Token-0x

First Flight #54
Beginner Friendly, DeFi
Submission Details
Impact: medium
Likelihood: medium

ERC20 Contract Should Be Abstract


Description

  • Normal behavior: ERC-20 contracts intended for deployment must include mechanisms to mint tokens so that the token supply is functional.

  • Issue: This ERC20 contract exposes the standard ERC-20 functions but never calls _mint or _burn, so total supply stays at zero. It is therefore not deployable as a usable token. Declaring it abstract would prevent accidental deployment and clarify developer intent.

    contract ERC20 is IERC20Errors, ERC20Internals { // @> Should be abstract
        constructor(string memory name_, string memory symbol_) {
            _name = name_;
            _symbol = symbol_;
        }

        function totalSupply() public view virtual returns (uint256) {
            return totalSupply_();
        }

        function balanceOf(address owner) public view virtual returns (uint256) {
            return _balanceOf(owner);
        }

        function transfer(address to, uint256 value) public virtual returns (bool success) {
            success = _transfer(msg.sender, to, value);
        }

        function transferFrom(address from, address to, uint256 value) public virtual returns (bool success) {
            address spender = msg.sender;
            _spendAllowance(from, spender, value);
            success = _transfer(from, to, value);
        }

        function approve(address spender, uint256 value) public virtual returns (bool success) {
            address owner = msg.sender;
            success = _approve(owner, spender, value);
        }

        function allowance(address owner, address spender) public view virtual returns (uint256) {
            return _allowance(owner, spender);
        }
    }

Risk

Likelihood: Medium

  • Reason 1: Developers may deploy this contract thinking it is a fully functional ERC-20 token.

  • Reason 2: Automated deployment scripts may deploy it without realizing it cannot mint tokens.

Impact: Medium

  • Impact 1: Deploying this contract produces a zero-supply token with no ability to mint, which is effectively useless.

  • Impact 2: Deployment could lead to confusion, wasted gas, and potential integration issues with dApps or wallets.

Proof of Concept

There is no way to mint tokens because _mint is never called.

ERC20 token = new ERC20("MyToken", "MTK");
uint256 supply = token.totalSupply(); // supply is 0

Recommended Mitigation

Marking the contract as abstract prevents direct deployment and clarifies that a derived contract must implement token minting logic.

- contract ERC20 is IERC20Errors, ERC20Internals {
+ abstract contract ERC20 is IERC20Errors, ERC20Internals {
constructor(string memory name_, string memory symbol_) {
_name = name_;
_symbol = symbol_;
}
}
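
Review bot: the + line adds abstract to the contract declaration, but the hunk carries no comment telling inheritors what they must supply. Put a NatSpec line above the declaration stating that a derived contract has to expose minting through _mint, since the keyword alone does not say why the base is incomplete. Any existing new ERC20(...) call, like the one in the proof of concept above, stops compiling once this lands, so the same change should include a concrete derived token for tests and deployment scripts.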
