Unveiling Financially Risky Behaviors in Ethereum ERC20 Token Contracts
Abstract
Decentralized Finance (DeFi) applications have attracted a recent surge in popularity. Token contracts underpin DeFi applications by managing liquidity. To regulate the interactions between token contracts and DeFi applications, token standards have been proposed to ensure predictable execution semantics and outcomes, thereby enabling reliable interoperability. However, there is no mechanism to prevent developers from customizing token contracts in ways that violate these standards. Even without malicious intent, such customizations pose severe risks to DeFi applications. Therefore, a comprehensive understanding of financially risky behaviors in token contracts is essential to better safeguard DeFi applications. To this end, we conduct the first systematic study that uncovers these behaviors and their concrete threats to DeFi applications. Specifically, we begin by constructing a taxonomy of nine financially risky behaviors in ERC20 token contracts. We then identify, through a rigorous open-coding process on real-world incidents involving DeFi applications, the financial risks these behaviors pose to DeFi applications, which can result in significant financial losses. To enable a large-scale study, we develop FRBScan, a novel tool that automatically identifies financially risky behaviors in ERC20 token contracts by combining Datalog analysis with token behavior inference heuristics. Our evaluation on a manually labeled dataset shows that FRBScan achieves 98.7% accuracy in identifying financially risky behaviors, with an average analysis time of just 4.73 seconds per contract. In contrast, the baseline tool Pied-Piper achieves only 72.5% accuracy while taking approximately 27.2 times longer, highlighting FRBScan's superior efficiency and effectiveness.
Leveraging FRBScan, we conduct a large-scale study of ERC20 token contracts in Ethereum, and find that each type of financially risky behavior is present in practice, with 65.8% of token contracts exhibiting at least one such behavior. These findings underscore the widespread prevalence of financially risky behaviors in practice, and highlight the substantial threats they pose to DeFi applications.