Joined August 2016
Dexaran retweeted
Jun 15
B20 inherits security problems of ERC-20 and will lead to a loss of millions of dollars of your customers' funds dexaran.github.io/erc20-loss… ERC-20's lack of transaction handling is a security flaw that damages Ethereum ecosystem for years. B20 inherits the same security flaws.
Dexaran retweeted
May 28
1/ Ethereum needs better token standards🚨 ERC-20 standard is poorly designed and outdated but it’s still the MOST adopted one. What are its problems and why is it designed the way it is? 👇
Dexaran retweeted
Come join in and talk with @Dexaran The man, the myth, the legend!! x.com/i/spaces/1wxWjaeXWMQJQ
Dexaran retweeted
ERC-20 is the worst thing that ever happened to Ethereum. I hate it. I have had to build around it for years. Thus, I wrote a hit piece on ERC-20. Here's the TLDR on why the standard is terrible:
1.) You cannot attach information to a transfer. This makes programmatically building logic on erc20 payments impossible. That's really dumb.
2.) approve(). Self-explanatory.
3.) ERC-20 and Ether are both "coins", but they are different. This is very very very confusing for normies and makes for horrible UX.
Read my full hit piece on the worst standard in Ethereum history here: hugo0.com/blog/how-erc20-hel…
Dexaran retweeted
5 Aug 2025
The TLDR with EOS is that Yves appointed a Chinese anti decentralisation chancer to run Labs, and entered into 50/50 MSIGs over vast sums of network funds. The two are now at loggerheads, and that puts the chain in a pretty dire situation. Just shit leadership all round.
Dexaran retweeted
📕ERC-223 🔹It is a token standard on Ethereum. 🔹It improves security compared to ERC-20. 🔹It prevents losing tokens sent to the wrong contracts. 🔹It validates the destination before transferring the tokens.
Dexaran retweeted
12 Dec 2025
unpopular opinion of the day but @Dexaran is right @ethereum needs more intellectual honesty and less political alignment about its flaws few
12 Dec 2025
Replying to @jillgun
ERC-20 is insecure by design. It violates two of the most basic security principles:
- Error handling is a must (there is no transaction handling which makes error handling impossible)
- Secure defaults
> In ERC-20 the `transfer(..)` function is unhandleable
>> devs need a way to deposit tokens to contracts
>>> they implement another `approve(..) transferFrom(..)` pattern to do so
>>>> they leave `transfer(..)` unhandleable which makes the defaults of ERC-20 unsafe
>>>>> approve transferFrom incentivizes DAPP devs to ask for an unlimited approval since it makes UX and gas fees for their users better
>>>>>> users lose money but everyone blames them for making mistakes.... completely ignoring the fact that the root of the problem is the design of the standard and there are dozens of security researchers who are supposed to be competent enough to identify this
Whom to blame? - Every security researcher/auditor who didn't write that ERC-20 is an insecure standard. What are they even doing if they don't expose violations of the most basic security principles while pretending to be security experts?
Hey @SEAL_911 how many articles have you written about the fact that ERC-20 violates well-known software security principles? What have you done in 8 years to PREVENT it?
If you design a piece of software and it violates 2 out of 8 most basic security principles guess what? - People lose money.
I've outlined it many times and even designed an alternative ERC-223 standard in 2017 to solve these problems and eliminate the need for approvals completely: medium.com/dex223/erc-20-app… dexaran820.medium.com/securi…
I've highlighted that ERC-20 design will inevitably result in a loss of funds back during its finalization process github.com/ethereum/EIPs/pul… There were less than $20K at that moment. This problem report was ignored for 8 years and now there are more than $100,000,000 lost because of the lack of error handling and billions lost because of approval-related problems: dexaran.github.io/erc20-loss…
Regarding approvals in ERC-20 standard (explanation: github.com/ethereum/ethereum…):
- The standard was proposed in 2015, there was 1024-call-stack-depth bug in EVM.
- Approve & transferFrom pattern was introduced to make tokens unaffected by this bug. It was not a smart design, it was a weird quirk to bypass bugs of EVM.
- 1024-call-stack depth bug was fixed in 2016 and rendered approvals unnecessary.
- In 2017 I proposed ERC-223 token standard which eliminates approvals completely.
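An added example, not part of the post above and not code from the ERC-20 or ERC-223 specifications: a simplified Python model (not EVM code) of the behaviour the post describes, where an ERC-20 style transfer to a contract is never handled, an ERC-223 style transfer is rejected when the recipient cannot handle it, and an unlimited approval lets the spender move the whole balance. All class, method and account names are hypothetical.

```python
class Revert(Exception):
    """Models an EVM revert: the call fails and no state changes persist."""

class Vault:  # hypothetical contract written to accept token deposits
    def __init__(self):
        self.deposits = {}
    def token_received(self, sender, amount, data):
        self.deposits[sender] = self.deposits.get(sender, 0) + amount

class Token:
    def __init__(self, balances, contracts):
        self.bal = dict(balances)
        self.contracts = contracts  # address -> contract object (constructed)
        self.allowance = {}         # (owner, spender) -> remaining amount
    def _move(self, src, dst, amount):
        if self.bal.get(src, 0) < amount:
            raise Revert("insufficient balance")
        self.bal[src] -= amount
        self.bal[dst] = self.bal.get(dst, 0) + amount
    def transfer_erc20(self, sender, to, amount):
        self._move(sender, to, amount)  # recipient code never runs
    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount
    def transfer_from(self, spender, owner, to, amount):
        if self.allowance.get((owner, spender), 0) < amount:
            raise Revert("allowance exceeded")
        self.allowance[(owner, spender)] -= amount
        self._move(owner, to, amount)
    def transfer_erc223(self, sender, to, amount, data=b""):
        target = self.contracts.get(to)
        # Modelled as a pre-check: a contract with no handler rejects the deposit.
        if target is not None and not hasattr(target, "token_received"):
            raise Revert("recipient cannot handle tokens")
        self._move(sender, to, amount)
        if target is not None:
            target.token_received(sender, amount, data)

def demo():
    t = Token({"alice": 100}, {"vault": Vault(), "plain": object()})
    t.transfer_erc20("alice", "plain", 10)       # succeeds; tokens are stuck
    reverted = False
    try:
        t.transfer_erc223("alice", "plain", 10)  # rejected; nothing moves
    except Revert:
        reverted = True
    t.transfer_erc223("alice", "vault", 5)       # vault records the deposit
    t.approve("alice", "dapp", 2**256 - 1)       # "unlimited" approval
    t.transfer_from("dapp", "alice", "dapp", t.bal["alice"])  # takes everything
    return t.bal, reverted, t.contracts["vault"].deposits
```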
Dexaran retweeted
12 Dec 2025
Replying to @uttam_singhk
ERC-20 is insecure by design. It violates two of the most basic security principles:
- Error handling is a must (there is no transaction handling which makes error handling impossible)
- Secure defaults
Whom to blame? - Every security researcher/auditor who didn't write that ERC-20 is an insecure standard. What are they even doing if they don't expose violations of the most basic security principles while pretending to be security experts?
If you design a piece of software and it violates 2 out of 8 most basic security principles guess what? - People lose money.
I've outlined it many times and even designed an alternative ERC-223 standard in 2017 to solve these problems and eliminate the need for approvals completely: medium.com/dex223/erc-20-app… dexaran820.medium.com/securi…
I've highlighted that ERC-20 design will inevitably result in a loss of funds back during its finalization process github.com/ethereum/EIPs/pul… There were less than $20K at that moment. This problem report was ignored for 8 years and now there are more than $100,000,000 lost because of the lack of error handling and billions lost because of approval-related problems: dexaran.github.io/erc20-loss…
Regarding approvals in ERC-20 standard (github.com/ethereum/ethereum…):
- The standard was proposed in 2015, there was 1024-call-stack-depth bug in EVM.
- Approve & transferFrom pattern was introduced to make tokens unaffected by this bug. It was not a smart design, it was a weird quirk to bypass bugs of EVM.
- 1024-call-stack depth bug was fixed in 2016 and rendered approvals unnecessary.
- In 2017 I proposed ERC-223 token standard which eliminates approvals completely.
Hello @OpenZeppelin how about adding a warning about the problems of ERC-20 just as I suggested 3 years ago github.com/ethereum/ethereum…?
Hello @TheSecureum @ChainSafeth how about writing an article to expose that ERC-20 violates well-known security principles, it is known for 8 years and people keep losing money because of that?
Hello @_SamWilsn_ how about allowing security problems to be written directly to the texts of EIPs under "SECURITY CONSIDERATIONS" section to avoid obscuring the most egregious security violations like this one: github.com/ethcatherders/EIP…? I know EIP editors don't want to judge whether something is a security flaw or not but maybe we can warn people about the most obvious design flaws that result in financial losses and avoid a situation when it is known for 8 years and people keep losing money next time?
Dexaran retweeted
12 Dec 2025
Replying to @jillgun
Ok, @tayvano_ @pcaversaccio @samczsun or @SEAL_911 can explain what happened. That's nice. What's the result? Did you get your money back? - I assume you didn't.
ERC-20 is an insecure standard, it violates well-known basic security principles: dexaran820.medium.com/securi… ERC-20 is insecure by design. How many articles have @tayvano_ @pcaversaccio @samczsun or @SEAL_911 written explaining that this standard is inherently unsafe and should be avoided?
You're saying that they enable companies, and therefore the industry as a whole to safeguard itself - how successful this safeguarding is if we are using a standard which is insecure by design? How successful it is if they all know about its security flaws but instead of advocating for a better standard they are doing something else and you lose $30K in 2025 because of the security problem that I exposed in 2017 github.com/ethereum/EIPs/pul… ?
What's the level of security expertise of @SEAL_911 and all the above people if the industry as a whole suffers financial damage from security problems that were DISCOVERED, REPORTED and IGNORED for 8 years?
I spoke to @tayvano_ about the ERC-20 issues here:
- t.me/ETHSecurity/139479
- t.me/ETHSecurity/139513
She says "The problem is so complex to solve, nobody knows what to do" but is it really that hard to coordinate an ecosystem upgrade to solve a security problem which remains known for 8 years and keeps damaging Ethereum users over and over and over? Is it harder than coordinating an upgrade from POW to POS if @ethereum would step in?
I'd like to ask those security experts two questions:
- How many times did you declare that ERC-20 is insecure by design because it lacks transaction handling and its defaults are not fail-safe?
- What have you done to facilitate the upgrade to a better standard if the currently used one is inherently insecure?
They know that the problem exists for 8 years, I've personally disclosed and reported it, now it's 2025 and people lost $100,000,000 because of the lack of transaction handling and billions because of approval-related problems: dexaran.github.io/erc20-loss… But the root of the problem is very simple: if a standard violates well-known security practices - people lose money. Simple as that. You can't bandaid it, you need a secure standard instead.
28 Nov 2025
RT @ChainReachCalls: 🎙NEXT ON CHAINREACH! 🎙 @Dex_223 x @ChainReachCalls Dex223 is the first decentralized exchange that supports tokens…
Dexaran retweeted
Ethereum is captured; a consequence of bad governance That is why ETH does not scale its L1, due to L2 conflicts of interest! We will be speaking with yet another ETH whistleblower tomorrow; @Dexaran They ignored his warnings on ERC20 security in 2017 & time proved him right! x.com/i/spaces/1eaKbjlLzyQKX
Dexaran retweeted
21 Oct 2025
TIL that more than $100M worth of ERC20 tokens have been lost due to Ethereum's poor engineering and UX. People commonly send tokens to contracts that aren't written to handle holding tokens, blackholing the funds forever. It's a flaw known about since 2017 but nothing has been done to correct it. Ethereum in a nutshell.
Dexaran retweeted
21 Oct 2025
I have a lot to say about #Ethereum's problems and what @peter_szilagyi is exposing resonates with me. EF is censoring those who expose problems. They were deleting live questions on Devcon7SEA youtube.com/shorts/KJCs4jCBA… EF is silencing security problems. gist.github.com/karalabe/a2b…
20 Aug 2025
Dex223 announces a pre-launch bugbounty program. Test our UI on Sepolia or review the contracts test-app.dex223.io/en/swap If you find a bug - you will be rewarded. Details: blog.dex223.io/en/40b40033-2… Apply & report github.com/rroland10/dex223-… #ERC223 #Ethereum #ERC20 #DEX #bugbounty
Dexaran retweeted
Replying to @Cointelegraph
Surprised there's no mention of ERC-20's flawed design.. many of these losses (typos, buggy contracts, trapped ETH) are exactly why #ERC223 was proposed years ago by @Dexaran. How long will @ethereumfndn keep ignoring safer token standards while billions in ETH vanish forever?
1/ Beosin has released an insightful analysis of ERC-223 and @Dex_223 to help builders understand ERC-223 and its applications. #ERC223 🧵Here is an easy-to-understand thread of it:
21 Feb 2025
Bybit $ETH cold wallet was drained. x.com/benbybit/status/189296… This thread is my investigation of the accident. @Bybit_Official @benbybit #CryptoNews #security #hack

21 Feb 2025
Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hr ago. It appears that this specific transaction was masked, all the signers saw the masked UI which showed the correct address and the URL was from @safe . However the signing message was to change the smart contract logic of our ETH cold wallet. This resulted Hacker took control of the specific ETH cold wallet we signed and transferred all ETH in the cold wallet to this unidentified address. Please rest assured that all other cold wallets are secure. All withdraws are NORMAL. I will keep you guys posted as more develops, If any team can help us to track the stolen fund will be appreciated. etherscan.io/tx/0xb61413c495…
21 Feb 2025
So the roots of the problems are: 1. Gnosis msig is overcomplicated and requires sending signatures. Signatures are bad. 2. Signatures require a UI that generates them. What's the point of having 8 keys in msig if all keyholders use one program to generate signatures?
21 Feb 2025
How about using a msig that allows your keyholders to cast their votes independently and then telling your keyholders to use different wallets so that you wouldn't lose all our money if one wallet gets compromised? @benbybit fire that guy who recommended Gnosis msig. It's bad.