Assessment Categories Reference
This document contains detailed assessment criteria for token analysis. Each category includes what to check, analysis methods, and verification checklists.
Overview
Assessment Categories Reference
This document contains detailed assessment criteria for token analysis. Each category includes what to check, analysis methods, and verification checklists.
1. GENERAL CONSIDERATIONS
What I'll check:
- Security review history
- Team contacts and transparency
- Security mailing list existence
I'll ask you:
- Has this token been audited?
- Is the team contactable?
- Is there a security mailing list?
Best practices:
- Interact only with reviewed tokens
- Maintain contact with token teams
- Subscribe to security announcements
2. CONTRACT COMPOSITION
What I'll analyze:
Complexity:
- Overall contract complexity
- Lines of code
- Inheritance depth
- Function count
- Use Slither's
human-summaryprinter
SafeMath Usage (pre-0.8 Solidity):
- Arithmetic operations protection
- Unchecked blocks justification
Non-token Functions:
- Functions beyond standard ERC interface
- Unnecessary complexity
- Use Slither's
contract-summaryprinter
Single Address Entry Point:
- Multiple addresses pointing to same token
- Proxy patterns that create multiple entry points
Checks:
- Contract avoids unnecessary complexity
- Contract uses SafeMath or Solidity 0.8+ (for Solidity)
- Contract has only a few non-token-related functions
- Token has only one address entry point
3. OWNER PRIVILEGES
What I'll check:
Upgradeability:
- Proxy patterns (UUPS, Transparent, Beacon)
- Implementation change mechanisms
- Use Slither's
human-summaryprinter
Minting Capabilities:
- Unlimited vs limited minting
- Minting access controls
- Total supply caps
Pausability:
- Pause mechanisms
- Who can pause
- Impact on existing holders
Blacklisting:
- Blocklist functionality
- Admin controls
- USDC/USDT-style blocklists
Team Transparency:
- Known team members
- Legal jurisdiction
- Accountability
Checks:
- Token is not upgradeable (or upgrade risks understood)
- Owner has limited minting capabilities
- Token is not pausable (or pause risks understood)
- Owner cannot blacklist addresses (or risks understood)
- Team is known and accountable
4. ERC20 CONFORMITY CHECKS
What I'll analyze:
Return Values:
transferreturns booltransferFromreturns bool- Missing returns (USDT, BNB, OMG pattern)
- False returns (Tether Gold pattern)
Function Presence:
name,decimals,symbolexistence- Optional functions handling
Decimals Type:
- Returns
uint8 - Value below 255
- Low decimals (USDC: 6, Gemini USD: 2)
- High decimals (YAM-V2: 24)
Race Condition Mitigation:
- ERC20 approve race condition
- Increase/decrease allowance pattern
- USDT/KNC approval protection
Slither Tools:
- Run
slither-check-ercfor automated checks - Run
slither-propto generate properties
Checks:
-
transferandtransferFromreturn boolean -
name,decimals,symbolpresent if used -
decimalsreturnsuint8with value < 255 - Token mitigates ERC20 race condition
- Contract passes
slither-check-erctests - Contract passes
slither-propgenerated tests
5. ERC20 EXTENSION RISKS
What I'll check:
External Calls in Transfers:
- ERC777 hooks
- Reentrancy risks
tokensReceivedcallbacks- Check for: Amp (AMP), imBTC patterns
Transfer Fees:
- Deflationary tokens
- Fee-on-transfer (STA, PAXG)
- Future fee risks (USDT, USDC can add fees)
- Balance checks after transfer
Interest/Yield Bearing:
- Rebasing tokens (Ampleforth)
- Airdropped governance tokens
- Compound-style interest
- Cached balance issues
Checks:
- Token is not ERC777 or has no external calls in transfer
-
transfer/transferFromdo not take fees - Interest earned from token is accounted for
6. TOKEN SCARCITY ANALYSIS
What I'll do:
For deployed tokens, I'll query on-chain data using web3/ethers:
Supply Distribution:
// Query holder distribution
// Check top 10 holders percentage
// Identify concentration risk
Total Supply:
// Query totalSupply
// Check if sufficient for manipulation resistance
// Identify low supply risk
Exchange Distribution:
// Query balance on major DEXs/CEXs
// Check if tokens concentrated in one exchange
// Identify single point of failure
Flash Loan Risk:
- Large fund attack potential
- Flash loan availability for this token
Flash Minting:
- Flash mint functions (DAI-style)
- Maximum mintable amount
- Overflow risks
Checks:
- Supply owned by more than a few users
- Total supply is sufficient
- Tokens located in more than a few exchanges
- Flash loan/large fund risks understood
- Token does not allow flash minting (or risks understood)
Note: I'll only perform on-chain analysis if you provide a contract address. Won't hallucinate if not applicable.
