apegurus/weird-tokens
skills/vulnerability-patterns/weird-tokens/SKILL.md
Non-standard ERC20 behaviors, integration pitfalls, and token-handling safeguards.
tools
Updated May 13, 2026
$ install --global
skillsauthnpx skillsauth add apegurus/solidity-argus weird-tokensInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 13, 2026, 3:33 AM140.0s1 file scanned
SKILL.md
- name:
- weird-tokens
- description:
- approve usage requires allowance race and non-standard token handling checks
- pattern_category:
- token-standard
- - regex:
- \.approve\(
- severity:
- Low
- confidence:
- Low
<!-- Source: DeFiFoFum/fofum-solidity-skills (MIT) -->
Weird ERC20 Tokens Reference
Tokens that don't behave like standard ERC20. Integrating with these requires special handling.
Quick Reference Table
| Pattern | Example Tokens | Risk | Mitigation | |---------|---------------|------|------------| | Missing return values | USDT, BNB, OMG | Silent failures | SafeERC20 | | Fee on transfer | STA, PAXG, SAFEMOON | Balance mismatch | Measure before/after | | Rebasing | AMPL, stETH, OHM | Cached balance wrong | Don't cache balances | | Pausable | BNB, ZIL | DOS | Handle gracefully | | Blocklist | USDC, USDT | User funds frozen | Document risk | | Upgradeable | USDC, USDT | Behavior can change | Monitor upgrades | | Flash mintable | DAI | Infinite supply attacks | Check total supply | | Multiple addresses | TUSD | Accounting errors | Verify canonical address | | Low decimals | USDC (6), GUSD (2) | Precision loss | Handle decimals explicitly | | High decimals | YAM-V2 (24) | Overflow risk | Check bounds | | Approval race | USDT, KNC | Front-running | Set to 0 first | | Revert on zero | LEND | Unexpected reverts | Check amount > 0 | | Non-string metadata | MKR | Type errors | Handle bytes32 | | ERC777 hooks | imBTC | Reentrancy | Treat as untrusted |
Detailed Patterns
1. Missing Return Values
Tokens: USDT, BNB, OMG, BADGER
Problem:
// Returns nothing, but ERC20 interface expects bool
function transfer(address to, uint value) public {
// ... no return statement
}
Exploit:
// This compiles but fails at runtime for USDT
IERC20(usdt).transfer(to, amount); // Reverts: expected return data
Fix:
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
using SafeERC20 for IERC20;
IERC20(usdt).safeTransfer(to, amount); // Works
2. Fee on Transfer
Tokens: STA, PAXG, SAFEMOON, most "reflection" tokens
Problem:
function transfer(address to, uint value) public returns (bool) {
uint fee = value * feePercent / 100;
_transfer(msg.sender, feeCollector, fee);
_transfer(msg.sender, to, value - fee);
return true;
}
Exploit:
// User deposits 100, protocol credits 100
// But only 98 actually arrived (2% fee)
// User can withdraw 100, stealing 2 from protocol
function deposit(uint amount) external {
token.transferFrom(msg.sender, address(this), amount);
balances[msg.sender] += amount; // WRONG!
}
Fix:
function deposit(uint amount) external {
uint balanceBefore = token.balanceOf(address(this));
token.transferFrom(msg.sender, address(this), amount);
uint received = token.balanceOf(address(this)) - balanceBefore;
balances[msg.sender] += received; // Credit actual amount
}
3. Rebasing Tokens
Tokens: AMPL, stETH (rebases), OHM, AAVE aTokens
Problem:
// Balance changes without any transfers
function rebase(int supplyDelta) external {
totalSupply = totalSupply + supplyDelta;
// All balances scale proportionally
}
Exploit:
// Protocol caches balance
uint cachedBalance = steth.balanceOf(address(this));
// ... time passes, rebase happens ...
// Cached balance is now wrong
// Can lead to accounting errors, insolvency
Fix:
- Don't cache balances
- Use wrapper tokens (wstETH instead of stETH)
- Track shares, not absolute amounts
4. Pausable Tokens
Tokens: BNB, ZIL, USDC (admin can pause)
Problem:
modifier whenNotPaused() {
require(!paused, "Paused");
_;
}
function transfer(address to, uint value) public whenNotPaused {
// ...
