Hidden Balance Update

Suspicious or malicious balance updates.

What is Balance?

Let's say user A (0x123…456) holds a token (e.g. USDC). If they hold 1000 USDC, user A's USDC balance is 1000:

  • balanceOf(0x123...456) = 1000

Malicious Balance Update

A balance is normally updated only during mint, burn and transfer. Any other code path that changes a user's balance is discouraged and is treated as malicious. This is comparable to a bank balance being altered without the account holder's involvement.

Above is a basic ERC20 contract with an additional function, change_balance().

The function change_balance() looks harmless, but it writes balances directly, which undermines the security of the contract.

Exploit Case

Let the above be the token contract of Token ABC.

  • User A (0x123…456) holds 1000 ABC tokens
  • Anyone can call change_balance() to update user A's balance.
    • change_balance(0x123...456, 100) sets user A's balance to 100

Conclusion

The API identifies and flags contracts, and the specific functions within them, that allow malicious or inappropriate updates of token balances.
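The following is an added example, not the API's own code, showing the kind of heuristic that detects a hidden balance update like change_balance() in the exploit case above: it extracts every function from a Solidity source, looks for writes to the balance mapping, and flags any writer that is not one of the expected balance-updating functions. The sample contract is constructed here to match the page's description, the set of allowed function names (mint, burn, transfer plus their internal variants and transferFrom) and the mapping names checked are assumptions, and the brace matching is deliberately naive.

```python
import re
from typing import List, Tuple

# Constructed sample: a minimal ERC20-style contract with the extra
# change_balance() function described on the page. Not the page's own contract.
SAMPLE_SOURCE = """
pragma solidity ^0.8.0;

contract TokenABC {
    mapping(address => uint256) public balances;
    uint256 public totalSupply;
    address public owner;

    function transfer(address to, uint256 amount) public returns (bool) {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        balances[to] += amount;
        return true;
    }

    function mint(address to, uint256 amount) public {
        require(msg.sender == owner, "not owner");
        totalSupply += amount;
        balances[to] += amount;
    }

    function burn(uint256 amount) public {
        balances[msg.sender] -= amount;
        totalSupply -= amount;
    }

    // Hidden balance update: anyone can overwrite any holder's balance.
    function change_balance(address user, uint256 newBalance) public {
        balances[user] = newBalance;
    }
}
"""

# Functions in which an ERC20 is expected to touch balances. The page names
# mint, burn and transfer; the underscore-prefixed internal variants and
# transferFrom are added as an assumption about common implementations.
ALLOWED_UPDATERS = {
    "mint", "burn", "transfer", "transferFrom",
    "_mint", "_burn", "_transfer", "_update",
}

# Common names for the balance mapping (assumption; extend for other codebases).
BALANCE_NAMES = ("balances", "_balances", "balanceOf")

FUNC_HEADER = re.compile(r"\bfunction\s+([A-Za-z_]\w*)\s*\(")
# Matches `balances[x] = ...`, `+=`, `-=`, `*=`, `/=` but not comparisons
# such as `balances[x] >= y` or `balances[x] == y`.
BALANCE_WRITE = re.compile(
    r"\b(?:%s)\s*\[[^\]]*\]\s*(?:[+\-*/]?=)(?!=)" % "|".join(BALANCE_NAMES)
)


def extract_functions(source: str) -> List[Tuple[str, str]]:
    """Return (name, body) for every function with a body in the source.

    Brace matching ignores strings and comments, which is acceptable for a
    heuristic scanner but not for a full parser.
    """
    functions = []
    for m in FUNC_HEADER.finditer(source):
        name = m.group(1)
        open_idx = source.find("{", m.end())
        # A ';' before the next '{' means this is a bodyless declaration
        # (interface or abstract function), so skip it.
        if open_idx == -1 or ";" in source[m.end():open_idx]:
            continue
        depth = 0
        for i in range(open_idx, len(source)):
            if source[i] == "{":
                depth += 1
            elif source[i] == "}":
                depth -= 1
                if depth == 0:
                    functions.append((name, source[open_idx:i + 1]))
                    break
    return functions


def balance_writers(source: str) -> List[str]:
    """Names of all functions that assign to the balance mapping."""
    return [name for name, body in extract_functions(source)
            if BALANCE_WRITE.search(body)]


def find_hidden_balance_updates(source: str) -> List[str]:
    """Names of functions that write balances but are not in the expected
    mint/burn/transfer family; these are the candidates to flag."""
    return [name for name in balance_writers(source)
            if name not in ALLOWED_UPDATERS]


if __name__ == "__main__":
    print("balance writers:", balance_writers(SAMPLE_SOURCE))
    print("flagged:", find_hidden_balance_updates(SAMPLE_SOURCE))
```

Running the module on the constructed source lists transfer, mint, burn and change_balance as balance writers and flags only change_balance. A production scanner would work on the compiled AST or bytecode rather than regexes, but the decision rule is the same: any writer to the balance storage outside the mint/burn/transfer family is suspicious.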