✅RACE #4 - ERC20 Implementation

Secureum Bootcamp Epoch∞ - February RACE #4 • Ventral DigitalVentral Digital

RACE #4

RACE #4 result

Note: All 8 questions in this quiz are based on the InSecureum contract. This is the same contract you will see for all the 8 questions in this quiz. InSecureum is adapted from a widely used ERC20 contract.

pragma solidity 0.8.10;

import "https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC20/IERC20.sol";
import "https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC20/extensions/IERC20Metadata.sol";
import "https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/utils/Context.sol";

contract InSecureum is Context, IERC20, IERC20Metadata {
    mapping(address => uint256) private _balances;
    mapping(address => mapping(address => uint256)) private _allowances;
    uint256 private _totalSupply;
    string private _name;
    string private _symbol;

    constructor(string memory name_, string memory symbol_) {
        _name = name_;
        _symbol = symbol_;
    }

    function name() public view virtual override returns (string memory) {
        return _name;
    }

    function symbol() public view virtual override returns (string memory) {
        return _symbol;
    }

    function decimals() public view virtual override returns (uint8) {
        return 8;
    }

    function totalSupply() public view virtual override returns (uint256) {
        return _totalSupply;
    }

    function balanceOf(address account) public view virtual override returns (uint256) {
        return _balances[account];
    }

    function transfer(address recipient, uint256 amount) public virtual override returns (bool) {
        _transfer(_msgSender(), recipient, amount);
        return true;
    }

    function allowance(address owner, address spender) public view virtual override returns (uint256) {
        return _allowances[owner][spender];
    }

    function approve(address spender, uint256 amount) public virtual override returns (bool) {
        _approve(_msgSender(), spender, amount);
        return true;
    }

    function transferFrom(
        address sender,
        address recipient,
        uint256 amount
    ) public virtual override returns (bool) {
        uint256 currentAllowance = _allowances[_msgSender()][sender];
        if (currentAllowance != type(uint256).max) {
            unchecked {
                _approve(sender, _msgSender(), currentAllowance - amount);
            }
        }
        _transfer(sender, recipient, amount);
        return false;
    }

    function increaseAllowance(address spender, uint256 addedValue) public virtual returns (bool) {
        _approve(_msgSender(), spender, _allowances[_msgSender()][spender] + addedValue);
        return true;
    }

    function decreaseAllowance(address spender, uint256 subtractedValue) public virtual returns (bool) {
        uint256 currentAllowance = _allowances[_msgSender()][spender];
        require(currentAllowance > subtractedValue, "ERCH20: decreased allowance below zero");
        _approve(_msgSender(), spender, currentAllowance - subtractedValue);
        return true;
    }

    function _transfer(
        address sender,
        address recipient,
        uint256 amount
    ) internal virtual {
        require(sender != address(0), "ERC20: transfer from the zero address");
        require(recipient != address(0), "ERC20: transfer to the zero address");
        uint256 senderBalance = _balances[sender];
        require(senderBalance >= amount, "ERC20: transfer amount exceeds balance");
        unchecked {
            _balances[sender] = senderBalance - amount;
        }
        _balances[recipient] += amount;
        emit Transfer(sender, recipient, amount);
    }

    function _mint(address account, uint256 amount) external virtual {
        _totalSupply += amount;
        _balances[account] = amount;
        emit Transfer(address(0), account, amount);
    }

    function _burn(address account, uint256 amount) internal virtual {
        require(account != address(0), "ERC20: burn from zero address");
        require(_balances[account] >= amount, "ERC20: burn amount exceeds balance");
        unchecked {
            _balances[account] = _balances[account] - amount;
        }
        _totalSupply -= amount;
        emit Transfer(address(0), account, amount);
    }

    function _approve(
        address owner,
        address spender,
        uint256 amount
    ) internal virtual {
        require(spender != address(0), "ERC20: approve from the zero address");
        require(owner != address(0), "ERC20: approve to the zero address");
        _allowances[owner][spender] += amount;
        emit Approval(owner, spender, amount);
    }
}

Question 1 ✅

“`InSecureum` implements”

• A. Atypical decimals value -> 8, standard is 18

• B. Non-standard decreaseAllowance and increaseAllowance -> These two functions are in OpenZeppelin's implementation for mitigating approve() frontrunning but not in ERC20 standard

• C. Non-standard transfer

• D. None of the above

Question 2 ✅

“In `InSecureum`”

• A. decimals() can have pure state mutability instead of view

• B. _burn() can have external visibility instead of internal

• C. _mint() should have internal visibility instead of external

• D. None of the above

Question 3 ✅

“`InSecureum transferFrom()`”

• A. Is susceptible to an integer underflow -> currentAllowance - amount when currentAllowance == 0 triggers integer underflow

• B. Has an incorrect allowance check -> function won't revert on integer underflow because of unchecked{}

• C. Has an optimization indicative of unlimited approvals -> if (currentAllowance != type(uint256).max) {...}

• D. None of the above

My comment:

Here is OpenZeppelin's ERC20 transferFrom() implementation:

function transferFrom(address from, address to, uint256 amount) public virtual override returns (bool) {
    address spender = _msgSender();
    _spendAllowance(from, spender, amount);
    _transfer(from, to, amount);
    return true;
}

function _spendAllowance(address owner, address spender, uint256 amount) internal virtual {
    uint256 currentAllowance = allowance(owner, spender);
    if (currentAllowance != type(uint256).max) {
        require(currentAllowance >= amount, "ERC20: insufficient allowance");
        unchecked {
            _approve(owner, spender, currentAllowance - amount);
        }
    }
}

The require(currentAllowance >= amount, "ERC20: insufficient allowance"); check prevents integer underflow.

