Skills › Blockchain & Web3 › Smart contracts
token-integration-analyzer
Token integration and implementation analyzer based on Trail of Bits' token integration checklist. Analyzes token implementations for ERC20/ERC721 conformity, checks for 20+ weird token patterns, assesses contract composition and owner privileges, performs on-chain scarcity analysis, and evaluates how protocols handle non-standard tokens. Context-aware for both token implementations and token integrations.
The full skill
—
name: token-integration-analyzer
description: Token integration and implementation analyzer based on Trail of Bits' token integration checklist. Analyzes token implementations for ERC20/ERC721 conformity, checks for 20+ weird token patterns, assesses contract composition and owner privileges, performs on-chain scarcity analysis, and evaluates how protocols handle non-standard tokens. Context-aware for both token implementations and token integrations.
—
# Token Integration Analyzer
## Purpose
Systematically analyzes the codebase for token-related security concerns using Trail of Bits' token integration checklist:
1. **Token Implementations**: Analyze if your token follows ERC20/ERC721 standards or has non-standard behavior
2. **Token Integrations**: Analyze how your protocol handles arbitrary tokens, including weird/non-standard tokens
3. **On-chain Analysis**: Query deployed contracts for scarcity, distribution, and configuration
4. **Security Assessment**: Identify risks from 20+ known weird token patterns
**Framework**: Building Secure Contracts – Token Integration Checklist + Weird ERC20 Database
—
## How This Works
### Phase 1: Context Discovery
Determines analysis context:
– **Token implementation**: Are you building a token contract?
– **Token integration**: Does your protocol interact with external tokens?
– **Platform**: Ethereum, other EVM chains, or different platform?
– **Token types**: ERC20, ERC721, or both?
### Phase 2: Slither Analysis (if Solidity)
For Solidity projects, I'll help run:
– `slither-check-erc` – ERC conformity checks
– `slither –print human-summary` – Complexity and upgrade analysis
– `slither –print contract-summary` – Function analysis
– `slither-prop` – Property generation for testing
### Phase 3: Code Analysis
Analyzes:
– Contract composition and complexity
– Owner privileges and centralization risks
– ERC20/ERC721 conformity
– Known weird token patterns
– Integration safety patterns
### Phase 4: On-chain Analysis (if deployed)
If you provide a contract address, I'll query:
– Token scarcity and distribution
– Total supply and holder concentration
– Exchange listings
– On-chain configuration
### Phase 5: Risk Assessment
Provides:
– Identified vulnerabilities
– Non-standard behaviors
– Integration risks
– Prioritized recommendations
—
## Assessment Categories
I check 10 comprehensive categories covering all aspects of token security. For detailed criteria, patterns, and checklists, see [ASSESSMENT_CATEGORIES.md](resources/ASSESSMENT_CATEGORIES.md).
### Quick Reference:
1. **General Considerations** – Security reviews, team transparency, security contacts
2. **Contract Composition** – Complexity analysis, SafeMath usage, function count, entry points
3. **Owner Privileges** – Upgradeability, minting, pausability, blacklisting, team accountability
4. **ERC20 Conformity** – Return values, metadata, decimals, race conditions, Slither checks
5. **ERC20 Extension Risks** – External calls/hooks, transfer fees, rebasing/yield-bearing tokens
6. **Token Scarcity Analysis** – Supply distribution, holder concentration, exchange distribution, flash loan/mint risks
7. **Weird ERC20 Patterns** (24 patterns including):
– Reentrant calls (ERC777 hooks)
– Missing return values (USDT, BNB, OMG)
– Fee on transfer (STA, PAXG)
– Balance modifications outside transfers (Ampleforth, Compound)
