Small problems, compounded by a lack of developer coordination, can have a huge impact on the safety of crypto users’ coins.
Case in point:
Wednesday, the head of security at ZenGo, a cryptocurrency wallet provider, tweeted out research showing that issues with QR codes generated by Coinbase.com's app had resulted in some users sending funds to the contract address rather than to the intended wallet address within the app. This error effectively strands the funds, with no way to reverse the transaction.
“QR codes are a very problematic format for the cryptocurrency domain,” said Tal Be'ery, co-founder and security researcher at ZenGo. “As QR codes are not humanly readable, it’s hard for users to detect errors, introduced either by malice or by mistake. Due to the irreversibility of cryptocurrency, errors are usually fatal.”
That being said, QR codes can be more reliable and less prone to error overall than a human copying and pasting a wallet address.
The EIP and ERC QR code standards
ZenGo discovered the issue as part of its quality assurance process. Be’ery said the team was testing the ZenGo QR decoding module by feeding it QR codes generated by a variety of wallets, and noticed that the ZenGo app does not handle Coinbase app QRs for ERC-20 tokens, such as tether or dai.
ERC-20 tokens can typically be used to represent objects, give voting rights, pay transaction fees, crowdfund and incorporate new features into a token. ERC-20 is currently the most popular ERC token standard on Ethereum.
Once QR codes are decoded according to the older QR code URL standard used by ZenGo, the URL appears in the address field below the QR code as, essentially, “ethereum:<address>” followed by some optional parameters.
In the newer format, supported by Coinbase's app, the decoded URL appears below the QR code as “ERC-20 ethereum:<contract address>/transfer?address=<recipient address>”.
This means that if developers are not careful with their implementation, an algorithm may decide to just take the first parameter as the relevant address to send to and ignore all others, according to Be’ery.
“When this ‘naive’ algorithm is applied on the newer format, it will cause the wallet user to erroneously send funds to the ERC-20 contract itself and not the intended recipient, resulting in money loss,” said Be’ery.
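The two parsing strategies described above, as an added example that is not code from ZenGo, Coinbase or the article: a naive decoder that grabs the first address-looking token, beside a decoder that understands the legacy `ethereum:<address>` form and the `/transfer?address=` form separately and refuses anything it does not recognise. The addresses and payloads are constructed placeholders; the field names `address`, `uint256`, `value` and the optional `pay-` and `@<chain_id>` parts follow the EIP-681 grammar.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs

ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed sample values (not real contract or wallet addresses).
CONTRACT = "0x" + "ab" * 20   # stands in for an ERC-20 token contract
RECIPIENT = "0x" + "cd" * 20  # the wallet the user actually wants to pay

# Legacy-style request: the target address IS the recipient (ETH payment).
LEGACY_QR = f"ethereum:{RECIPIENT}?value=1000000000000000000"
# EIP-681-style token request: the target is the token contract and the
# real recipient is carried in the 'address' parameter of transfer().
TOKEN_QR = f"ethereum:{CONTRACT}/transfer?address={RECIPIENT}&uint256=1000000"


class UnsupportedFormat(ValueError):
    """Raised when a payload is not explicitly understood; callers should fail closed."""


@dataclass(frozen=True)
class PaymentRequest:
    asset: str                  # "ETH" or "ERC20"
    to: str                     # address the funds must reach
    contract: Optional[str]     # token contract for ERC20, None for ETH
    amount: Optional[str]       # raw amount string from the URI, if any


def naive_destination(uri: str) -> str:
    """The 'naive' algorithm from the article: take the first address after the scheme
    and ignore everything else. Correct for the legacy form, wrong for token requests."""
    body = uri.split(":", 1)[1]
    return re.findall(r"0x[0-9a-fA-F]{40}", body)[0]


def parse_payment_request(uri: str) -> PaymentRequest:
    """Decode ethereum:[pay-]<target>[@chain][/<function>][?params] and return
    the address the user intends to pay, or raise UnsupportedFormat."""
    scheme, sep, rest = uri.partition(":")
    if scheme != "ethereum" or not sep:
        raise UnsupportedFormat("not an ethereum: URI")
    if rest.startswith("pay-"):          # optional prefix allowed by EIP-681
        rest = rest[len("pay-"):]
    path, _, query = rest.partition("?")
    target, slash, function_name = path.partition("/")
    target, _, _chain_id = target.partition("@")
    # Fail closed on anything that is not a plain hex address (e.g. ENS names).
    if not ADDR_RE.match(target):
        raise UnsupportedFormat("target is not a 20-byte hex address")
    params = parse_qs(query, keep_blank_values=True)

    if not slash:
        # No function call: the target itself is the recipient of an ETH transfer.
        return PaymentRequest("ETH", target, None, params.get("value", [None])[0])

    if function_name == "transfer":
        # Token transfer: the target is the CONTRACT; the recipient is a parameter.
        recipient = params.get("address", [None])[0]
        if recipient is None or not ADDR_RE.match(recipient):
            raise UnsupportedFormat("transfer request lacks a valid 'address' parameter")
        return PaymentRequest("ERC20", recipient, target, params.get("uint256", [None])[0])

    # Any other function (approve, custom calls, ...) is not a payment we understand.
    raise UnsupportedFormat(f"function {function_name!r} not supported")


if __name__ == "__main__":
    for label, qr in (("legacy", LEGACY_QR), ("token", TOKEN_QR)):
        print(f"{label}: naive -> {naive_destination(qr)}")
        req = parse_payment_request(qr)
        print(f"{label}: strict -> {req.asset} to {req.to} (contract={req.contract})")
```

Running it shows the failure mode the article describes: on the token request the naive decoder returns the contract address, while the strict decoder returns the recipient and records the contract separately. Anything outside the two recognised shapes raises `UnsupportedFormat`, which is the "fail rather than guess" behaviour Be'ery argues for.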
Be'ery tweeted out an example from Coinbase's app, with the first address being the contract address rather than the wallet address.
The EIP-681 standard documentation acknowledges this problem, essentially stating that it’s backwards compatible for ETH but not ERC-20 payments.
'A terrible standard'
Coinbase did not supply a requested comment by press time, but Pete Kim, head of engineering for Coinbase Wallet, replied to Be’ery’s tweet.
Be’ery said while Coinbase is not “wrong” because it is following some standard, the team at ZenGo believes it’s a classic case of "It’s better to be smart than to be right."
“When implementing a cross-wallet functionality such as QR codes that can be created by one wallet and consumed by another it’s better to use a ‘lowest common denominator’ attitude,” said Be’ery.
“Specifically, ZenGo creates QR codes which encode the address in a raw format (Trust wallet does it, too) that just specifies the address and nothing else. It’s basic and therefore leaves less room for mistakes and incompatibilities.”
Kim later corrected himself, noting that the new standard was being used in Coinbase's retail (exchange) app rather than in Coinbase Wallet, which is a noncustodial wallet app.
Kim went on to say this was a bug in ZenGo for not supporting the EIP-681 standard, noting that other wallets like Trust, Exodus, Crypto.com and Metamask all support EIP-681 correctly.
Choosing the right address
In the meantime, as a general rule, Be’ery said users who must use QR codes should verify transaction details before finally confirming the transaction. For example, searching an address on Etherscan will tell you whether the address is a contract address or a wallet address. Unfortunately, checking which standards your preferred wallet supports is quite difficult.
All this may seem arduous for newcomers to the space who are unfamiliar with the contours of crypto, and it can be. However, it's something that may save them quite a bit of money and headaches in the long run.
“That’s why in ZenGo we augment our QR codes with some visual indicators on the coin/token type and also the address itself for easy comparison and verification,” Be'ery said.
"The most important thing with QR code reading is not getting confused by the different formats and standards, and it's better to fail in case of an unsupported format (as we do) and not try to 'guess' and put our customers' funds at risk. We may decide in future to support this format too, and then we will pick the 'right' address, so no funds [will be lost]."
Correction: Thursday, March 3, 2021, 16:00 UTC: The original version of this article stated that the issue was with the Coinbase Wallet. It has been amended to state that the problem is with wallet addresses within the Coinbase.com app.
Additional comments from Pete Kim of Coinbase Wallet have been added.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.