Incompatible with nonstandard ERC-20 tokens

The codebase is designed to work exclusively with standard-compliant ERC-20 tokens. Integrating tokens with nonstandard behaviors can lead to functional issues and increased risk. The following token characteristics are particularly problematic.

Missing return value. Some widely used tokens (such as USDT on Ethereum) do not return a boolean value for transfer or transferFrom calls as specified by the ERC-20 standard. Since the codebase explicitly checks for a true return value, these tokens will not function as intended and may cause transaction failures.

Fee on transfer. Certain tokens implement transfer fees that deduct a portion of the transacted amount. Such behavior disrupts internal balance accounting and can break core protocol invariants.

Reentrancy via callbacks. Tokens with callback hooks (e.g., ERC-777 tokens) can trigger external calls during transfers, increasing the attack surface. The current codebase is not designed to safely support such reentrant behaviors.

Given these incompatibilities, we recommend that only well-audited, standard ERC-20 tokens are whitelisted. Tokens with any of the features described above should be excluded to ensure protocol safety and correct operation.
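A sketch of how the recommendation can be enforced on-chain, as an added example that is not code from the assessed project: the contract `GuardedDeposit` and all of its members are hypothetical names. It assumes a deposit-style entry point and combines an allowlist with runtime checks for each of the three behaviors described above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Hypothetical deposit guard (illustrative only, not the audited code).
contract GuardedDeposit {
    address public immutable owner;
    mapping(address => bool) public allowedToken;                    // vetted standard ERC-20s only
    mapping(address => mapping(address => uint256)) public credited; // token => user => amount
    bool private locked;

    error TokenNotAllowed();
    error TransferReturnedFalse();
    error UnexpectedAmountReceived(uint256 expected, uint256 received);
    error Reentered();

    constructor() { owner = msg.sender; }

    function setAllowed(address token, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowedToken[token] = ok;
    }

    function deposit(IERC20 token, uint256 amount) external {
        if (locked) revert Reentered(); // a transfer hook calling back in (ERC-777 style) stops here
        locked = true;
        if (!allowedToken[address(token)]) revert TokenNotAllowed();

        uint256 balanceBefore = token.balanceOf(address(this));
        // Strict return check: a token that returns no data (USDT-style) makes the
        // ABI decoder revert on this call, so such a token must never be allowlisted.
        if (!token.transferFrom(msg.sender, address(this), amount)) revert TransferReturnedFalse();
        uint256 received = token.balanceOf(address(this)) - balanceBefore;

        // A fee-on-transfer token delivers less than `amount`; refuse instead of mis-crediting.
        if (received != amount) revert UnexpectedAmountReceived(amount, received);

        credited[address(token)][msg.sender] += amount;
        locked = false;
    }
}
```

The balance-delta check only catches a fee that is active at the time of the call, so it complements the allowlist review and does not replace it.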

Zellic © 2025