Token-0x

First Flight #54
Beginner Friendly, DeFi
100 EXP
Submission Details
Impact: medium
Likelihood: medium

ERC20Internals Should Be Abstract

Description

  • Normal behavior: Contracts intended to be inherited and not deployed directly should be marked as abstract. This prevents accidental deployment of a contract that does not implement a full usable interface.

  • Issue: ERC20Internals contains only internal functions and state variables and is not intended for direct deployment. However, it is currently a concrete contract. Without the abstract keyword, Solidity allows deployment, which can lead to misuse or unintended behavior.

contract ERC20Internals { @> // Should be abstract to prevent direct deployment
    mapping(address account => uint256) internal _balances;
    mapping(address account => mapping(address spender => uint256)) internal _allowances;
    uint256 internal _totalSupply;
    string internal _name;
    string internal _symbol;

    function _balanceOf(address owner) internal view returns (uint256) { ... }
    function _transfer(address from, address to, uint256 value) internal returns (bool success) { ... }
    function _approve(address owner, address spender, uint256 value) internal virtual returns (bool success) { ... }
    function _spendAllowance(address owner, address spender, uint256 value) internal virtual { ... }
    function _mint(address account, uint256 value) internal { ... }
    function _burn(address account, uint256 value) internal { ... }
}

Risk

Likelihood: Medium

  • Reason 1: Developers may accidentally deploy ERC20Internals directly, thinking it is a usable ERC-20 token contract.

  • Reason 2: Automated tooling or scripts that deploy contracts generically may deploy this contract without realizing it is incomplete.

Impact: Medium

  • Impact 1: Deploying this contract directly results in a token with no public interface or usable functions, which is confusing and wastes gas.

  • Impact 2: Misuse could lead to untested or broken functionality if someone tries to use it as a base ERC-20 token without adding a proper implementation.

Proof of Concept

This contract has no public ERC-20 functions, so the deployed instance is non-functional.

// Direct deployment attempt:
ERC20Internals token = new ERC20Internals(); // Compiles and deploys successfully
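A Foundry test added here (not part of the original submission or of the Token-0x code base) that reproduces the PoC against a reduced stand-in for the base and, beside it, shows the intended use once the contract is abstract. ERC20InternalsFixed and Token0xExample are hypothetical names, and the stand-in keeps only the members the test exercises.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Stand-in for the audited base, reduced to the two members the test needs
// (assumed shape; the real contract lives in the Token-0x repo).
contract ERC20Internals {
    mapping(address account => uint256) internal _balances;
    uint256 internal _totalSupply;

    function _mint(address account, uint256 value) internal {
        _totalSupply += value;
        _balances[account] += value;
    }

    function _balanceOf(address owner) internal view returns (uint256) {
        return _balances[owner];
    }
}

// The recommended shape (hypothetical name): abstract, so a bare
// `new ERC20InternalsFixed()` is rejected at compile time as an
// attempt to instantiate an abstract contract.
abstract contract ERC20InternalsFixed {
    mapping(address account => uint256) internal _balances;
    uint256 internal _totalSupply;

    function _mint(address account, uint256 value) internal { _totalSupply += value; _balances[account] += value; }
    function _balanceOf(address owner) internal view returns (uint256) { return _balances[owner]; }
}

// A deployable token is a child that exposes the public ERC-20 surface (hypothetical name).
contract Token0xExample is ERC20InternalsFixed {
    constructor() { _mint(msg.sender, 1_000 ether); }
    function balanceOf(address owner) external view returns (uint256) { return _balanceOf(owner); }
}

contract ERC20InternalsDeployTest is Test {
    function test_concreteBaseDeploysButNothingIsCallable() public {
        ERC20Internals token = new ERC20Internals();   // compiles and deploys today (the finding)
        assertGt(address(token).code.length, 0);       // bytecode is on chain...
        (bool ok, ) = address(token).call(abi.encodeWithSignature("balanceOf(address)", address(this)));
        assertFalse(ok);                               // ...but no selector matches and there is no fallback
    }

    function test_childOfAbstractBaseIsUsable() public {
        Token0xExample token = new Token0xExample();   // msg.sender in the constructor is this test contract
        assertEq(token.balanceOf(address(this)), 1_000 ether);
    }
}
```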

Recommended Mitigation

Marking the contract as abstract prevents direct deployment and clarifies that it is intended only as a base contract.

- contract ERC20Internals {
+ abstract contract ERC20Internals {
mapping(address account => uint256) internal _balances;
mapping(address account => mapping(address spender => uint256)) internal _allowances;
uint256 internal _totalSupply;
string internal _name;
string internal _symbol;
// internal functions remain unchanged
}
