-
Notifications
You must be signed in to change notification settings - Fork 11.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
EIP-1363 support #3736
Comments
This comment was marked as off-topic.
This comment was marked as off-topic.
There is advanced work to do this in #3017. It's been delayed due to issues around interpretation of the spec. We'll get back to it as soon as priorities allow. |
I did my research on EIP-1363 and I'd like to provide my feedback. Response to the creator of the issue #3736
It is not true. ERC-223 is not superseded by EIP-1363 - those are two different standards that define different approach of implementing tokens. The main idea of ERC-223 is to create a token that will work exactly as Ether (native currency of Ethereum chain) works. There can be only one standard that behaves identical to Ether because Ether is Ether and it has only one logic. The problem of ERC-20 standard is now evident:
I am a security expert (proof of expertise) and the main goal of ERC-223 is to create the most secure and mistake-proof token as possible. At the same time it solves the problem of uniformity by making token behavior identical to Ether behavior.What goes wrong with ERC-223? Why is it not an adopted standard now?This is just an issue of adoption. ERC-223 could solve all the problems of ERC-20 in 2017, it is still completely sufficient to solve this problems today. I left the standard "as is" in 2018 and that was a mistake. I have created EIP-223, I wrote the reference implementation code and I thought "I will leave it here. Ethereum is full of smart guys, eventually they will solve the problem of token standards. My job is done!" I was building a lot of things on EOS after 2018 and changed the focus from Ethereum. EOS token standard for example inherits the logic of ERC-223 https://github.com/EOSIO/eosio.contracts/blob/master/contracts/eosio.token/src/eosio.token.cpp In particular this lines of code EOS tokens don't have any approvals at all because those are not necessary if you implement transaction handling logic. Recently I realized my job is definitely not done with Ethereum tokens - because the amount of lost funds increased significantly and there is no consensus about "what good standard looks like". A lot of new standards emerged and most of them implement some kind of transaction handling logic but they do it in so wrong way that they create even more problems without solving existing ones. This is probably because these implementations were designed without involving any security engineers. I also realized that ERC-223 is abandoned and considered "Draft which is not safe to work with" because nobody championed it. Now I understand that submitting a solution is far from enough - a strong champion in the community is absolutely necessary to push the adoption. What practices should we adhere to when designing token standards?
ERC-1363 will not be a good solution
ERC-1155 will not be a good solution
- Too much unnecessary code. Batch transfers can be a decent feature but we are talking about digital assets. Bitcoin exists. Ether exists. Tesla stock ($TSLA) exist. All those classes of assets do not require any batch transferring features to work. What ERC-1155 introduces is a very specific set of extensions that may be helpful in very specific situations but it is not a "standard for everyone to use".
NOTE: I'm not saying ERC-1155 is a bad standard. Among other standards it is the one that has some real utility behind it that other standards are missing. I'm saying that it is not suitable to become the global standard. My position regarding ERC-1155 is that we must aim for cross-standard operability by creating Token Converters - contracts that exchange 1:1 tokens of one standard for another and vice versa. ERC-777 will not be a good solution
ERC-223 authors commentI don't see any standard that solves the existing problems better than the one that I created 6 years ago. Most of the standard rely on deprecated transferring methods that should have been removed in 2016. I am planning to champion the ERC-223 and bring it to the final status and pursue its adoption because I don't see any viable alternatives emerging in the past 6 years.
ERC-223 Compatible DEXERC-20 swapHere is Here is ERC-223 swap
It takes only one transaction to swap ERC-223 tokens without approvals. And there is no need to worry about revoking approvals that were issued before. It should be noted that this is exactly the same contract that works with both ERC-20 and ERC-223 tokens at the same time and supports both methods of swap function invocation. Disclaimer
If I wanted “my standard to be recognized”, then I would have done it in 2017. I don't get paid for it, I don't earn anything from it other than headache. I am a dedicated security expert who wants the problem solved. People are losing money. And a lot of guys proposed their versions of "token standards" that do not solve any problems for the above mentioned reasons. References
The most common questions are:
|
Hey @Dexaran I'm very excited to see you here First of all, let me point out some facts:
using these statements it's easy to come to the conclusion that people will use standard at the final stage integrated into their favorite framework. while all of your arguments seem to be reasonable, the fact of the existence of erc1363 (and eip4524) means they are not enough on the other hand:
This basically means you should not worry about my custom implementation of erc998. I can easily switch back to erc223 when:
So I wish you luck, strength, and lots of community support to finish what was started back in the days |
I have pointed out what was not enough - marketing component of advertising the new standard. And I also pointed out why ERC-1363 and other existing standards are not a solution to the problem that ERC-223 solves.
