code-423n4 / org

Code4rena Governance and Discussion

ERC Compliance Absurdity #154

Open Haxatron opened 8 months ago

Haxatron commented 8 months ago

There has been a worrying trend where ERC compliance issues with absolutely ZERO impact get automatically accepted by judges as Medium just because it does not implement the "MUST" definition stated in the EIP.

To demonstrate how absurd this rule is, let me refer you to EIP-1155. According to EIP-1155,

https://eips.ethereum.org/EIPS/eip-1155

safeTransferFrom

  • MUST revert if _to is the zero address.

safeBatchTransferFrom

  • MUST revert if _to is the zero address.

Therefore, if we go by the above rule, if I find a contract that claims to be ERC-1155 compliant and does not perform zero address checks in either safeTransferFrom or safeBatchTransferFrom, according to the logic above, I claim it must get accepted as a valid Medium because it "does not conform to the EIP spec".

This is ridiculous, and I propose that judges should do their due diligence in assessing whether non-compliance will really result in potentially breaking any integrators and whether it warrants a Medium severity, instead of following the rule "not implementing the 'MUST' definition stated in the EIP" => Medium severity.
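The clause Haxatron quotes is easy to see in code. The following is an added illustration, not code from this thread, from Code4rena, or from any audited project: a stripped-down safeTransferFrom without the zero-address revert next to one that has it, plus a small probe contract that checks the MUST clause by calling safeTransferFrom with _to = address(0) and amount 0 (so no balance is needed) and reporting whether the call reverted. Contract names, the probe's name and the balance setup are all constructed for the example; receiver hooks, approvals and events are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example: minimal single-transfer path of an ERC-1155-like token.
// Everything except the zero-address clause is simplified on purpose.

interface IMinimal1155 {
    function safeTransferFrom(address from, address to, uint256 id, uint256 amount, bytes calldata data) external;
}

// Does NOT implement "MUST revert if _to is the zero address":
// a transfer to address(0) succeeds and the tokens are silently burned.
contract NonCompliant1155 is IMinimal1155 {
    mapping(uint256 => mapping(address => uint256)) public balanceOf;

    constructor() {
        balanceOf[1][msg.sender] = 100; // constructed initial balance for the deployer
    }

    function safeTransferFrom(address from, address to, uint256 id, uint256 amount, bytes calldata) external override {
        require(from == msg.sender, "not owner");
        balanceOf[id][from] -= amount; // checked arithmetic in 0.8 reverts on underflow
        balanceOf[id][to] += amount;   // to == address(0) is accepted here
    }
}

// Same logic with the EIP-1155 zero-address requirement in place.
contract Compliant1155 is IMinimal1155 {
    mapping(uint256 => mapping(address => uint256)) public balanceOf;

    constructor() {
        balanceOf[1][msg.sender] = 100; // constructed initial balance for the deployer
    }

    function safeTransferFrom(address from, address to, uint256 id, uint256 amount, bytes calldata) external override {
        require(to != address(0), "ERC1155: transfer to the zero address");
        require(from == msg.sender, "not owner");
        balanceOf[id][from] -= amount;
        balanceOf[id][to] += amount;
    }
}

// Probe for the MUST clause: call safeTransferFrom(_to = address(0), amount = 0)
// from this contract and report whether the token reverted. A zero amount means
// the probe needs no balance; only the address check can cause the revert.
contract ZeroAddressProbe {
    function revertsOnZeroAddress(address token) external returns (bool) {
        (bool ok, ) = token.call(
            abi.encodeWithSelector(
                IMinimal1155.safeTransferFrom.selector,
                address(this), // from: the probe itself, so the "not owner" check passes
                address(0),    // to: the zero address the spec says MUST revert
                uint256(1),
                uint256(0),
                bytes("")
            )
        );
        return !ok; // true  => compliant for this clause (NonCompliant1155 returns false)
    }
}
```

Running the probe against NonCompliant1155 returns false and against Compliant1155 returns true, which is exactly the "MUST" deviation the thread is arguing about: the difference is detectable, but whether it harms any integrator is a separate question the probe cannot answer.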

McCoady commented 8 months ago

Agree that ERC non-conformity findings should have to be paired with a suitable impact on how any non-compliance would lead to issues.

There's a clear incentive misalignment currently. The sponsors put forward large sums of money for wardens to find impactful vulnerabilities in their code, however in reality wardens stand to gain significantly more by spending hours ensuring the code meets every "MUST" in the EIP spec than they do finding high severity issues.

This results in a tragedy of the commons situation where all the wardens have to spend time doing this (time that would otherwise be spent looking for high impact bugs), or risk a handful of wardens profiting from it alone.

ryanjshaw commented 8 months ago

Contribute a rule in 4naly3er and these findings automatically become out of scope. You don't get rewarded for your effort, though.

Bot races should also pick this up, unfortunately the current incentive structure makes this process slow because: