GoPlus Security & SlowMist submit an EIP with expiration limits for contract approvals to address user asset theft caused by unlimited contract approvals

GoPlus Security
3 min read · Oct 5, 2022

According to Transit Swap, the cross-chain aggregator was attacked on October 2. The attackers stole around $28 million in digital assets from users who had approved Transit Swap's contracts, exploiting a vulnerability in which the parameters passed between the proxy contract and the implementation contract were not strictly verified. The theft could be repeated across many wallets because users had granted the contracts excessive approvals.

To use a contract's functions, users must first approve it, which gives the contract the right to transfer the user's assets in order to complete operations such as swaps, trades and collateralization. At present an approval carries no time limit, and many users do not revoke it promptly after they have finished using the contract. As a result, if an approved contract is compromised, every user who has not revoked the approval is exposed, and the assets in their wallets can be transferred away directly by the attacker.

GoPlus Security and SlowMist have proposed a solution that adds a customizable expiration time as a limit on the approval function of token contracts, and have submitted a new EIP that is currently under review by Ethereum Research. The new features include:

1. Control returns to the users. Users can set up approvals for their ERC-20 tokens either to be revoked automatically after a default period of time or with a self-defined expiry, so that their risk exposure is limited in time;

2. Fully compatible with the ERC-20 standard. Crypto wallets, DEXes and other applications can use the new features without any modification;

3. For tokens deployed behind a proxy contract, the implementation can be upgraded directly to become compatible with this standard.

EIP Submission address: https://github.com/ethereum/EIPs/blob/7781c2cedb6e90de56de56342d7b19861730fdbc/EIPS/eip-draft_erc20_approval_expiration.md

Core code snippet:
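The original snippet is not reproduced on this page. What follows is an added illustrative Solidity implementation of the three features listed above, written for this article; it is not the code from the EIP draft, nor GoPlus's or SlowMist's code, and the draft's actual interface may differ. The contract name, the `approveWithExpiration` function, the `DEFAULT_APPROVAL_PERIOD` constant and the `ApprovalExpiration` event are assumptions chosen here. The point it demonstrates is that the standard ERC-20 entry points (`approve`, `allowance`, `transferFrom`) keep their signatures, so existing wallets and DEXes need no change, while an allowance that has passed its expiry reads as zero and can no longer be spent.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Illustrative ERC-20 token with expiring allowances (added example, not the
/// EIP draft's reference code). approveWithExpiration, DEFAULT_APPROVAL_PERIOD
/// and ApprovalExpiration are names assumed for this example.
contract ExpiringApprovalToken {
    string public constant name = "Expiring Approval Example";
    string public constant symbol = "EXP";
    uint8 public constant decimals = 18;
    uint256 public totalSupply;

    // Assumed default lifetime applied by the plain ERC-20 approve().
    uint256 public constant DEFAULT_APPROVAL_PERIOD = 7 days;

    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) private _allowance;
    // Unix timestamp at or after which an allowance is treated as zero.
    mapping(address => mapping(address => uint256)) private _expiration;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);
    event ApprovalExpiration(address indexed owner, address indexed spender, uint256 expiration);

    constructor(uint256 initialSupply) {
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    /// Standard ERC-20 approve: unchanged signature, so wallets and DEXes keep
    /// working, but the allowance now lapses after the default period.
    function approve(address spender, uint256 amount) external returns (bool) {
        _approve(msg.sender, spender, amount, block.timestamp + DEFAULT_APPROVAL_PERIOD);
        return true;
    }

    /// Extension: the owner chooses its own expiration timestamp.
    function approveWithExpiration(address spender, uint256 amount, uint256 expiration)
        external
        returns (bool)
    {
        require(expiration > block.timestamp, "expiration in the past");
        _approve(msg.sender, spender, amount, expiration);
        return true;
    }

    /// Standard ERC-20 view; returns 0 once the approval has expired, so
    /// existing callers observe the expiry without any change on their side.
    function allowance(address owner, address spender) public view returns (uint256) {
        if (block.timestamp >= _expiration[owner][spender]) {
            return 0;
        }
        return _allowance[owner][spender];
    }

    /// Lets wallets and approval-management tools display the remaining lifetime.
    function allowanceExpiration(address owner, address spender) external view returns (uint256) {
        return _expiration[owner][spender];
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _transfer(msg.sender, to, amount);
        return true;
    }

    /// transferFrom consults allowance(), so a compromised spender contract
    /// can no longer move funds once the owner's approval has lapsed.
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        uint256 current = allowance(from, msg.sender);
        require(current >= amount, "allowance expired or insufficient");
        if (current != type(uint256).max) {
            _allowance[from][msg.sender] = current - amount;
        }
        _transfer(from, to, amount);
        return true;
    }

    function _approve(address owner, address spender, uint256 amount, uint256 expiration) internal {
        require(spender != address(0), "approve to zero address");
        _allowance[owner][spender] = amount;
        _expiration[owner][spender] = expiration;
        emit Approval(owner, spender, amount);
        emit ApprovalExpiration(owner, spender, expiration);
    }

    function _transfer(address from, address to, uint256 amount) internal {
        require(to != address(0), "transfer to zero address");
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        emit Transfer(from, to, amount);
    }
}
```

Two design points worth noting. First, the expiry is enforced inside `allowance()` rather than only in `transferFrom`, so any integrator that reads the allowance before spending sees a consistent value. Second, the check uses `block.timestamp`, which validators can shift by a few seconds; that is irrelevant for expirations measured in days, but a token that wants second-level precision should not rely on it.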

Alongside the EIP with expiration limits for contract approvals, GoPlus Security has also recently launched an approval detection and management API. By integrating the API, Web3 products of all kinds can easily offer their users a well-designed approval management feature. At approval time, users can check whether the object being approved is safe, including whether it is a malicious contract and whether the contract is invalid, and they can also review the list of all contracts they have approved to see whether any of them carry risk.

Address for approval detection and management API: https://docs.gopluslabs.io/reference/approval-security-api-v2

GoPlus Security hopes to collaborate with more partners to improve Web3 security infrastructure. Through in-depth cooperation with its main partner SlowMist and continuous technical improvement, GoPlus Security aims to give users a safer operating environment and a stronger sense of security.
