Thread by @alex_kroeger, (1/5) I was pretty excited to play around with the @ProjectSerum ERC20 [...]

(1/5) I was pretty excited to play around with the @ProjectSerum ERC20 deposit feature, but after digging into the smart contract code, I found it left a lot to be desired from a decentralization standpoint

(2/5) After using it to deposit an ERC20 token, I found the Ethereum contract behind it: https://etherscan.io/address/0xeae57ce9cc1984f202e15e038b964bb8bdf7229a

Contract Address 0xeae57ce9cc1984f202e15e038b964bb8bdf7229a | Etherscan

The Contract Address 0xeae57ce9cc1984f202e15e038b964bb8bdf7229a page allows users to view the source code, transactions, balances, and analytics for the contract address. Users can also interact and...

https://etherscan.io/address/0xeae57ce9cc1984f202e15e038b964bb8bdf7229a

(3/5) My biggest concern is that it seems that the contract owner has the ability to withdraw any amount of ERC20 token or ETH stored in the contract.

(4/5) The owner appears to be just a normal EOA: https://etherscan.io/address/0x067d382e61c06cea2815069d9d97fd3ee5df2361, so whoever controls that address can drain the contract -- ~$6M in funds at this time.

Address 0x067d382e61c06cea2815069d9d97fd3ee5df2361 | Etherscan

The Address 0x067d382e61c06cea2815069d9d97fd3ee5df2361 page allows users to view transactions, balances, token holdings and transfers of both ERC-20 and ERC-721 (NFT) tokens, and analytics.

https://etherscan.io/address/0x067d382e61c06cea2815069d9d97fd3ee5df2361

(5/5) It also seems for someone to withdraw tokens they put into the contract, they need a signature from the contract owner as well--again, a great deal of power vested in the EOA owner.

You can follow @alex_kroeger.

Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled: