
Token Loss

What it detects

This detector identifies smart contract operations that can lead to the permanent loss of tokens due to unintended or misconfigured logic. Common issues include:

  • Sending tokens to address(0) or other inaccessible addresses
  • Using incorrectly specified burn mechanics
  • Executing transfers or burns based on unvalidated or user-controlled inputs
  • Failing to implement withdrawal or recovery functions for stuck assets

Once tokens reach an address from which no one can move them, they are effectively burned. Note that a plain ERC20 transfer to address(0) does not decrement totalSupply: it either reverts (OpenZeppelin's ERC20 rejects the zero address as recipient) or simply credits address(0)'s balance, so the circulating supply shrinks while on-chain accounting still reports the old total. Either way the tokens are gone, and any protocol logic that depends on them (collateral ratios, vote weight, liquidity) is left inconsistent.

The detector looks for:

  • Transfers to hardcoded or user-supplied recipients without validation
  • Use of address(0) as recipient, or of address(this) in a contract that has no withdrawal path
  • Implicit or accidental burn operations, including transfers whose return value is never checked
  • Token mechanics that simulate burns by locking tokens in unreachable locations

Typical symptoms

  • Tokens sent to the zero address or other inaccessible addresses
  • Unexpected token supply reduction
  • Burn functions callable by unauthorized users
  • Users unable to retrieve mistakenly sent tokens
  • Loss of protocol funds due to logic flaws in token management

Solidity snippet (v0.8.25)

    pragma solidity ^0.8.25;

    interface IERC20 {
        function transfer(address recipient, uint256 amount) external returns (bool);
    }

    contract LostTokens {
        // Anyone can call this, and 'token' is taken from the caller unchecked,
        // so any caller can move this contract's balance of any token.
        // The transfer goes to address(0): depending on the token it either
        // reverts (OpenZeppelin-style ERC20) or strands the tokens forever.
        // The boolean return value is ignored, so a token that returns false
        // instead of reverting fails silently.
        function burn(address token, uint256 amount) external {
            IERC20(token).transfer(address(0), amount);
        }
    }

Safer Alternative

    // Validates inputs, checks the return value and records the burn.
    // Prefer the token's own burn function (e.g. ERC20Burnable.burn) where
    // one exists: it updates totalSupply, whereas a transfer to address(0)
    // does not, and reverts outright on OpenZeppelin-based tokens.
    // Restrict the caller (e.g. an owner or role check) in real deployments.
    event Burned(address indexed token, address indexed caller, uint256 amount);

    function safeBurn(address token, uint256 amount) external {
        require(token != address(0), "Invalid token address");
        require(amount > 0, "Burn amount must be positive");

        bool success = IERC20(token).transfer(address(0), amount);
        require(success, "Transfer failed");
        emit Burned(token, msg.sender, amount);
    }
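The following contract is an added example, not code from the original page or from the detector's authors. It puts the two remedies the page asks for side by side: an explicit burn that goes through the token's own burn function instead of a transfer to address(0), and a recovery function for tokens sent to the contract by mistake. The contract name, the error and event names, the owner-based access control and the IERC20Burnable interface are assumptions made for this example; IERC20Burnable mirrors the burn(uint256) signature exposed by OpenZeppelin's ERC20Burnable, and the example assumes the target token actually implements it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.25;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address recipient, uint256 amount) external returns (bool);
}

// Assumption: the token exposes burn(uint256) as OpenZeppelin's ERC20Burnable does.
// If it does not, the external call reverts and no tokens move.
interface IERC20Burnable is IERC20 {
    function burn(uint256 amount) external;
}

// Hypothetical custodian contract used to illustrate the safe patterns.
contract TokenCustodian {
    address public immutable owner;

    event Burned(address indexed token, uint256 amount);
    event Rescued(address indexed token, address indexed to, uint256 amount);

    error NotOwner();
    error ZeroAddress();
    error ZeroAmount();
    error SelfRecipient();
    error TransferFailed();
    error InsufficientBalance(uint256 requested, uint256 available);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Explicit burn: reduces the token's totalSupply through the token's own
    // burn path. A transfer to address(0) would revert on OpenZeppelin-style
    // tokens and, on tokens that accept it, strand the amount without
    // touching totalSupply.
    function burn(address token, uint256 amount) external onlyOwner {
        if (token == address(0)) revert ZeroAddress();
        if (amount == 0) revert ZeroAmount();
        uint256 available = IERC20(token).balanceOf(address(this));
        if (amount > available) revert InsufficientBalance(amount, available);

        IERC20Burnable(token).burn(amount);
        emit Burned(token, amount);
    }

    // Recovery path for tokens sent to this contract by mistake. The two
    // recipients that would lose the tokens again are rejected: the zero
    // address and this contract itself.
    function rescueTokens(address token, address to, uint256 amount) external onlyOwner {
        if (token == address(0) || to == address(0)) revert ZeroAddress();
        if (to == address(this)) revert SelfRecipient();
        if (amount == 0) revert ZeroAmount();
        uint256 available = IERC20(token).balanceOf(address(this));
        if (amount > available) revert InsufficientBalance(amount, available);

        // Check the return value: some tokens return false instead of reverting.
        bool ok = IERC20(token).transfer(to, amount);
        if (!ok) revert TransferFailed();
        emit Rescued(token, to, amount);
    }
}
```

Two caveats when adapting this. Tokens whose transfer returns no value at all (several older deployments do this) will revert on the return-value decode here; OpenZeppelin's SafeERC20 handles both conventions and is the usual choice in production. And the balance check only protects this contract's own holdings: it does not make the recipient address correct, so the owner key that calls rescueTokens is still the last line of defence against a typo in `to`.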

Why it matters on EVM

In the Ethereum Virtual Machine, token transfers are final: there is no undo. Sending tokens to the wrong address results in permanent and irreversible loss unless the token contract itself rejects the transfer (OpenZeppelin's ERC20 reverts on a transfer to address(0), which is why address(0) is commonly used as a "burn" destination only through dedicated burn functions); nothing at the EVM level will return them.

Unintentional token loss can:

  • Reduce circulating supply unexpectedly, while totalSupply may still report the old figure, disrupting tokenomics
  • Lock user or protocol funds in unrecoverable addresses
  • Undermine trust in the safety and professionalism of the smart contract
  • Lead to governance or liquidity imbalances in DeFi platforms

Smart contracts must validate token operations carefully, avoid relying on user-supplied addresses without checks, and provide fallback or withdrawal mechanisms wherever possible.