Coinbase and ZenGo Spar Over QR Code Standards That Could Strand ERC-20 Tokens
Small problems, compounded by a lack of developer coordination, can have a huge impact on the safety of crypto users’ coins.
Case in point:
Wednesday, the head of security at ZenGo, a cryptocurrency wallet provider, tweeted out research showing that issues with QR codes generated by Coinbase.com’s app had resulted in some users sending funds to the contract address rather than to the intended wallet address within the app. This error effectively strands the funds, with no way to reverse the transaction.
The QR code issue ZenGo identified is based on a backward-compatibility issue between ERC-67 (the original QR URL format standard) and the newer EIP-681 standard. Coinbase uses EIP-681, creating compatibility issues between it and other wallets using the older standard.
“QR codes are a very problematic format for the cryptocurrency domain,” said Tal Be’ery, co-founder and security researcher at ZenGo. “As QR codes are not humanly readable, it’s hard for users to detect errors, introduced either by malice or by mistake. Due to the irreversibility of cryptocurrency, errors are usually fatal.”
That being said, QR codes can be more reliable and less prone to error overall than a human copying and pasting a wallet address.
This issue has affected some users within the last eight months and, according to Be’ery, has likely been around longer. It was publicly reported in December 2020 as well.
The EIP and ERC QR code standards
ZenGo discovered the issue as part of its quality assurance process. Be’ery said the team was testing the ZenGo QR decoding module by feeding it QR codes, generated by a variety of wallets, and noticed the ZenGo app does not handle Coinbase app QRs for ERC-20 tokens, such as tether or dai.
ERC-20 tokens can typically be used to represent objects, give voting rights, pay transaction fees, crowdfund and incorporate new features into a token. ERC-20 is currently the most popular ERC token standard on Ethereum.
Once QR codes are decoded according to the older QR code URL standard used by ZenGo, the URL appears in the address field below the QR code as, essentially, “ethereum:<address>” followed by some optional parameters.
In the newer format, supported by Coinbase’s app, the decoded URL appears below the QR code as “ERC-20 ethereum:<contract address>/transfer?address=<recipient address>”.
This means that if developers are not careful with their implementation, a decoder may simply take the first address in the URL as the recipient to send to and ignore all other parameters, according to Be’ery.
“When this ‘naive’ algorithm is applied on the newer format, it will cause the wallet user to erroneously send funds to the ERC-20 contract itself and not the intended recipient, resulting in money loss,” said Be’ery.
Be’ery tweeted out an example from Coinbase’s app, with the first address being the contract address rather than the wallet address.
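As an added illustration (not ZenGo’s or Coinbase’s code), the Python below contrasts the “first address wins” decoder Be’ery describes with one that parses both the ERC-67 form and the EIP-681 `/transfer` form, so the recipient is read from the `address` parameter rather than the contract. The addresses are constructed placeholders, and tolerating a human label such as “ERC-20 ” in front of the URL is an assumption about how some apps render the payload.

```python
"""Decode wallet QR payloads in the 'ethereum:' URL formats.

ERC-67 style:  ethereum:<recipient>?value=<wei>
EIP-681 style: ethereum:<contract>[@chainId]/transfer?address=<recipient>&uint256=<amount>
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs

ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")


@dataclass
class PaymentRequest:
    recipient: str                # where the funds must end up
    token: Optional[str] = None   # ERC-20 contract for a token transfer, None for ether
    amount: Optional[str] = None  # raw amount string from the URL, if any


def naive_decode(payload: str) -> str:
    """The flawed algorithm from the article: the first address in the QR wins."""
    match = ADDRESS_RE.search(payload)
    if match is None:
        raise ValueError("no address in QR payload")
    return match.group(0)


def decode_payment_request(payload: str) -> PaymentRequest:
    """Format-aware decoder: for /transfer the recipient is the 'address' parameter."""
    payload = payload.strip()
    if " " in payload:                       # assumption: optional label like "ERC-20 " before the URL
        payload = payload.rsplit(" ", 1)[1]
    scheme, sep, rest = payload.partition(":")
    if sep == "" or scheme.lower() != "ethereum":
        raise ValueError("unsupported scheme")
    rest, _, query = rest.partition("?")     # split off the parameter string first
    target, _, function = rest.partition("/")
    target = target.split("@", 1)[0]         # drop the optional EIP-681 chain id
    if not ADDRESS_RE.fullmatch(target):
        raise ValueError("malformed target address")
    params = {k: v[0] for k, v in parse_qs(query).items()}
    if function == "":                       # plain ether payment (ERC-67 / EIP-681 without a call)
        return PaymentRequest(recipient=target, amount=params.get("value"))
    if function == "transfer":               # ERC-20: target is the token contract, not the payee
        recipient = params.get("address")
        if recipient is None or not ADDRESS_RE.fullmatch(recipient):
            raise ValueError("ERC-20 transfer without a valid recipient address")
        return PaymentRequest(recipient=recipient, token=target, amount=params.get("uint256"))
    raise ValueError(f"unsupported function call: {function!r}")  # refuse rather than guess
```

Refusing unknown function calls instead of falling back to the target address is the defensive behaviour: an unrecognised payload should fail loudly in the app rather than produce an irreversible transfer to the wrong address.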