My comment was mostly for OpenZeppelin staff as we discussed a critical vulnerability of ERC-20.sol implementation and they pointed me here stating that this proposal can be a solution. And I'm saying that in my opinion it is not a viable solution in its current state. |
I personally have no objections against ERC-1363 but if it is going to be supported I would recommend to re-define the logic of |
This thread is about EIP-1363 support and it's best to keep it that way. The standard is already finalized so there's no way to make changes to it, even by the original author. The EIP process is about ecosystem consensus and there seems to be demand for EIP-1363 while others are not yet finalized. We can see a significant amount of verified contracts including "ERC1363" The current issue with EIP-1363 is that the return value of |
That's great but it's as insecure as ERC-20. So there must be a clear restriction on So this standard inherits all the security problems of ERC-20 and I recommend:
Can't speak on the behalf of the "majority" but it is logical to examine the recipient and not to send via The specification of the EIP-1363 does not provide reference implementation or any description that declares token behavior in such scenarios. |
@Dexaran if you are serious about reviving erc223 please open a new thread, make an RP with implementation and I promise to test it against my codebase and give you feedback meanwhile, you can check how erc1363 is used in my system. bytes4 constant IERC1363_RECEIVER_ID = 0x88a7ca5c;
bytes4 constant IERC1363_ID = 0xb0202a11;
library ExchangeUtils {
using Address for address;
using SafeERC20 for IERC20;
function spendFrom(
address token,
uint256 amount,
address spender,
address receiver
) internal {
if (_isERC1363Supported(receiver, token)) {
IERC1363(token).transferFromAndCall(spender, receiver, amount);
} else {
SafeERC20.safeTransferFrom(IERC20(token), spender, receiver, amount);
}
}
function _isERC1363Supported(address receiver, address token) internal view returns (bool) {
return
(receiver == address(this) ||
(receiver.isContract() && _tryGetSupportedInterface(receiver, IERC1363_RECEIVER_ID))) &&
_tryGetSupportedInterface(token, IERC1363_ID);
}
function _tryGetSupportedInterface(address account, bytes4 interfaceId) internal view returns (bool) {
try IERC165(account).supportsInterface(interfaceId) returns (bool isSupported) {
return isSupported;
} catch (bytes memory) {
return false;
}
}
} @ernestognw that comment about EOA, man you just can't prevent people from shooting their foot |
@TrejGun can you show the code of |
yes this function comes from OZ framework |
this one doesn't have .isContract() implemented https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/utils/Address.sol it seems |
well you are right it was recently removed |
Initially we were using a method for identifying which address is a EOA and which one is a contract that I proposed in 2017. We were assemblying the code and if it's length was non-zero then it was considered that examined address is a contract: https://github.com/Dexaran/ERC223-token-standard/blob/development/utils/Address.sol#L24
There is a caveat that must be taken into account: if you will call |
is there any difference in
and
rather than a few saved gas units |
I don't think there is any significant difference |
It's true we can't prevent people's mistakes, but we would prefer providing the simplest secure implementation. On one hand, if The pro of this approach is that reverting when calling EOAs is a behavior that can be implemented on top: if (target.code.length == 0) revert SomeError();
token.transferAndCall(target, amount); On the other side, if if (target.code.length == 0) {
token.transfer(target, amount);
} else {
token.transferAndCall(target, amount);
} I agree with @Amxx comment's that not reverting is the most efficient alternative because it leaves the However, because this approach still requires user checking, we may want to provide a Since there are EOA-reverting implementations out there, I'd think it's safer to just revert for EOAs and let the users check if it's an EOA or not. They'll most likely do it anyway for safety when interacting with untrusted tokens and the savings of avoiding the |
@ernestognw thanks for pointing out. The EIP was developed to add functionalities to ERC20 in order to be able to perform actions after transfers or approvals. Users who simply want to transfer tokens can continue to use the |
I see your intention was to revert, which in my opinion is what the EIP attempted to state. However, I think we've agreed the EIP is finalized and that should be our source of truth. It doesn't mention the EOA case at all, thus is an undefined behavior. Given a regular user can expect both behaviors, I think the best way to implement ERC1363 in OZ Contracts will be to pick one and provide a utility along with it to deal with the selected scenario:
Personally, I'd not revert to avoid the extra check @Amxx pointed out but given that there are multiple reverting implementations out there, I'd go for reverting and include a routing function as a utility (or maybe just docs recommendations). |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
Basically, yes. Can you create an issue specific to ERC-223? |
🧐 Motivation
I was using ERC223 for some time with ERC998 but it seems to be obsolete and superseded by EIP-1363. It would be good to have the out-of-the-box implementation of a notification mechanism for receiving ERC20 tokens, the same as you have for ERC721 and ERC1155. We would like to use this standard for ERC998 tokens and for OZ VestingWallet contract.
📝 Details
The text was updated successfully, but these errors were encountered: