[Ethereum] Problem with approve and transferFrom for making payments using ERC20 Token Contract

erc-20solidity

I have a contract that uses the ERC20 token contract for making payments. Now, in the ERC20 token contract we have the following implementation of approve function:

function approve(address _spender, uint256 _value) public returns (bool) {
    allowed[msg.sender][_spender] = _value;
    emit Approval(msg.sender, _spender, _value);
    return true;
}

The problem is that the msg.sender within the approve() function of ERC20 holds the address of the service contract (the contract that uses the ERC20 contract for making payments and not the address of the user who wants to make the payment). So, how do I let the approve function know the address of the user who wants to make the payment ?

The work-around for this is to call the approve function directly instead of via
another contract. Is this the way to do it ?

Best Answer

If you are using someone else's ERC20 token, then you will not be able to do this. The approve function in a standard ERC20 contract is made to use the msg.sender which, as you have noticed, will take the form of the calling address (like a contract), rather than the root address which initiated a transaction.

This is actually a way to prevent from attacks against the token. Imagine you could build a contract which a user calls, that triggers another ERC20 token and make some sort of change on behalf of the user. You could then use this behavior in a malicious function, where you trick the user to call your contract function, and then you steal all of their coins.

Because the approve function is written the way it is, the only way a user could have their tokens manipulated with, is through explicit action by that user directly to the token contract that they know about.

The approve function is actually made exactly for your kind of scenario, where the user can "approve" your contract address to spend some amount of tokens, and then you can build functions which can call transferFrom() to then interact with those tokens.

Now, you can build your own ERC20 token, which would allow for this exploit by replacing msg.sender with tx.origin which is always the root caller of the transactions (always an EOA), but as I mentioned above, this would leave you vulnerable to other contracts exploiting your choice.

I hope this helps.

Related Solutions

[Ethereum] API to “Read Contract Information” to fetch stats of an ICO

Which version of web3 are you using?

Here is a working example with web3@^1.0.0-beta.34

const Web3 = require('web3');
contractAddress = '0xe7775a6e9bcf904eb39da2b68c5efb4f9360e08c';
provider = 'https://mainnet.infura.io';
const contractAbiJSON = '';//... The JSON abi

// Init
const web3 = new Web3(new web3.providers.HttpProvider(provider));

const contract = new web3.eth.Contract(contractAbiJSON, contractAddress);

contract.methods.totalSupply().call().then((totalSupply) => {
  console.log(totalSupply);
});

[Ethereum] This contract does not implement all functions and thus cannot be created

The problem is that totalSupply() implementation is missing. Seems like autogenerated getters do not count. So you need to explicitly create the function.

contract StandardToken is Token {
    uint256 _totalSupply;

    function totalSupply() constant returns (uint256 totalSupply) {
        totalSupply = _totalSupply;
    }
}

Best Answer

Related Solutions

[Ethereum] API to “Read Contract Information” to fetch stats of an ICO

[Ethereum] This contract does not implement all functions and thus cannot be created

Related Topic