Unveiling Financially Risky Behaviors in Ethereum ERC20 Token Contracts
-
Abstract
Decentralized Finance (DeFi) applications have attracted a recent surge in popularity. Token contracts serve as the critical infrastructure of DeFi applications, managing fund liquidity and enabling the construction of diverse and complex services. To regulate the interactions between token contracts and DeFi applications, token standards have been proposed to ensure predictable and interoperable execution behaviors of token contracts. However, no mechanism prevents developers from customizing token contracts in ways that violate these standards. Even without malicious intent, such customizations pose severe risks to DeFi applications that rely on the standard's guarantees. A comprehensive understanding of financially risky behaviors in token contracts is therefore essential to better safeguard DeFi applications. To this end, we conduct the first systematic study that uncovers these behaviors and their concrete threats to DeFi applications. Specifically, we begin by constructing a taxonomy of nine financially risky behaviors in ERC20 token contracts. We then identify the real-world threats these behaviors pose to DeFi applications through a rigorous open-coding process. To enable a large-scale study, we develop FRBScan, a novel tool that automatically identifies financially risky behaviors in ERC20 token contracts by combining Datalog analysis with precise heuristics. Our evaluation on a manually labeled dataset shows that FRBScan achieves nearly 100% accuracy in identifying financially risky behaviors, with an average analysis time of just 4.73 seconds per contract, significantly outperforming the baseline tool. Leveraging FRBScan, we conduct a large-scale study of ERC20 token contracts on Ethereum and find that every type of financially risky behavior occurs in practice, with 65.8% of token contracts exhibiting at least one such behavior. These findings underscore the widespread prevalence of financially risky behaviors in practice and highlight the substantial threats they pose to DeFi applications.
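The abstract's central claim is that a token deviating from the standard's expected semantics can break a DeFi application that was written correctly against the standard. The following is an added illustration, not code from the paper and not one of its nine taxonomy entries: a pure-Python accounting model (no EVM) of a token that skims a fee on every transfer (an assumed deviation chosen for the example), a vault that credits depositors with the nominal amount passed to the transfer call, and the hardened variant that credits only the balance delta it actually observed. All account names, balances and the 2% fee are constructed for the example.

```python
"""Constructed model of a non-standard ERC20 behaviour (a fee skimmed on every
transfer) and its effect on a DeFi vault that trusts the nominal transfer amount.
Added illustration, not the paper's code; the fee behaviour and all balances are
assumed for the example. Pure-Python ledger, not EVM bytecode."""


class StandardToken:
    """Minimal ERC20-style ledger: a transfer moves exactly `amount` tokens."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def balance_of(self, account):
        return self.balances.get(account, 0)

    def transfer(self, sender, recipient, amount):
        # Standard semantics: the recipient's balance grows by exactly `amount`.
        if self.balance_of(sender) < amount:
            return False
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount
        return True


class FeeOnTransferToken(StandardToken):
    """Deviating token (assumed for illustration): 2% of every transfer goes to a
    treasury, so the recipient receives less than `amount` while the call still
    reports success."""

    FEE_BPS = 200  # 2% in basis points

    def __init__(self, balances, treasury="treasury"):
        super().__init__(balances)
        self.treasury = treasury

    def transfer(self, sender, recipient, amount):
        if self.balance_of(sender) < amount:
            return False
        fee = amount * self.FEE_BPS // 10_000
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount - fee
        self.balances[self.treasury] = self.balance_of(self.treasury) + fee
        return True


class Vault:
    """Deposit/withdraw pool. trust_nominal_amount=True is the common pattern that
    credits the caller with the amount passed to transfer(); False credits only
    the balance delta the vault actually observed on its own account."""

    def __init__(self, token, trust_nominal_amount, address="vault"):
        self.token = token
        self.trust_nominal_amount = trust_nominal_amount
        self.address = address
        self.credits = {}

    def deposit(self, user, amount):
        before = self.token.balance_of(self.address)
        if not self.token.transfer(user, self.address, amount):
            raise RuntimeError("transfer failed")
        received = self.token.balance_of(self.address) - before
        credited = amount if self.trust_nominal_amount else received
        self.credits[user] = self.credits.get(user, 0) + credited
        return credited

    def withdraw(self, user, amount):
        if self.credits.get(user, 0) < amount:
            raise RuntimeError("insufficient credit")
        if not self.token.transfer(self.address, user, amount):
            # The vault's books say the funds exist; the token ledger disagrees.
            raise RuntimeError("vault is insolvent")
        self.credits[user] -= amount
        return True


def run_scenario(token_factory, trust_nominal_amount):
    """Two users deposit 1000 each, then both withdraw their full credit.
    Returns (total_credited, tokens_actually_held, second_withdrawal_succeeded)."""
    token = token_factory({"alice": 1000, "bob": 1000, "vault": 0, "treasury": 0})
    vault = Vault(token, trust_nominal_amount)
    vault.deposit("alice", 1000)
    vault.deposit("bob", 1000)
    total_credited = sum(vault.credits.values())
    held = token.balance_of("vault")
    vault.withdraw("alice", vault.credits["alice"])
    try:
        vault.withdraw("bob", vault.credits["bob"])
        bob_ok = True
    except RuntimeError:
        bob_ok = False
    return total_credited, held, bob_ok


if __name__ == "__main__":
    print("standard token, nominal-amount vault:", run_scenario(StandardToken, True))
    print("fee token, nominal-amount vault:     ", run_scenario(FeeOnTransferToken, True))
    print("fee token, balance-delta vault:      ", run_scenario(FeeOnTransferToken, False))
```

With the standard token the nominal-amount vault is sound: it credits 2000, holds 2000, and both withdrawals succeed. With the fee token the same vault credits 2000 but holds only 1960, so the last depositor to withdraw is left unpaid even though no party acted maliciously; the balance-delta vault credits 1960, holds 1960, and stays solvent. The vault code is identical in both runs, which is the point the abstract makes: the risk is introduced by the token's deviation, not by a bug in the application.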