Fairyproof’s Review of Risks Associated with the Recently Airdropped Tokens
Recently, starting with the airdrop of the SOS token, a series of token airdrops such as SOS, MASK, GAS, GDO, etc. has been sweeping the whole crypto community.
A common feature these airdrop events share is that the teams that launched them did not build on their own narratives but on the narratives of other popular projects. The SOS token was launched by OpenDAO and airdropped to the OpenSea community. The MASK token was launched by MaskDAO and airdropped to the MetaMask community. The GAS token was launched by GASDAO and airdropped to the Ethereum community. The GDO token was launched by GroupDAO and airdropped to active Twitter users.
These teams captured the attention of various communities by launching tokens and airdropping them to users who had interacted with these popular projects in the global crypto community.
A wide population in the global crypto community received these “free meals”, and all these users need to do is go to the airdrop websites, connect their crypto wallets and press a “claim” button to claim the free tokens. With this airdropped “money” on offer, quite a few users were concerned about whether or not it was safe or secure to claim, since it is commonly believed that “there is no such thing as a free meal”.
Fairyproof’s technical team reviewed these airdropped tokens’ contracts and summarized some new findings from a technical point of view:
1. These tokens are implemented as ERC-20 tokens, but they are not standard ERC-20 tokens, since they define additional functions for token claims besides the standard ERC-20 functions. Here is the screenshot of an example code section:
2. Some token contracts, such as MASK, have functions related to token exchange.
3. These tokens use off-chain proofs to verify whether or not a user is qualified to claim tokens.
SOS, MASK, and GDO use an off-chain signature such as the code in the following screenshot:
And GAS uses an off-chain Merkle proof as follows:
Based on the above findings, users who want to explore the overall security of these tokens need to check both these tokens’ ERC-20 functions and their additional features.
With regard to the standard ERC-20 functions, a notable issue is whether or not the transfer-related functions appropriately handle a transaction failure.
Pertaining to the additional functions, users need to check whether or not there might be potential issues or risks in their implementation details. For example, we found there is a “tax” users need to pay in MASK’s contracts on every token exchange involving the MASK token. Although this is not a security issue, users still need to consider whether they can afford this cost when doing token exchanges.
With respect to using an off-chain proof, a project that does so generally intends to save on gas. From a security perspective, it definitely adds complexity and makes processing these proofs more challenging. A signature replay attack could be a common risk.
So before rushing to claim these airdropped tokens, users do need to be more careful about their security and think twice before enjoying these so-called rewards.
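To make the two findings above concrete (an ERC-20 with extra claim functions, and the two off-chain proof styles with their replay risk), here is an added example written for this article. It is not the code of SOS, MASK, GAS, GDO or any other airdropped token, and the contract name `ExampleAirdropToken` and the functions `claimWithSignature` and `claimWithProof` are hypothetical. It assumes OpenZeppelin Contracts 4.x for the ERC-20 base, `ECDSA` and `MerkleProof` libraries.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example for this article, not the code of any airdropped token.
// Assumes OpenZeppelin Contracts 4.x is available at these import paths.
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";

/// @notice Hypothetical airdrop token: a standard ERC-20 plus two claim paths,
/// one per off-chain proof style discussed in the review.
contract ExampleAirdropToken is ERC20 {
    using ECDSA for bytes32;

    /// Off-chain signer whose signatures authorise signature-based claims.
    address public immutable signer;
    /// Root of the off-chain Merkle tree of (account, amount) leaves.
    bytes32 public immutable merkleRoot;

    /// One flag per account, so a valid signature or proof is redeemable only once.
    mapping(address => bool) public claimed;

    event Claimed(address indexed account, uint256 amount);

    constructor(address signer_, bytes32 merkleRoot_) ERC20("Example Airdrop", "EXA") {
        signer = signer_;
        merkleRoot = merkleRoot_;
    }

    /// Signature-based claim (the style the review attributes to SOS, MASK and GDO).
    /// The signed digest binds the recipient, the amount, this chain and this contract,
    /// and `claimed` stops the same signature from being submitted a second time.
    function claimWithSignature(uint256 amount, bytes calldata signature) external {
        require(!claimed[msg.sender], "already claimed");

        bytes32 digest = keccak256(
            abi.encode(block.chainid, address(this), msg.sender, amount)
        ).toEthSignedMessageHash();

        // ECDSA.recover reverts on a malformed signature rather than returning address(0),
        // so a bare ecrecover() comparison against an unset signer cannot slip through.
        require(digest.recover(signature) == signer, "bad signature");

        claimed[msg.sender] = true;
        _mint(msg.sender, amount);
        emit Claimed(msg.sender, amount);
    }

    /// Merkle-proof-based claim (the style the review attributes to GAS).
    /// The leaf is keccak256(account, amount); the proof is produced off-chain
    /// against `merkleRoot`, so only the root has to be stored on-chain.
    function claimWithProof(uint256 amount, bytes32[] calldata proof) external {
        require(!claimed[msg.sender], "already claimed");

        bytes32 leaf = keccak256(abi.encodePacked(msg.sender, amount));
        require(MerkleProof.verify(proof, merkleRoot, leaf), "bad proof");

        claimed[msg.sender] = true;
        _mint(msg.sender, amount);
        emit Claimed(msg.sender, amount);
    }
}
```

Three points in this sketch correspond to the checks the review asks users to make. The `claimed` mapping is what defeats the replay of an otherwise valid signature or proof; a claim function that verifies the signature but never records the claim is the pattern to look for. Including `block.chainid` and `address(this)` in the signed digest means a signature issued for a different deployment or a forked chain does not verify here. And because the token inherits the OpenZeppelin `ERC20`, `transfer` and `transferFrom` revert on failure instead of returning `false`, which is the transfer-failure handling the review says to verify in the standard ERC-20 functions.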
About the author:
Yuefei TAN, CEO of Fairyproof
About Fairyproof:
Fairyproof Tech is a blockchain security company, established in Jan 2021.
It was founded by a team with rich experience in smart contract programming and network security. The team members participated in initiating a number of draft standards in the Ethereum field, including ERC-1646, ERC-2569, ERC-2794, and EIP-3712, of which ERC-2569 was officially accepted by the Ethereum team.
The team participated in the launch and development of various Ethereum projects, including blockchain platforms, DAO organizations, on-chain data storage, decentralized exchanges, and conducted security audits of multiple projects which have been deployed on Ethereum. Based on its strong R&D capability and deep understanding of smart contract security, Fairyproof has developed comprehensive vulnerability tracking and security systems and tools.
Fairyproof Tech serves and works closely with customers by providing systematic solutions covering both “code vulnerabilities” and “logic vulnerabilities” and aims to provide customers with the best and most professional services.