EIPIP Meeting 87

[poojaranjan]

Date and Time

Aug 09, 2023 at 14:00 UTC

Location

Zoom: TBA in the Discord #eip-editing channel

YouTube Live Stream/Recording: https://www.youtube.com/playlist?list=PL4cwHXAawZxpLrRIkDlBjDUUrGgF91pQw

Agenda

1. Discuss Open Issues/PRs, and other topics

• Ethereum Improvement Proposal Charter
• Special number assignment
  • Add EIP: Public Non-Fungible Tokens Emote Repository ethereum/EIPs#7409
  • Update EIP-7401: Move to Review ethereum/EIPs#7414

Changes to Final proposals

(None)

2. Discussion continued or updates from past meetings

• EIP-ERC GitHub repositories?
  Ref: Task list for ERC/EIP Split
• Update EIP-1: EIP pain relief ethereum/EIPs#7230

3. EIPs Insight - Monthly EIPs status reporting.

• Hackmd
• EIPsInsight.com

4. EIP Editing Office Hour

• Agenda [Meeting 23]
• Recording Meeting 22

5. Review action items from earlier meetings

• [Summary]

[xuxinlai2002]

Hello @poojaranjan , wanted to discuss ethereum/EIPs#7231, please consider adding this to review process.

[poojaranjan]

Hi @xuxinlai2002,
The proposed item isn't a good fit for this meeting. It will be addressed in EIP Editing Office Hour Meeting 22.

[SamWilsn]

I'd like to throw this on before the ERC/EIP split please!

[SamWilsn]

There's also the special number assignments for:

• Add EIP: Public Non-Fungible Tokens Emote Repository ethereum/EIPs#7409
• Update EIP-7401: Move to Review ethereum/EIPs#7414

[abcoathup]

There's also the special number assignments

Any manual number assignment should be limited to discouraging number sniping.
I don't think we should create a precedent of assigning special numbers.

[Dexaran]

I would like to escalate a security issue

There is a flaw in ERC-20 token standard: it does not implement "transaction handling" but it is a critical part of the token logic. Here is the description: known problems of ERC-20.

This leads to monetary losses in the Ethereum ecosystem, and at least $130,000,000 worth of tokens are lost due to this vulnerability today.

I discovered this problem in 2017 and I reported it multiple times.

• It caused people to lose $13K when I first reported it.

• Then it became $16K when I reported it and had a discussion with Ethereum Foundation members.

• Then it became $1,000,0000 in 2018.

• Then the author of ERC-20 standard stated he doesn't want to use it in his new project (probably because he knows about the problem of lost funds...).

• And today there are $130,000,000 lost - my reddit post is censored and here is a copy https://gist.github.com/Dexaran/0b2df0a6ad9a2092fe0b768813669982

Ethereum Foundation didn't make any statement about this so far. This issue fits in "critical severity security vulnerability" according to OpenZeppelin bug bounty criteria OpenZeppelin/openzeppelin-contracts#4474

I think this is a precedent of "Security Vulnerability Discovery in a 'final' EIP"

• Can we update ERC-20?
• Can someone escalate it to Ethereum Foundation once again?
• Can we assign a badge "A vulnerability is discovered in this EIP" to ERC-20 here https://eips.ethereum.org/EIPS/eip-20 ?

Other related publications

Here is a security statement on ERC-20: https://callisto.network/erc-20-standard-callisto-network-security-department-statement/

It is considered a "Vulnerability Disclosure" by r/Cybersecurity: https://www.reddit.com/r/cybersecurity/comments/15ejbjs/erc20_standard_callisto_security_department/

It is censored by r/ethereum with a reason "It is not related to Ethereum ecosystem": https://www.reddit.com/r/ethereum/comments/15ej9zk/erc20_standard_callisto_security_department/

You can find a full history of all the related discussions under "Events Timeline" at ERC-223 page here: https://dexaran.github.io/erc223/

[SamWilsn]

• Can we update ERC-20?
• Can we assign a badge "A vulnerability is discovered in this EIP" to ERC-20 here https://eips.ethereum.org/EIPS/eip-20 ?

Generally, no. We do document management, and not vulnerability disclosure. Even if we did put a warning on ERC-20 like "there are known weaknesses in this standard" it wouldn't force anyone to migrate to a new token.

• Can someone escalate it to Ethereum Foundation once again?

I mean... I'm employed by the Ethereum Foundation. What are you looking for from the EF? I can pass the message on to the relevant person.

[poojaranjan]

Summary

1. Discuss Open Issues/PRs, and other topics

Ethereum Improvement Proposal Charter

• most of the editors were in agreement with the Mission statement
• Decision: part of the hackmd could be a PR to EIP-1 and part of them could be a PR to EIP-5069
• @SamWilsn @gcolvin will have a meeting to decide what goes where and will be shared with the rest of the editors in the next meeting.

Special number assignment

• All of the editors agreed to NOT make an exception to the policy in place. EIP Authors should expect sequential numbering after 7500.

2. Discussion continued or updates from past meetings

EIP-ERC GitHub repositories

• Decision: EIP Editors on the call agreed to a structural split where at the organizational level, working will be the same as it is now.
• @lightclient will make changes to Move ERCs to separate repository ethereum/EIPs#7206 so it can be further discussed and merged.
• @shemnon will change the status of https://eips.ethereum.org/EIPS/eip-7329 to Review to give some room for further suggestions. With changes (if any), the proposal will be moved forward.

ethereum/EIPs#7230

@SamWilsn @gcolvin will have a meeting to split the PR and bring new/updated PRs to be shared with the rest of the editors in the next meeting. Any editors interested to join the meeting may reach Sam or Greg.

