ERC Compliance Absurdity #154
Comments
|
Agree that ERC non conformity findings should have to be paired with a suitable impact on how any non compliance would lead to issues. There's a clear incentive misalignment currently. The sponsors put forward large sums of money for wardens to find impactful vulnerabilities in their code, however in reality wardens stand to gain significantly more by spending hours ensuring the code meets every "MUST" in the EIP spec than they do finding high severity issues. This results in a tragedy of the commons situation where all the wardens have to spend time doing this (time that would otherwise be spent looking for high impact bugs), or risk a handful of wardens profiting from it alone. |
|
Contribute a rule in 4naly3er and these findings automatically become out of scope. You don't get rewarded for your effort, though. Bot races should also pick this up, unfortunately the current incentive structure makes this process slow because:
|
There has been a worrying trend where ERC compliance issues with absolutely ZERO impact get automatically accepted by judges as Medium just because it does not implement the "MUST" definition stated in the EIP.
To demonstrate how absurd this rule is, let me refer you to EIP-1155, according to EIP-1155,
https://eips.ethereum.org/EIPS/eip-1155
Therefore if we go by the above rule, if I find that a contract that claims to be ERC-1155 compliant and does not perform zero address checks in either
safeTransferFromandsafeBatchTransferFrom, according to the logic above, I claim it must get accepted as a valid medium because it "does not conform to the EIP spec".This is ridiculous and I propose judges should do their due diligence in assessing whether non-compliance will really result in potentially breaking any integrators and whether it warrants a medium severity instead of following the rule "not implementing the 'MUST' definition stated in the EIP" => Medium severity.
The text was updated successfully, but these errors were encountered: