ERC-20 is the token standard that powers most of DeFi. Understanding how ERC-20 contracts work — and how they can go wrong — is fundamental to protecting yourself in crypto.
This guide covers the security landscape of ERC-20 tokens: what the standard does, what can be added on top of it, and how to evaluate any token before investing.
What Is ERC-20?
ERC-20 is a technical standard for fungible tokens on Ethereum and EVM-compatible chains (Base, Polygon, Arbitrum, Optimism). It defines six mandatory functions:
```solidity
interface IERC20 {
    function totalSupply() external view returns (uint256);                      // Total tokens in existence
    function balanceOf(address account) external view returns (uint256);         // Balance of an address
    function transfer(address to, uint256 amount) external returns (bool);       // Send tokens
    function transferFrom(address from, address to, uint256 amount) external returns (bool); // Send on behalf of another
    function approve(address spender, uint256 amount) external returns (bool);   // Grant spending allowance
    function allowance(address owner, address spender) external view returns (uint256);     // Check approved amount
}
```
These six functions guarantee interoperability — any ERC-20 token works with any DEX, wallet, or DeFi protocol that supports the standard.
The security risk comes from what developers add on top of the standard.
The Security Risk Surface of ERC-20 Tokens
Owner-Controlled Functions
Most ERC-20 tokens add an owner — an address with privileged access. The OpenZeppelin Ownable contract is the most common pattern:
```solidity
contract MyToken is ERC20, Ownable {
    // Only the owner can call these; each one is a lever over every holder
    function mint(address to, uint256 amount) public onlyOwner { ... }  // create supply
    function pause() public onlyOwner { ... }                           // freeze transfers
    function blacklist(address wallet) public onlyOwner { ... }         // block a wallet
}
```
The owner is set at deployment and can be transferred or renounced. If ownership is renounced, no privileged functions can be called. If ownership is held by a single wallet, that wallet has total control.
Common Risk Functions
| Function | What It Does | Risk |
|---|---|---|
| mint() | Creates new tokens | Can dilute supply infinitely |
| burn() | Destroys tokens | Usually low risk |
| pause() / unpause() | Freezes all transfers | Can trap holders |
| blacklist() | Blocks specific wallets | Creates a honeypot: blocked holders cannot sell |
| setTax() / setFee() | Changes the transfer fee | Can be set to 99% |
| excludeFromFee() | Exempts an address from the fee | Owner can exempt themselves before a rugpull |
Proxy Upgradeable Patterns
What Is a Proxy?
A proxy contract is a two-layer architecture: a proxy (permanent address) that delegates calls to an implementation (the logic). The key danger is that the implementation can be replaced by the proxy owner — changing the token's behavior entirely.
Common proxy standards:
- EIP-1967 / Transparent Proxy — Most common. EIP-1967 fixes the storage slots that hold the implementation (and admin) address, so any tool can read them; the Transparent Proxy pattern routes upgrade calls through that admin.
- UUPS (Universal Upgradeable Proxy Standard) — The upgrade logic lives in the implementation itself.
- Beacon Proxy — Multiple proxies share one implementation via a "beacon" contract that publishes the implementation address.
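The EIP-1967 slots and the ERC-20 selectors mentioned above are both derived from keccak-256, and Python's standard library only ships SHA3 (different padding), so the following added example carries a pure-Python keccak-256 and uses it to (a) compute the four-byte selectors of the six standard functions and (b) derive the three EIP-1967 slots and interpret the words read from them. This is not code from the original article; the `classify_proxy` helper and its labels are this example's own, and the storage words in `SAMPLE_STORAGE` are constructed, not reads from any real contract.

```python
"""Pure-Python keccak-256, ERC-20 selectors and EIP-1967 slot decoding.
Added example; SAMPLE_STORAGE holds constructed values, not on-chain data."""

MASK64 = (1 << 64) - 1

# Keccak-f[1600] round constants (iota step)
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
# Rotation offsets for the rho step, indexed [x][y]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rotl(v: int, n: int) -> int:
    n %= 64
    return v if n == 0 else ((v << n) | (v >> (64 - n))) & MASK64


def _keccak_f(lanes: list) -> list:
    """Keccak-f[1600]; lanes[x + 5*y] is the 64-bit lane at column x, row y."""
    for rc in RC:
        # theta: xor each lane with the parity of two neighbouring columns
        c = [lanes[x] ^ lanes[x + 5] ^ lanes[x + 10] ^ lanes[x + 15] ^ lanes[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rotl(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [lanes[i] ^ d[i % 5] for i in range(25)]
        # rho + pi: rotate each lane and move it to position (y, 2x+3y)
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rotl(lanes[x + 5 * y], ROT[x][y])
        # chi: non-linear mixing within each row
        lanes = [b[x + 5 * y] ^ (~b[(x + 1) % 5 + 5 * y] & b[(x + 2) % 5 + 5 * y])
                 for y in range(5) for x in range(5)]
        lanes[0] ^= rc  # iota
    return lanes


def keccak256(data: bytes) -> bytes:
    """Ethereum's Keccak-256 (pad byte 0x01), not FIPS SHA3-256 (pad byte 0x06)."""
    rate = 136  # (1600 - 2*256) bits in bytes
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    lanes = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            lanes[i] ^= int.from_bytes(buf[off + 8 * i: off + 8 * i + 8], "little")
        lanes = _keccak_f(lanes)
    return b"".join(lane.to_bytes(8, "little") for lane in lanes[:4])


def selector(signature: str) -> str:
    """Function selector: first 4 bytes of keccak256 over the canonical signature."""
    return "0x" + keccak256(signature.encode()).hex()[:8]


def eip1967_slot(label: str) -> int:
    """EIP-1967 slot = uint256(keccak256(label)) - 1, deliberately outside any
    compiler-assigned storage layout so proxy and implementation never collide."""
    return int.from_bytes(keccak256(label.encode()), "big") - 1


IMPLEMENTATION_SLOT = eip1967_slot("eip1967.proxy.implementation")
ADMIN_SLOT = eip1967_slot("eip1967.proxy.admin")
BEACON_SLOT = eip1967_slot("eip1967.proxy.beacon")

ERC20_SELECTORS = {sig: selector(sig) for sig in (
    "totalSupply()", "balanceOf(address)", "transfer(address,uint256)",
    "transferFrom(address,address,uint256)", "approve(address,uint256)",
    "allowance(address,address)")}


def classify_proxy(storage: dict) -> dict:
    """Interpret 32-byte words read at the EIP-1967 slots (e.g. via eth_getStorageAt).
    An all-zero word means the slot is unused; otherwise the low 20 bytes are an address."""
    def addr(word: bytes):
        return None if int.from_bytes(word, "big") == 0 else "0x" + word[-20:].hex()
    impl = addr(storage.get(IMPLEMENTATION_SLOT, bytes(32)))
    admin = addr(storage.get(ADMIN_SLOT, bytes(32)))
    beacon = addr(storage.get(BEACON_SLOT, bytes(32)))
    if beacon:
        kind = "beacon proxy"
    elif impl and admin:
        kind = "transparent proxy (separate admin address)"
    elif impl:
        kind = "upgradeable proxy, likely UUPS (upgrade logic in the implementation)"
    else:
        kind = "no EIP-1967 slots set (other proxy patterns remain possible)"
    return {"implementation": impl, "admin": admin, "beacon": beacon, "kind": kind}


# Constructed sample: a transparent proxy; these addresses are placeholders
SAMPLE_STORAGE = {IMPLEMENTATION_SLOT: bytes(12) + bytes.fromhex("11" * 20),
                  ADMIN_SLOT: bytes(12) + bytes.fromhex("22" * 20)}

if __name__ == "__main__":
    print("implementation slot:", hex(IMPLEMENTATION_SLOT))
    for sig, sel in ERC20_SELECTORS.items():
        print(sel, sig)
    print(classify_proxy(SAMPLE_STORAGE))
```

A non-zero word in the implementation slot is the most reliable sign that the address you are looking at is a proxy, because it does not depend on the source being verified; a zero word rules out EIP-1967 but not older or custom delegatecall patterns, which still need the source review in Step 4.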
Why Proxies Are a Risk
If a token is upgradeable, the owner can deploy a new implementation at any time that:
- Adds a mint function that didn't exist before
- Removes the transfer function (trapping all holders)
- Changes tax rates
- Adds a backdoor
Mitigating factors: Timelocks (48–72 hour delay on upgrades), multisig control, or DAO governance all reduce the risk of proxy abuse.
Liquidity Pool Security
When a token launches on a DEX like Uniswap, it creates a liquidity pool pairing the token with ETH or a stablecoin. The security question is: is the liquidity locked?
LP Token Flow
- Team deploys token
- Team provides initial liquidity to Uniswap
- Uniswap issues LP tokens to the team
- If LP tokens are NOT locked: team can withdraw all liquidity instantly
- If LP tokens ARE locked: liquidity cannot be removed until the lock expires
What to Look For
- LP tokens burned: Sent to 0x000...dead. This is permanent — the best outcome.
- LP tokens locked: Sent to a third-party locker (Uncx Network, Team Finance) with a time lock. Check the lock duration and unlock date.
- LP tokens in deployer wallet: Dangerous. They can be removed at any time.
Holder Concentration Risk
Token holder concentration is a measure of how distributed the supply is. High concentration means a few wallets can crash the price.
Key Metrics
- Top 10 holder percentage: Anything above 60% concentrated in 10 wallets is concerning.
- Deployer balance: Should be near zero after launch. Significant deployer holdings indicate pending sell pressure.
- Creator/insider wallets: Related addresses funded from the same source and holding collectively.
Sybil Wallets
A sybil attack in the context of token distribution means creating many wallets to make ownership look distributed, when they're all controlled by the same party. Clues:
- Multiple wallets funded from the same source in quick succession
- Wallets with similar transaction histories and ages
- Wallets that all bought at the same block
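The concentration metrics and sybil clues from the two sections above can be computed mechanically from a holders export plus, for each wallet, the source and block of its first funding and the block of its first buy. The following added example (not code from the original article) does that over a constructed holder list; the addresses, balances, block numbers and the `0xfunder01` source are all made up, and the "near zero" deployer threshold of 1% and the 10-block funding window are this example's own assumptions.

```python
"""Holder concentration and sybil-cluster heuristics over a token holder list.
Added example with constructed sample data; thresholds are assumptions."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Holder:
    address: str
    balance: int          # token units held now
    funded_by: str        # address that sent this wallet its first ETH
    funded_block: int     # block of that first funding transaction
    first_buy_block: int  # block of the wallet's first purchase of the token


DEPLOYER = "0xdep10yer"   # constructed placeholder
FUNDER = "0xfunder01"     # constructed: one source behind several "independent" wallets
TOTAL_SUPPLY = 1_000_000

# Constructed sample: deployer still holds 12%; five wallets funded by the same
# source within three blocks all made their first buy in block 100.
HOLDERS = [
    Holder(DEPLOYER, 120_000, "0xexchange", 1, 0),
    Holder("0xaaa1", 110_000, FUNDER, 95, 100),
    Holder("0xaaa2", 105_000, FUNDER, 95, 100),
    Holder("0xaaa3", 100_000, FUNDER, 96, 100),
    Holder("0xaaa4", 95_000, FUNDER, 96, 100),
    Holder("0xaaa5", 90_000, FUNDER, 97, 100),
    Holder("0xbbb1", 60_000, "0xcex02", 40, 250),
    Holder("0xbbb2", 40_000, "0xcex03", 300, 900),
    Holder("0xbbb3", 30_000, "0xcex04", 500, 1200),
    Holder("0xbbb4", 25_000, "0xcex05", 700, 1500),
    Holder("0xccc1", 15_000, "0xcex06", 800, 1600),
    # a real export continues with a long tail of small holders
]


def top_n_share(holders, total_supply, n=10, exclude=()):
    """Share of supply in the n largest wallets, skipping e.g. LP or burn addresses."""
    ranked = sorted((h for h in holders if h.address not in exclude),
                    key=lambda h: h.balance, reverse=True)
    return sum(h.balance for h in ranked[:n]) / total_supply


def deployer_share(holders, total_supply, deployer):
    return sum(h.balance for h in holders if h.address == deployer) / total_supply


def funding_clusters(holders, max_block_gap=10, min_size=3):
    """Wallets funded by one source within max_block_gap blocks of each other.
    Returns [(source, [addresses sorted by funding block])]."""
    by_source = defaultdict(list)
    for h in holders:
        by_source[h.funded_by].append(h)
    clusters = []
    for source, group in by_source.items():
        group.sort(key=lambda h: h.funded_block)
        if len(group) >= min_size and group[-1].funded_block - group[0].funded_block <= max_block_gap:
            clusters.append((source, [h.address for h in group]))
    return clusters


def same_block_buyers(holders, min_size=3):
    """Wallets whose first buy landed in the same block."""
    by_block = defaultdict(list)
    for h in holders:
        by_block[h.first_buy_block].append(h.address)
    return {blk: addrs for blk, addrs in by_block.items() if len(addrs) >= min_size}


def assess(holders, total_supply, deployer):
    top10 = top_n_share(holders, total_supply)
    dep = deployer_share(holders, total_supply, deployer)
    clusters = funding_clusters(holders)
    blocks = same_block_buyers(holders)
    flags = []
    if top10 > 0.60:                       # threshold from the article
        flags.append(f"top 10 holders control {top10:.1%} of supply")
    if dep > 0.01:                         # assumed reading of "near zero"
        flags.append(f"deployer still holds {dep:.1%}")
    for source, addrs in clusters:
        flags.append(f"{len(addrs)} wallets funded by {source} within a few blocks")
    for blk, addrs in blocks.items():
        flags.append(f"{len(addrs)} wallets first bought in block {blk}")
    return {"top10_share": top10, "deployer_share": dep,
            "clusters": clusters, "same_block": blocks, "flags": flags}


if __name__ == "__main__":
    for line in assess(HOLDERS, TOTAL_SUPPLY, DEPLOYER)["flags"]:
        print("-", line)
```

Treating a funding cluster as a single holder when you re-run the concentration metric is the natural next step: in the sample the five `0xfunder01` wallets are really one 50% position hiding behind five 9-11% ones.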
How to Evaluate a Token Contract
Step 1: Check Source Verification
Go to etherscan.io and paste the contract address. Is the contract verified? If not, stop here — you can't audit what you can't read.
Step 2: Identify the Ownership Model
- Is ownership renounced? (Owner = 0x000...0000)
- Is it an EOA or a multisig?
- If a multisig, how many signers are required?
Step 3: Inventory Admin Functions
Read the contract and list every onlyOwner function. For each one, ask: "If this was called maliciously, what would happen?"
Step 4: Check for Proxy Pattern
Is there a delegatecall in the contract? Is there an implementation address? Look for _IMPLEMENTATION_SLOT or similar constants.
Step 5: Verify Liquidity Status
Check the LP token holder of the Uniswap pair. If it's a known locker contract, check the lock amount and duration.
Step 6: Review Holder Distribution
Pull the token holders list from Etherscan. What's the distribution? Has the deployer sold?
The Fast Way: Automated Scanning
Manual analysis is thorough but slow. For quick due diligence on any ERC-20 token, ChainRaven's free scanner automates all of the above:
- Fetches and analyzes the contract ABI
- Identifies all risk functions (mint, pause, blacklist, upgradeable proxy)
- Checks ownership status
- Pulls holder distribution
- Checks LP lock status
- Returns a 0–100 risk score with a per-signal breakdown
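As an added illustration of what "a risk score with a per-signal breakdown" can look like, and of Step 3's admin-function inventory, the example below scans a contract ABI for state-changing functions whose names match the risk table earlier on the page, then combines those hits with the facts gathered in Steps 2, 5 and 6 into a 0-100 score. It is not ChainRaven's code or scoring model, nor code from the article: the signal names, weights and thresholds are this example's own, and the ABI fragment and facts are constructed sample data. Note the caveat built into it: an ABI shows function names and mutability, not the `onlyOwner` modifier, so the inventory is a screen to confirm against verified source, not a substitute for reading it.

```python
"""Toy 0-100 ERC-20 risk score from an ABI scan plus gathered facts.
Added example; weights, thresholds and sample data are constructed."""

import json
import re

# (name pattern, signal, points) for state-changing functions in the ABI
RISK_FUNCTION_PATTERNS = [
    (re.compile(r"^mint", re.I), "mint", 24),
    (re.compile(r"^(pause|unpause)$", re.I), "pause", 16),
    (re.compile(r"blacklist|blocklist|denylist", re.I), "blacklist", 24),
    (re.compile(r"^set.*(tax|fee)", re.I), "adjustable_tax", 16),
    (re.compile(r"^excludefromfee", re.I), "fee_exemption", 6),
    (re.compile(r"^upgradeto", re.I), "upgradeable", 20),
]
# Levers the token owner holds; "upgradeable" belongs to the proxy admin instead
OWNER_LEVERS = {"mint", "pause", "blacklist", "adjustable_tax", "fee_exemption"}


def admin_functions(abi):
    """Non-view functions whose names match a risk pattern.
    Name-based screen only: the ABI carries no onlyOwner information."""
    hits = []
    for entry in abi:
        if entry.get("type") != "function" or entry.get("stateMutability") in ("view", "pure"):
            continue
        for pattern, signal, points in RISK_FUNCTION_PATTERNS:
            if pattern.search(entry["name"]):
                hits.append((entry["name"], signal, points))
                break
    return hits


def score_token(abi, facts):
    """facts: owner in {'renounced','multisig','eoa'}, lp in {'burned','locked','unlocked'},
    top10_share and deployer_share as fractions of supply."""
    breakdown = {}
    for _, signal, points in admin_functions(abi):
        breakdown[signal] = max(breakdown.get(signal, 0), points)  # one entry per signal
    # Renounced ownership removes owner levers; a multisig halves their weight
    owner_factor = {"renounced": 0.0, "multisig": 0.5, "eoa": 1.0}[facts["owner"]]
    for signal in list(breakdown):
        if signal in OWNER_LEVERS:
            breakdown[signal] = int(breakdown[signal] * owner_factor)
    if facts["owner"] == "eoa":
        breakdown["single_key_owner"] = 10
    breakdown["liquidity"] = {"burned": 0, "locked": 5, "unlocked": 30}[facts["lp"]]
    if facts["top10_share"] > 0.60:      # article's concentration threshold
        breakdown["holder_concentration"] = 15
    if facts["deployer_share"] > 0.05:   # assumed "not near zero"
        breakdown["deployer_balance"] = 10
    return {"score": min(100, sum(breakdown.values())), "breakdown": breakdown}


# Constructed ABI fragment: two standard functions, three admin functions, one getter
SAMPLE_ABI = json.loads("""[
 {"type":"function","name":"transfer","stateMutability":"nonpayable","inputs":[],"outputs":[]},
 {"type":"function","name":"balanceOf","stateMutability":"view","inputs":[],"outputs":[]},
 {"type":"function","name":"mint","stateMutability":"nonpayable","inputs":[],"outputs":[]},
 {"type":"function","name":"pause","stateMutability":"nonpayable","inputs":[],"outputs":[]},
 {"type":"function","name":"setTaxFee","stateMutability":"nonpayable","inputs":[],"outputs":[]},
 {"type":"function","name":"owner","stateMutability":"view","inputs":[],"outputs":[]}
]""")

# Constructed facts as Steps 2, 5 and 6 might produce them
SAMPLE_FACTS = {"owner": "multisig", "lp": "locked", "top10_share": 0.775, "deployer_share": 0.12}

if __name__ == "__main__":
    for name, signal, points in admin_functions(SAMPLE_ABI):
        print(f"{name:<12} -> {signal} (+{points})")
    print(score_token(SAMPLE_ABI, SAMPLE_FACTS))
```

Two tokens with the same ABI can land far apart: with the sample ABI, a multisig owner, locked LP and the concentrated holder set above, the score is 58; with ownership renounced, LP burned and a dispersed holder set it drops to 0 even though `mint` and `pause` are still in the bytecode, which is exactly why the breakdown matters more than the headline number.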
Use the scanner for initial screening, then do a deeper manual review for tokens you're seriously considering.
Summary: ERC-20 Security Checklist
Before investing in any ERC-20 token:
- Source code verified on Etherscan
- No mint function, or mint controlled by timelock/DAO
- No blacklist or honeypot mechanics
- No uncapped adjustable taxes
- Ownership renounced or held by multisig
- If proxy: timelocked upgrades, multisig control
- LP locked for 6+ months or burned
- Top 10 holders control <50% of supply
- Deployer balance is near zero
- Audited by a reputable firm
No checklist is a guarantee, but working through these points eliminates the vast majority of obvious scams.