Skip to main content
Sigvex

ERC-20 Standard Violations

Detects deviations from the ERC-20 token standard including missing return values, incorrect event signatures, and non-standard behavior.

ERC-20 Standard Violations

Overview

Remediation Guide: How to Fix ERC-20 Violations

The ERC-20 violations detector identifies token contracts that deviate from the ERC-20 standard specification. Common violations include: transfer/approve not returning a boolean, missing Transfer/Approval events, non-standard decimals return type, and transferFrom not reducing allowance.

Why This Is an Issue

Non-standard ERC-20 tokens break composability. DeFi protocols, DEXes, and wallets that expect standard behavior will malfunction:

  • Missing boolean return from transfer causes SafeERC20 calls to revert (USDT is a notorious example)
  • Missing events prevent off-chain indexers from tracking transfers
  • Non-standard allowance behavior breaks approval-based workflows

How to Resolve

Ensure full compliance with the ERC-20 specification, or use OpenZeppelin’s ERC20 implementation as a base.

Examples

Sample Sigvex Output

{
  "detector_id": "ERC20 Standard Violations",
  "severity": "medium",
  "confidence": 0.90,
  "description": "transfer() function does not return a boolean value as required by ERC-20. Callers using SafeERC20 will revert when interacting with this token.",
  "location": { "function": "transfer(address,uint256)", "offset": 0 }
}

Detection Methodology

  1. Selector matching: Identifies ERC-20 function selectors (transfer, transferFrom, approve, balanceOf, allowance, totalSupply).
  2. Return value analysis: Checks whether transfer/approve/transferFrom return a boolean.
  3. Event emission: Verifies Transfer and Approval events are emitted with correct topics.
  4. Allowance behavior: Checks transferFrom reduces allowance (or uses type(uint256).max as infinite approval).

Limitations

  • Well-known non-standard tokens (USDT, BNB) are intentionally non-compliant; the detector flags them for informational purposes.
  • Upgradeable tokens where the proxy returns differently from the implementation are analyzed at the proxy level.

References