Token Integration Analyzer

Token Integration Analyzer

Purpose

Systematically analyzes the codebase for token-related security concerns using Trail of Bits' token integration checklist:

• **Token Implementations**: Analyze if your token follows ERC20/ERC721 standards or has non-standard behavior
• **Token Integrations**: Analyze how your protocol handles arbitrary tokens, including weird/non-standard tokens
• **On-chain Analysis**: Query deployed contracts for scarcity, distribution, and configuration
• **Security Assessment**: Identify risks from 20+ known weird token patterns

**Framework**: Building Secure Contracts - Token Integration Checklist + Weird ERC20 Database

---

How This Works

Phase 1: Context Discovery

Determines analysis context:

• **Token implementation**: Are you building a token contract?
• **Token integration**: Does your protocol interact with external tokens?
• **Platform**: Ethereum, other EVM chains, or different platform?
• **Token types**: ERC20, ERC721, or both?

Phase 2: Slither Analysis (if Solidity)

For Solidity projects, I'll help run:

• `slither-check-erc` - ERC conformity checks
• `slither --print human-summary` - Complexity and upgrade analysis
• `slither --print contract-summary` - Function analysis
• `slither-prop` - Property generation for testing

Phase 3: Code Analysis

Analyzes:

• Contract composition and complexity
• Owner privileges and centralization risks
• ERC20/ERC721 conformity
• Known weird token patterns
• Integration safety patterns

Phase 4: On-chain Analysis (if deployed)

If you provide a contract address, I'll query:

• Token scarcity and distribution
• Total supply and holder concentration
• Exchange listings
• On-chain configuration

Phase 5: Risk Assessment

Provides:

• Identified vulnerabilities
• Non-standard behaviors
• Integration risks
• Prioritized recommendations

---

Assessment Categories

I check 10 comprehensive categories covering all aspects of token security. For detailed criteria, patterns, and checklists, see [ASSESSMENT_CATEGORIES.md](resources/ASSESSMENT_CATEGORIES.md).

Quick Reference:

• **General Considerations** - Security reviews, team transparency, security contacts
• **Contract Composition** - Complexity analysis, SafeMath usage, function count, entry points
• **Owner Privileges** - Upgradeability, minting, pausability, blacklisting, team accountability
• **ERC20 Conformity** - Return values, metadata, decimals, race conditions, Slither checks
• **ERC20 Extension Risks** - External calls/hooks, transfer fees, rebasing/yield-bearing tokens
• **Token Scarcity Analysis** - Supply distribution, holder concentration, exchange distribution, flash loan/mint risks
• **Weird ERC20 Patterns** (24 patterns including):
• Reentrant calls (ERC777 hooks)
• Missing return values (USDT, BNB, OMG)
• Fee on transfer (STA, PAXG)
• Balance modifications outside transfers (Ampleforth, Compound)
• Upgradable tokens (USDC, USDT)
• Flash mintable (DAI)
• Blocklists (USDC, USDT)
• Pausable tokens (BNB, ZIL)
• Approval race protections (USDT, KNC)
• Revert on approval/transfer to zero address
• Revert on zero value approvals/transfers
• Multiple token addresses
• Low decimals (USDC: 6, Gemini: 2)
• High decimals (YAM-V2: 24)
• transferFrom with src == msg.sender
• Non-string metadata (MKR)
• No revert on failure (ZRX, EURS)
• Revert on large approvals (UNI, COMP)
• Code injection via token name
• Unusual permit function (DAI, RAI, GLM)

<!-- truncated -->