7. WEIRD ERC20 PATTERNS
I'll check for all 20+ known weird token patterns:
7.1 Reentrant Calls
- ERC777 tokens with hooks
- Transfer callbacks
- Historical exploits: imBTC Uniswap, lendf.me
Tokens: Amp (AMP), imBTC
7.2 Missing Return Values
- No bool return on transfer/transferFrom
- Some methods return, others don't
- False returns on success (Tether Gold)
Tokens: USDT, BNB, OMG, Tether Gold
7.3 Fee on Transfer
- Transfer fees (STA, PAXG)
- Future fee capability (USDT, USDC)
- Deflationary mechanics
Exploit: Balancer STA hack ($500k)
7.4 Balance Modifications Outside Transfers
- Rebasing tokens (Ampleforth)
- Governance airdrops (Compound)
- Mintable/burnable by admin
- Cached balance risks
7.5 Upgradable Tokens
- USDC, USDT upgradeability
- Logic change risks
- Freeze integration on upgrade
7.6 Flash Mintable
- DAI flash mint module
type(uint256).maxsupply risk- One-transaction minting
7.7 Blocklists
- USDC, USDT blocklists
- Admin-controlled blocking
- Contract trap risk
- Regulatory/extortion risk
7.8 Pausable Tokens
- BNB, ZIL pause functionality
- Admin pause risk
- User fund trap
7.9 Approval Race Protections
- USDT, KNC approval restrictions
- Cannot approve M > 0 when N > 0 approved
- Integration issues
7.10 Revert on Approval to Zero Address
- OpenZeppelin pattern
approve(address(0), amt)reverts- Special case handling needed
7.11 Revert on Zero Value Approvals
- BNB pattern
approve(address, 0)reverts- Approval reset issues
7.12 Revert on Zero Value Transfers
- LEND pattern
- Zero amount transfers fail
- Edge case handling
7.13 Multiple Token Addresses
- Proxied tokens with multiple addresses
- Address-based tracking broken
- Rescue function exploits
7.14 Low Decimals
- USDC: 6 decimals
- Gemini USD: 2 decimals
- Precision loss amplified
7.15 High Decimals
- YAM-V2: 24 decimals
- Overflow risks
- Liveness issues
7.16 transferFrom with src == msg.sender
- DSToken: no allowance decrease
- OpenZeppelin: always decrease
- Different semantics
7.17 Non-string Metadata
- MKR: bytes32 name/symbol
- Metadata consumption issues
- Type casting needed
7.18 Revert on Transfer to Zero Address
- OpenZeppelin pattern
- Burn mechanism broken
- Zero address handling
7.19 No Revert on Failure
- ZRX, EURS pattern
- Returns false instead of reverting
- Forgotten require wrapping
7.20 Revert on Large Approvals
- UNI, COMP: max uint96
- uint256(-1) special case
- Allowance mapping mismatch
7.21 Code Injection via Token Name
- Malicious JavaScript in name
- Frontend exploits
- Etherdelta hack pattern
7.22 Unusual Permit Function
- DAI, RAI, GLM non-EIP2612 permit
- No revert on unsupported permit
- Phantom function execution
7.23 Transfer Less Than Amount
- cUSDCv3 type(uint256).max handling
- Only balance transferred
- Vault accounting broken
7.24 ERC-20 Native Currency Representation
- Celo: CELO token
- Polygon: POL token
- zkSync Era: ETH token
- Double spending risks
Exploit: Uniswap V4 critical vulnerability
For each pattern I'll:
- Search for implementation
- Assess risk level
- Check integration safety
- Provide mitigation strategies
8. TOKEN INTEGRATION SAFETY
If analyzing a protocol that integrates tokens:
What I'll check:
Safe Transfer Pattern:
// Check for proper transfer handling
// Verify return value checking
// Look for SafeERC20 usage
Balance Verification:
// Check balance before and after
// Don't assume transfer amount = actual amount
// Fee-on-transfer protection
Allowlist Pattern:
// Contract-level allowlist
// Known good tokens
// UI-level filtering
Wrapper Contracts:
// Edge wrappers for external tokens
// Consistent internal semantics
// Isolation of weird behavior
Defensive Patterns:
