/0x5a3d077d05d1c7e146e0ccafdfc91aeeee79e32d#code
As you mentioned, this is a proxy. If you point the verifier to your logic contract then it should report.

Contributions are welcome, so feel free to add this functionality: https://github.com/spalladino/erc20-verifier

1 Like