Approve Once, Regret Forever: On the Exploitation of Ethereum's Approve-TransferFrom Ecosystem

Nicola Ruaro, Fabio Gritti, Dongyu Meng, and Robert McLaughlin, University of California, Santa Barbara; Ilya Grishchenko, University of Toronto; Christopher Kruegel and Giovanni Vigna, University of California, Santa Barbara

Smart contracts are immutable programs hosted on the blockchain that power decentralized applications. With the growth of decentralized finance (DeFi), many services interact with contracts that must be trusted to manage digital assets. To this end, several Ethereum standards (e.g., ERC20, ERC721) introduced an approval mechanism that allows decentralized applications to trade digital assets (or "tokens") on behalf of others. After receiving an approval, the (approved) application can invoke the token's transferFrom function to trade the approved tokens. Unfortunately, approved applications often contain vulnerabilities. If an attacker maliciously controls the parameters of a transferFrom call, they can steal not only the application's assets but also the assets of any user who previously approved the application. We refer to this widespread issue as Approved Controllable TransferFrom (ACT), which has already led to losses exceeding 65 million USD.

We present Osprey, an end-to-end system that detects ACT vulnerabilities and automatically generates proof-of-concept attacks. Our evaluation across the entire Ethereum ecosystem identified 32,582 potentially vulnerable contracts, with 410 confirmed exploitable at the time of writing. Our findings reveal previously unknown attack vectors threatening digital assets worth over 3.4 million USD.
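To make the ACT pattern concrete, here is an added example (not code from the paper or from Osprey) with hypothetical contract names: a deposit helper that lets the caller choose the `from` argument of transferFrom, beside a hardened version that only ever spends the caller's own allowance.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface needed for the example.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical deposit helper that users approve to move their tokens.
// VULNERABLE (ACT): `from` is supplied by the caller, so any caller can
// spend the allowance of any account that previously approved this contract.
contract VaultVulnerable {
    mapping(address => uint256) public balances;

    function depositFor(IERC20 token, address from, uint256 amount) external {
        // `from` is attacker-controllable; the tokens leave `from`'s wallet...
        require(token.transferFrom(from, address(this), amount), "transfer failed");
        // ...but the deposit is credited to whoever called the function.
        balances[msg.sender] += amount;
    }
}

// HARDENED: the allowance spent is always msg.sender's own, and the
// recipient is fixed, so a prior approval can only be exercised by the approver.
contract VaultHardened {
    mapping(address => uint256) public balances;

    function deposit(IERC20 token, uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[msg.sender] += amount;
    }
}
```

The review question to ask of any approved contract is whether the `from` (and `to`) arguments of every transferFrom it issues can be influenced by an untrusted caller, directly or through stored state.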

Category: Short Presentation


BibTeX
@inproceedings {309604,
author = {Nicola Ruaro and Fabio Gritti and Dongyu Meng and Robert McLaughlin and Ilya Grishchenko and Christopher Kruegel and Giovanni Vigna},
title = {Approve Once, Regret Forever: On the Exploitation of Ethereum{\textquoteright}s {Approve-TransferFrom} Ecosystem},
booktitle = {34th USENIX Security Symposium (USENIX Security 25)},
year = {2025},
isbn = {978-1-939133-52-6},
address = {Seattle, WA},
pages = {1281--1298},
url = {https://www.usenix.org/conference/usenixsecurity25/presentation/ruaro},
publisher = {USENIX Association},
month = aug
}