3. EIPs Insight - Monthly EIPs status reporting.

Hackmd

• ERC-6492: Signature Validation for Predeploy Contracts Ref: PR has LastCall ending on Aug 28, 2023. Please reach out to EIP author on FEM page if you have any change suggested for the proposal.

[Dexaran]

@SamWilsn @poojaranjan

Can we update ERC-20?
Generally, no.

So we have a process that doesn't allow changes upon vulnerability disclosures? Like... nobody ever expected that there can be a security vulnerability in any of the existing EIPs?

Even if we did put a warning on ERC-20 like "there are known weaknesses in this standard" it wouldn't force anyone to migrate to a new token.

Yes it will not force anyone to do anything but I believe it is really important to let developers and community members know about the problem. If the problem becomes more publicly known, then more people will be able to avoid losing funds.

As the amount of funds lost due to this problem is at least $130M which exceeds the recent Curve hack twitce and there is no potential limit on how much damage it can cause in the future - I believe it is necessary to publicly highlight the problem.

I think that:

• a label must be placed on ERCP-20 here https://eips.ethereum.org/EIPS/eip-20
• Ethereum Foundation must release their statement regarding this issue
• Probably some statement regarding the $130M loss must be released - can these funds be recovered? Is there a way to refund it? Who should be responsible for it - token contract developers, authors of the standard, auditors?

https://en.wikipedia.org/wiki/Security_through_obscurity#Criticism

What are you looking for from the EF? I can pass the message on to the relevant person.

1. Stop censoring my posts. I am highlighting an existing problem of the ecosystem and instead of getting a response I'm just getting silenced. This one is the best example https://www.reddit.com/r/ethereum/comments/15hdz96/today_at_least_130m_worth_of_tokens_are_lost/
2. Take a look at the existing issue. People are losing money. Right now. $130M worth already lost. Can you at least release a statement about it?
3. May be they can do something really helpful to solve the problem of their users losing $130M? For example develop a better token standard? Or coordinate an ecosystem upgrade?
4. Also what is going on with ethereum.org development? Read this comment thread Re-add ERC-223 to token standards. ethereum/ethereum-org-website#10854 I am developing a solution to this exact problem of financial losses of Ethereum users and my proposal gets removed from the documentation because the moderator had "personal unexplainable feeling that I'm doing it wrong" - is it how it is supposed to be?
5. Can we recover the lost tokens with a hardfork? I think $130M loss is enough to start the recovery process especially given that this result was quite predictable and everyone knew about it. I personally highlighted this threat in 2017 here ERC20 Token Standard ethereum/EIPs#610 (comment)

[SamWilsn]

So we have a process that doesn't allow changes upon vulnerability disclosures?

The EIP process isn't built for that, no. For example, changing ERC-20 today can't change all the existing ERC-20 implementations on-chain. Many of them are not upgradeable. ERC-20 remains as it was when it was finalized to capture the specification those contracts were written against.

New tokens can use whatever standard they want, be it ERC-223, ERC-777, or ERC-1155.

Like... nobody ever expected that there can be a security vulnerability in any of the existing EIPs?

I do agree we need a process for this, but one doesn't really exist today.

• a label must be placed on ERCP-20 here https://eips.ethereum.org/EIPS/eip-20

This part is certainly something we can discuss on the next EIPIP call, which is on August 23rd at 10:00 am ET. It would be best if you're able to make it, but I'll mention it either way.

• Ethereum Foundation must release their statement regarding this issue
• Probably some statement regarding the $130M loss must be released - can these funds be recovered? Is there a way to refund it? Who should be responsible for it - token contract developers, authors of the standard, auditors?

These are somewhat out of scope for the EIP project.

1. Stop censoring my posts. I am highlighting an existing problem of the ecosystem and instead of getting a response I'm just getting silenced. This one is the best example https://www.reddit.com/r/ethereum/comments/15hdz96/today_at_least_130m_worth_of_tokens_are_lost/

This is something you'll need to take up with the mods of /r/ethereum. I don't think the EF has a direct hand in the management of that subreddit (but I might be mistaken.)

For 2, 3, and 4: I've forwarded your concerns.

5. Can we recover the lost tokens with a hardfork? I think $130M loss is enough to start the recovery process especially given that this result was quite predictable and everyone knew about it. I personally highlighted this threat in 2017 here

This is something you could write an EIP for (see EIP-779 for a somewhat outdated example.) You'd still need to raise support for the proposal on AllCoreDevs. It is my understanding that hardforks to undo problems on the application layer are unlikely to gain traction nowadays, but YMMV.

[Dexaran]

Thank you for a reply @SamWilsn

I do agree we need a process for this, but one doesn't really exist today.

This certainly needs to be created

a label must be placed on ERCP-20 here https://eips.ethereum.org/EIPS/eip-20

This part is certainly something we can discuss on the next EIPIP call, which is on August 23rd at 10:00 am ET. It would be best if you're able to make it, but I'll mention it either way.

I will try to assign my team member to this and let them represent me on a call.

5. Can we recover the lost tokens with a hardfork? I think $130M loss is enough to start the recovery process especially given that this result was quite predictable and everyone knew about it. I personally highlighted this threat in 2017 here

This is something you could write an EIP for (see EIP-779 for a somewhat outdated example.) You'd still need to raise support for the proposal on AllCoreDevs.

Could you also escalate it to Ethereum Foundation if possible?

[SamWilsn]

Could you also escalate it to Ethereum Foundation if possible?

AllCoreDevs is the correct place to escalate fork proposals.

[poojaranjan]

Closing in favor of #257