}
Impact:
- Protocol can be DOS'd if token pauses
- User funds stuck
- Liquidations fail
Fix:
- Have emergency withdrawal that doesn't rely on transfers
- Document risk to users
- Consider timelock on protocol side
5. Blocklist/Blacklist Tokens
Tokens: USDC, USDT (compliance blacklists)
Problem:
function transfer(address to, uint value) public {
require(!blacklisted[msg.sender], "Blacklisted");
require(!blacklisted[to], "Blacklisted");
// ...
}
Impact:
- Blacklisted users can't withdraw
- Protocol holding funds for blacklisted user is stuck
Fix:
- Document risk
- Consider allowing admin rescue to different address
- Use wrapper tokens where possible
6. Upgradeable Tokens
Tokens: USDC, USDT, many newer tokens
Problem:
- Token logic can change after integration
- New fee mechanisms could be added
- Pausability could be added
Impact:
- Your integration assumptions may break post-upgrade
Fix:
- Monitor token upgrades
- Have upgrade handlers in your protocol
- Test against upgraded implementations
7. Flash Mintable Tokens
Tokens: DAI (flash mint), some wrapped tokens
Problem:
function flashLoan(uint amount) external {
_mint(msg.sender, amount);
IFlashBorrower(msg.sender).onFlashLoan(amount);
_burn(msg.sender, amount);
}
Impact:
- Attacker can temporarily have infinite tokens
- Breaks governance (voting with flash minted tokens)
- Price manipulation
Fix:
- Use TWAP for prices
- Snapshot voting tokens before proposals
- Check totalSupply before/after for sanity
8. Approval Race Condition
Tokens: USDT requires setting to 0 first
Problem:
// USDT's approve reverts if allowance > 0 and newValue > 0
function approve(address spender, uint value) public {
require(value == 0 || allowance[msg.sender][spender] == 0);
// ...
}
Fix:
// Always set to 0 first
token.approve(spender, 0);
token.approve(spender, newAmount);
// Or use SafeERC20
token.safeIncreaseAllowance(spender, amount);
9. ERC777 Hooks (Reentrancy)
Tokens: imBTC, any ERC777
Problem:
// ERC777 calls hooks on sender and receiver
function _send(address from, address to, uint256 amount) internal {
_callTokensToSend(from, to, amount); // HOOK - reentrancy!
_transfer(from, to, amount);
_callTokensReceived(from, to, amount); // HOOK - reentrancy!
}
Impact:
- Reentrancy even without ETH transfers
- imBTC was exploited via this
Fix:
- Treat ERC777 transfers as untrusted external calls
- Apply CEI pattern
- Use ReentrancyGuard
Integration Checklist
When integrating any token:
- [ ] Check for missing return values (SafeERC20)
- [ ] Check for fee-on-transfer (measure actual received)
- [ ] Check for rebasing (don't cache balances)
- [ ] Check for pausability (emergency paths)
- [ ] Check for blocklists (document risk)
- [ ] Check for upgradeability (monitor changes)
- [ ] Check for flash minting (use TWAP)
- [ ] Check for ERC777 hooks (reentrancy guard)
- [ ] Check decimals (6, 8, 18, 24 all exist)
- [ ] Check approval behavior (set to 0 first for USDT)
Resources
- weird-erc20: https://github.com/d-xo/weird-erc20
- Token Integration Checklist: https://github.com/crytic/building-secure-contracts/blob/master/development-guidelines/token_integration.md
Related Skills
apegurus/vector-scan
testing
VerifiedTrustedCommunity
Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.
SKILL.mdUpdated May 30, 2026
apegurus/periphery
tools
VerifiedTrustedCommunity
Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.
SKILL.mdUpdated May 30, 2026
apegurus/math-precision
testing
VerifiedTrustedCommunity
Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.
SKILL.mdUpdated May 30, 2026
apegurus/invariant
testing
VerifiedTrustedCommunity
Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.
SKILL.mdUpdated May 30, 2026