Reversing NFTs and Token Trading on Ethereum: ERC-20R and ERC-721R Interpretation

Posted by Kaili Wang, Stanford University

The immutability of blockchain transactions is a double-edged sword.

BAYC Phishing, PolyNetwork Attack, Harmony Bridge, Ronin Stolen, $14 Billion in Cryptocurrency Stolen in 2021 alone. These and more are undeniable thefts, but there is no “reverse button” (such as a credit card payment reversal), and not everyone has Jump Crypto to bail them out when needed.

But what if there was a reversible coin?

This is the question several people at Stanford (Dan Boneh, Qinchen Wang, and Kaili Wang) have been trying to answer for the past few months. We designed optional token standards similar to ERC-20 and ERC-721 and supported reversal transactions (when there was enough evidence to justify doing so), wrote a paper on them, and implemented some prototypes . We refer to these token standards as ERC-20R and ERC-721R, respectively.


Now, you might be thinking: reversible tokens? Isn’t that defeating the purpose of blockchain? Actually, no. It’s not meant to replace ERC-20 tokens or make ethereum reversible – it just allows a short window of time after a transaction to see if it’s a theft, and if so, restore the transaction.

Note that transactions can only be frozen for a short period of time (eg 3 days) before they become irreversible. For most of its life cycle, ERC-20R funds are irreversible.

Exchange reversibility

On exchanges, the exchange between two reversible tokens is instant; if one party requests a freeze, funds can be withdrawn from the other party regardless of whether the revocable time period has elapsed. However, to protect themselves from reversals, swapping reversible tokens for non-reversible tokens may allow exchanges to complete the swap only after the reversible time window has passed. This means that a reversible→irreversible swap will be delayed until the funds are irreversible. Therefore, once a few major tokens become reversible, other tokens are also under enormous pressure to be reversible.

Depending on the implementation, assets whose reversible time period has elapsed can be liquidated immediately (e.g. liquidation of assets you received 3 days ago). In this case, there need not be a delay between your reversible tokens and your irreversible tokens.

Here’s how it works:


Process for cancelling a transaction

Suppose an attacker steals funds from a victim. Funds may be further transferred to other addresses, as shown in Figure 1 below. The following happens:

1. The victim requests to freeze the stolen funds. The victim issues a freeze request to the governance contract, along with relevant evidence and some pledge. Disputed transactions must be recent (with a fixed reversible time period).

2. The judge accepts or rejects the freezing request. Decentralized judges vote to decide whether to freeze assets. This review period will take a maximum of one or two days. If they deny the request, the process stops and the victim loses their stake. If they accept the request, then the governance contract will call the freezeERC-20R/ERC-721R contract.

3. Execute freeze. For NFTs, it just prevents the NFTs from being transferred. For ERC-20R, it will track stolen funds and prohibit the transfer of those funds. Note that the account owner can still trade with others as long as the account owner’s balance remains above the frozen amount. This process can get complicated, which I will explain in the next section.

4. Judgment. Both parties can then provide evidence to a decentralized collection of judges. The final judge makes a decision, at which point they instruct the governance contract to call the reverse or rejectReverse functions of the affected ERC-20R or ERC-721R contract. If rejectReverse is called, unfreeze the disputed asset. Trials can be long and can take weeks.

5. Reversal, if the judge accepts the victim’s complaint. The reverse function sends the frozen assets back to the victim.


Figure 1: Example diagram.

Track Stolen Funds

When stolen, assets are rarely just in one place. Attackers often transfer hot assets from one account to another. In this case, an attacker could even monitor the mempool and move assets into front-running transactions when they see a freeze request coming in. Our solution to avoid this is to do the entire freeze (and its computations) on-chain in a single transaction, so that an attacker cannot “preempt” the freeze.

But we can’t just disable all accounts that touch assets, so how do we decide what to freeze and who to freeze? If it’s an NFT, luckily freezing is pretty simple: just look at who currently owns the NFT, and freeze the account. However, the divisibility of currencies complicates freezing ERC-20s. The funds can be distributed among dozens of accounts, put into anonymous mixers like Tornado, or exchanged for another digital currency. If it goes through many accounts, at least some of them will be associated with hackers. But some are likely innocent, or merchants offering legitimate services in exchange for payment. It is not always possible to correctly identify the guilt of each account. Therefore, we provide a default freezing process for tracking and locking stolen funds. Our algorithm ensures:

1. Assuming no burn, enough assets will be frozen to cover the amount of theft. (subtract the burned assets from the amount returned),

2. Account funds will only be frozen if the theft has a direct transaction flow, and

3. Compared to the transaction graph, the algorithm runs with reasonable runtime complexity.

We discuss more details of the algorithm in the paper.

Decentralized judicial system

The more obscure part of this proposal involves a “decentralized number of judges.” Who are these judges? How do they vote? How are they rewarded?

These logistics are ultimately up to governance, i.e. who creates the ERC-20R/ERC-721R instance. In our paper, we explore how to deter judge dishonesty and bribery, reward mechanisms, and more. We emphasize that judges cannot add transactions or modify balance values ​​at will.

In the paper, we discuss more details, such as how to reduce the risk of judge dishonesty, the impact on exchanges and mixers, related work, and an in-depth explanation of the algorithm and implementation. If you are interested, please read the original text, the original address:

Posted by:CoinYuppie,Reprinted with attribution to:
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Like (0)
Donate Buy me a coffee Buy me a coffee
Previous 2022-09-26 10:32
Next 2022-09-26 10:34

Related articles