- Reentrancy guards on token interactions
- Balance caching strategies
- Upgrade detection mechanisms
- Zero value handling
- Return value verification
9. ERC721 CONFORMITY CHECKS
What I'll analyze:
Transfer to 0x0:
- Should revert per standard
- Burning mechanism
- Token loss prevention
safeTransferFrom Implementation:
- Correct signature
- onERC721Received callback
- NFT loss to contracts
Metadata Functions:
name,symbolpresence- Can return empty string
decimalsreturnsuint8(0)if present
ownerOf Behavior:
- Reverts for invalid tokenId
- Reverts for burned tokens
- Never returns 0x0
Transfer Clears Approvals:
- Per standard requirement
- Approval state management
Token ID Immutability:
- ID cannot change during lifetime
- Per standard requirement
Checks:
- Transfers to 0x0 revert
-
safeTransferFromimplemented correctly -
name,symbolpresent if used -
decimalsreturnsuint8(0)if present -
ownerOfreverts for invalid/burned tokens - Transfers clear approvals
- Token IDs immutable during lifetime
10. ERC721 COMMON RISKS
What I'll check:
onERC721Received Callback:
- Reentrancy via callback
- safeMint risks
- External call ordering
Safe Minting to Contracts:
- Minting functions behave like
safeTransferFrom - Prevent NFT loss to contracts
- Handle contract recipients
Burning Clears Approvals:
- Burn function existence
- Approval clearing
- Approval state after burn
Checks:
-
onERC721Receivedcallback reentrancy protected - NFTs safely minted to smart contracts
- Burning tokens clears approvals
Slither Integration
Commands I'll Help Run
ERC Conformity Check:
# For ERC20
slither-check-erc [address-or-path] TokenName --erc erc20
# For ERC721
slither-check-erc [address-or-path] TokenName --erc erc721
Contract Analysis:
# Human-readable summary (complexity, upgrades, etc.)
slither [target] --print human-summary
# Function and modifier summary
slither [target] --print contract-summary
Property Generation:
# Generate test properties for Echidna/Manticore
slither-prop . --contract TokenName
Note: I'll adapt based on whether tools are available. I can work without Slither but recommend using it for Solidity projects.
On-chain Analysis Integration
Querying Deployed Contracts
If you provide a contract address, I can query on-chain data:
Setup:
// I'll use web3.js or ethers.js
const Web3 = require('web3');
const web3 = new Web3('RPC_URL');
Token Information:
// Query basic info
const name = await token.methods.name().call();
const symbol = await token.methods.symbol().call();
const decimals = await token.methods.decimals().call();
const totalSupply = await token.methods.totalSupply().call();
Holder Analysis:
// Query top holders
// Calculate concentration
// Identify whale risk
Exchange Analysis:
// Query balances on Uniswap, Curve, etc.
// Check centralization in single exchange
Configuration:
// Query owner/admin
// Check pause status
// Verify upgrade configuration
Note: I'll only perform on-chain queries if you provide an address and RPC endpoint. Won't hallucinate if not applicable.
Known Non-Standard Tokens Database
I have comprehensive knowledge of known non-standard tokens:
Missing Revert
- Basic Attention Token (BAT)
- Huobi Token (HT)
- Compound USD Coin (cUSDC)
- 0x Protocol Token (ZRX)
Transfer Hooks (Reentrant)
- Amp (AMP)
- The Tokenized Bitcoin (imBTC)
Missing Return Data
- Binance Coin (BNB) - only on
transfer - OMGToken (OMG)
- Tether USD (USDT)
Permit No-op
- Wrapped Ether (WETH)
Additional Non-Standard
- USDC: upgradeable, 6 decimals
- DAI: non-standard permit, flash mintable
- UNI, COMP: revert on large approvals (>= 2^96)
I'll check if your codebase interacts with any of these and verify proper handling.