Question 4 ✅

“In `InSecureum`”

• A. increaseAllowance is susceptible to an integer overflow -> No unchecked{} block, Solidity version is ^0.8, all good

• B. decreaseAllowance is susceptible to an integer overflow -> Same reason

• C. decreaseAllowance does not allow reducing allowance to zero -> Because it is require(currentAllowance > subtractedValue), not currentAllowance >= subtractedValue

• D. decreaseAllowance can be optimized with unchecked{} -> This is fine because of the require statement before _approve()

My comment:

Here is OpenZeppelin's ERC20 increaseAllowance() and decreaseAllowance() implementation:

function increaseAllowance(address spender, uint256 addedValue) public virtual returns (bool) {
    address owner = _msgSender();
    _approve(owner, spender, allowance(owner, spender) + addedValue);
    return true;
}

function decreaseAllowance(address spender, uint256 subtractedValue) public virtual returns (bool) {
    address owner = _msgSender();
    uint256 currentAllowance = allowance(owner, spender);
    require(currentAllowance >= subtractedValue, "ERC20: decreased allowance below zero");
    unchecked {
        _approve(owner, spender, currentAllowance - subtractedValue);
    }

    return true;
}

Question 5 ✅

“`InSecureum _transfer()`”

• A. Is missing a zero-address validation

• B. Is susceptible to an integer overflow

• C. Is susceptible to an integer underflow

• D. None of the above

My comment:

Here is OpenZeppelin's ERC20 _transfer() implementation:

function _transfer(address from, address to, uint256 amount) internal virtual {
    require(from != address(0), "ERC20: transfer from the zero address");
    require(to != address(0), "ERC20: transfer to the zero address");

    _beforeTokenTransfer(from, to, amount);

    uint256 fromBalance = _balances[from];
    require(fromBalance >= amount, "ERC20: transfer amount exceeds balance");
    unchecked {
        _balances[from] = fromBalance - amount;
        // Overflow not possible: the sum of all balances is capped by totalSupply, and the sum is preserved by
        // decrementing then incrementing.
        _balances[to] += amount;
    }

    emit Transfer(from, to, amount);

    _afterTokenTransfer(from, to, amount);
}

Question 6 ✅

“`InSecureum _mint()`”

• A. Is missing a zero-address validation -> Need require(account != address(0))

• B. Has an incorrect event emission

• C. Has an incorrect update of account balance -> Should be _balances[account] += amount;

• D. None of the above

My comment:

Here is OpenZeppelin's ERC20 _mint() implementation:

function _mint(address account, uint256 amount) internal virtual {
    require(account != address(0), "ERC20: mint to the zero address");

    _beforeTokenTransfer(address(0), account, amount);

    _totalSupply += amount;
    unchecked {
        // Overflow not possible: balance + amount is at most totalSupply + amount, which is checked above.
        _balances[account] += amount;
    }
    emit Transfer(address(0), account, amount);

    _afterTokenTransfer(address(0), account, amount);
}

Question 7 ✅

“`InSecureum _burn()`”

• A. Is missing a zero-address validation

• B. Has an incorrect event emission -> event Transfer(address indexed from, address indexed to, uint256 value);

• C. Has an incorrect update of account balance

• D. None of the above

My comment:

Here is OpenZeppelin's ERC20 _burn() implementation:

function _burn(address account, uint256 amount) internal virtual {
    require(account != address(0), "ERC20: burn from the zero address");

    _beforeTokenTransfer(account, address(0), amount);

    uint256 accountBalance = _balances[account];
    require(accountBalance >= amount, "ERC20: burn amount exceeds balance");
    unchecked {
        _balances[account] = accountBalance - amount;
        // Overflow not possible: amount <= accountBalance <= totalSupply.
        _totalSupply -= amount;
    }

    emit Transfer(account, address(0), amount);

    _afterTokenTransfer(account, address(0), amount);
}

Question 8 ✅

“`InSecureum _approve()`”

• A. Is missing a zero-address validation

• B. Has incorrect error messages -> Flipped

• C. Has an incorrect update of allowance -> Should be _allowances[owner][spender] = amount;

• D. None of the above

My comment:

Here is OpenZeppelin's ERC20 _approve() implementation:

function _approve(address owner, address spender, uint256 amount) internal virtual {
    require(owner != address(0), "ERC20: approve from the zero address");
    require(spender != address(0), "ERC20: approve to the zero address");

    _allowances[owner][spender] = amount;
    emit Approval(owner, spender, amount);
}