Alleged ERC-404 Flaws Spur DN-404 Development and ‘Game of Standards’

The rapid rise of ERC-404 tokens, led by Pandora, has hit a snag with potential security flaws, prompting the introduction of an alternative, DN-404.


While the recently launched, experimental, and unofficial ERC-404 token standard has been swiftly spreading across the Ethereum network, it seems that its rushed development may now be backfiring.

ERC-404 tokens, with Pandora at the forefront, have taken Ethereum by storm over the past week, reaching an astonishing market cap of over $300 million in just a few days. Traders’ initial frenzy over ERC-404 tokens was so overwhelming that it even led to a spike in gas fees.

However, since the initial wave of excitement, a developer known as 'quit' has discovered potential vulnerabilities in the new standard. While ERC-404 aims to combine the features of ERC-721 and ERC-20 tokens, issues allegedly arise in functions that are shared between the two standards.

In particular, 'quit' pointed out that the ERC-404 contract’s transferFrom function might be improperly set up in an application (such as a custodial exchange or lending protocol) using a shared vault for both token types. This poses a risk that a user could request a withdrawal of ERC-20 tokens with the same value as an ERC-721 token ID, causing the protocol to interpret the request as an NFT transfer. The developer noted:

“This is an exploit that I fully expect to see in the wild at some point if ERC-404s remain popular.”

To address these concerns, 'quit' and a cohort of several other developers have suggested a new token standard, called DN-404, although it should be noted that this is also unofficial and experimental. DN stands for “Divisible NFT” and also seeks to be a hybrid of the ERC-20/721 tokens, yet with more thorough consideration and a resolution for the ERC-404 transferFrom issue.

According to its creators, DN-404 was designed so that its ERC-721 and ERC-20 functions are separate from the start, even though the two remain linked. Each token type operates through its own functions while sharing the same underlying '404' accounting, which avoids the ambiguity of a single function serving both standards.
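The following Python model, added here and not code from the ERC-404 or DN-404 projects, illustrates both points above: the ambiguity 'quit' describes in a shared transferFrom, and the separation of entry points that DN-404 is said to rely on. The dispatch rule in HybridToken (treat the integer argument as an NFT id if the sender owns that id, otherwise as an ERC-20 amount) is an assumption made for the illustration rather than a copy of either contract; the vault, user addresses, token ids and balances are constructed sample data. It also shows the post-condition check an integrator holding both token types at one address could apply before trusting a withdrawal.

```python
# Added example (not ERC-404 or DN-404 project code). The dispatch rule in
# HybridToken is an assumption made for illustration, not a copy of either
# contract; addresses, ids and balances are constructed sample data.
from dataclasses import dataclass, field

UNIT = 10**18  # constructed: one whole token, assumed to back one NFT


@dataclass
class HybridToken:
    """ERC-404-style toy: ONE transfer_from shared by both token types."""
    balances: dict = field(default_factory=dict)  # address -> ERC-20 balance (wei)
    owner_of: dict = field(default_factory=dict)  # NFT id -> owner address

    def _move(self, sender, to, wei):
        if self.balances.get(sender, 0) < wei:
            raise ValueError("insufficient balance")
        self.balances[sender] -= wei
        self.balances[to] = self.balances.get(to, 0) + wei

    def transfer_from(self, sender, to, amount_or_id):
        """One integer, two meanings: the ambiguity 'quit' described."""
        if self.owner_of.get(amount_or_id) == sender:
            # Read as an ERC-721 transfer; the unit backing the NFT moves with it.
            self.owner_of[amount_or_id] = to
            self._move(sender, to, UNIT)
            return "nft"
        self._move(sender, to, amount_or_id)  # otherwise read as an ERC-20 amount
        return "erc20"


class SeparatedToken(HybridToken):
    """DN-404-style toy: distinct entry points, so an amount is never an id."""

    def transfer_from(self, *args):
        raise TypeError("use transfer_erc20 or transfer_nft")

    def transfer_erc20(self, sender, to, amount):
        self._move(sender, to, amount)
        return "erc20"

    def transfer_nft(self, sender, to, token_id):
        if self.owner_of.get(token_id) != sender:
            raise ValueError("not the owner")
        self.owner_of[token_id] = to
        self._move(sender, to, UNIT)
        return "nft"


def nft_ids(token, holder):
    return {i for i, o in token.owner_of.items() if o == holder}


def withdraw_erc20_checked(token, vault, user, amount):
    """Vault-side guard: an ERC-20 withdrawal must move exactly `amount` wei
    and no NFT; otherwise restore the snapshot and reject (on chain: revert)."""
    snap_bal, snap_own = dict(token.balances), dict(token.owner_of)
    snap_nfts = nft_ids(token, vault)
    kind = token.transfer_from(vault, user, amount)
    moved = snap_bal.get(vault, 0) - token.balances.get(vault, 0)
    if kind != "erc20" or moved != amount or nft_ids(token, vault) != snap_nfts:
        token.balances, token.owner_of = snap_bal, snap_own
        raise RuntimeError(f"withdrawal of {amount} rejected: transfer_from moved {kind}")
    return kind


def make_vault_state(cls=HybridToken):
    """Constructed state: one custodial address holds NFTs 1..3 plus some dust."""
    return cls(balances={"vault": 3 * UNIT + 100, "alice": 0},
               owner_of={1: "vault", 2: "vault", 3: "vault"})


def demo_naive():
    """Alice asks for 2 wei; the shared function sees token id 2 and moves the NFT."""
    token = make_vault_state()
    kind = token.transfer_from("vault", "alice", 2)
    return kind, token.owner_of[2], token.balances["alice"]


def demo_checked():
    """Same request through the guarded vault path: rejected, state untouched."""
    token = make_vault_state()
    try:
        withdraw_erc20_checked(token, "vault", "alice", 2)
        rejected = False
    except RuntimeError:
        rejected = True
    return rejected, token.owner_of[2], token.balances["alice"]


def demo_separated():
    """With separate entry points the same request is unambiguously ERC-20."""
    token = make_vault_state(SeparatedToken)
    kind = token.transfer_erc20("vault", "alice", 2)
    return kind, token.owner_of[2], token.balances["alice"]


if __name__ == "__main__":
    print(demo_naive())      # ('nft', 'alice', 1000000000000000000)
    print(demo_checked())    # (True, 'vault', 0)
    print(demo_separated())  # ('erc20', 'vault', 2)
```

The two mitigations shown are complementary: the guard in withdraw_erc20_checked is what an integrator can add around an existing hybrid token without changing it, while SeparatedToken shows why the ambiguity disappears when the token itself never lets one integer stand for both an amount and an id.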

Notably, the developers behind DN-404 have chosen not to capitalize financially on the new standard by launching their own token. Instead, they have released the contract on GitHub, allowing anybody to create DN-404 tokens. They have also issued a disclaimer warning that, although the contract is designed to rectify the shortcomings of ERC-404, it has not been formally audited and is to be used with caution, thereby absolving them of responsibility for any potential losses.

The ERC-404 team’s response to the allegations of potential security vulnerabilities has unsurprisingly been less than enthusiastic. Reports suggest tensions between the creators of ERC-404 and the developers of DN-404. The ERC-404 team contended that 'quit' had misused the standard, thereby introducing a vulnerability, and stated that they were already reviewing a more mature iteration of the standard that addresses the issue.