openzeppelin-contracts
openzeppelin-contracts copied to clipboard
OpenZeppelin
ERC20 contract loses tokens sent to the contract's own address
🧐 Motivation Many people lose their ERC20 tokens by mistakenly sending their tokens back to the token contract address (presumably to redeem their tokens). However, there is no way to recover those tokens. https://np.reddit.com/r/ethereum/comments/sfz4kw/did_i_just_lose_half_a_million_dollars_by_sending/
📝 Details
ERC20 implementation should reject such transfers.
For example, we may add a require statement to the _transfer function in ERC20.sol.
function _transfer(
address sender,
address recipient,
uint256 amount
) internal virtual {
...
require(recipient != address(this), "ERC20: transfer to the token contract address");
...
}
This is a ERC20 version of locked-ether problem, where a contract has a payable function, but does not implement a way to withdraw.
Hello @duckki
The ERC20 standard doesn't prevent sending tokens to the contract itself, and there might be legitimate use-cases where users lock/stake their tokens that result in the contract transferring them to itself. I've also seen ERC20+ICO combo contracts where the tokens are minted and given to the contract itself, and can then be bought for ETH.
So I don't think we should include that by default for everyone.
On the other hand, we do encourage users to add these mechanisms, if they ever need it ... and we make that easy for them:
contract MyToken is ERC20 {
constructor() ERC20("MyToken", "MTK") {}
function _transfer(address sender, address recipient, uint256 amount) internal virtual {
require(recipient != address(this));
super._transfer(sender, recipient, amount);
}
}
Thanks, @Amxx . It makes sense. Can you point me to a documentation encouraging such a preventive measure? So, I can refer to. Otherwise, feel free to close this github issue.