– Upgradable tokens (USDC, USDT)
– Flash mintable (DAI)
– Blocklists (USDC, USDT)
– Pausable tokens (BNB, ZIL)
– Approval race protections (USDT, KNC)
– Revert on approval/transfer to zero address
– Revert on zero value approvals/transfers
– Multiple token addresses
– Low decimals (USDC: 6, Gemini: 2)
– High decimals (YAM-V2: 24)
– transferFrom with src == msg.sender
– Non-string metadata (MKR)
– No revert on failure (ZRX, EURS)
– Revert on large approvals (UNI, COMP)
– Code injection via token name
– Unusual permit function (DAI, RAI, GLM)
– Transfer less than amount (cUSDCv3)
– ERC-20 native currency representation (Celo, Polygon, zkSync)
– [And more…](resources/ASSESSMENT_CATEGORIES.md#7-weird-erc20-patterns)
8. **Token Integration Safety** – Safe transfer patterns, balance verification, allowlists, wrappers, defensive patterns
9. **ERC721 Conformity** – Transfer to 0x0, safeTransferFrom, metadata, ownerOf, approval clearing, token ID immutability
10. **ERC721 Common Risks** – onERC721Received reentrancy, safe minting, burning approval clearing
—
## Example Output
When analysis is complete, you'll receive a comprehensive report structured as follows:
“`
=== TOKEN INTEGRATION ANALYSIS REPORT ===
Project: MultiToken DEX
Token Analyzed: Custom Reward Token + Integration Safety
Platform: Solidity 0.8.20
Analysis Date: March 15, 2024
—
## EXECUTIVE SUMMARY
Token Type: ERC20 Implementation + Protocol Integrating External Tokens
Overall Risk Level: MEDIUM
Critical Issues: 2
High Issues: 3
Medium Issues: 4
**Top Concerns:**
⚠ Fee-on-transfer tokens not handled correctly
⚠ No validation for missing return values (USDT compatibility)
⚠ Owner can mint unlimited tokens without cap
**Recommendation:** Address critical/high issues before mainnet launch.
—
## 1. GENERAL CONSIDERATIONS
✓ Contract audited by CertiK (June 2023)
✓ Team contactable via [email protected]
✗ No security mailing list for critical announcements
**Risk:** Users won't be notified of critical issues
**Action:** Set up [email protected] mailing list
—
## 2. CONTRACT COMPOSITION
### Complexity Analysis
**Slither human-summary Results:**
– 456 lines of code
– Cyclomatic complexity: Average 6, Max 14 (transferWithFee())
– 12 functions, 8 state variables
– Inheritance depth: 3 (moderate)
✓ Contract complexity is reasonable
⚠ transferWithFee() complexity high (14) – consider splitting
### SafeMath Usage
✓ Using Solidity 0.8.20 (built-in overflow protection)
✓ No unchecked blocks found
✓ All arithmetic operations protected
### Non-Token Functions
**Functions Beyond ERC20:**
– setFeeCollector() – Admin function ✓
– setTransferFee() – Admin function ✓
– withdrawFees() – Admin function ✓
– pause()/unpause() – Emergency functions ✓
⚠ 4 non-token functions (acceptable but adds complexity)
### Address Entry Points
✓ Single contract address
✓ No proxy with multiple entry points
✓ No token migration creating address confusion
**Status:** PASS
—
## 3. OWNER PRIVILEGES
### Upgradeability
⚠ Contract uses TransparentUpgradeableProxy
**Risk:** Owner can change contract logic at any time
**Current Implementation:**
– ProxyAdmin: 0x1234… (2/3 multisig) ✓
– Timelock: None ✗
**Recommendation:** Add 48-hour timelock to all upgrades
### Minting Capabilities
❌ CRITICAL: Unlimited minting
File: contracts/RewardToken.sol:89
“`solidity
function mint(address to, uint256 amount) external onlyOwner {
_mint(to, amount); // No cap!
}
“`
**Risk:** Owner can inflate supply arbitrarily
**Fix:** Add maximum supply cap or rate-limited minting
### Pausability
✓ Pausable pattern implemented (OpenZeppelin)
✓ Only owner can pause
⚠ Paused state affects all transfers (including existing holders)
**Risk:** Owner can trap all user funds
**Mitigation:** Use multi-sig for pause function (already implemented ✓)
### Blacklisting
✗ No blacklist functionality
**Assessment:** Good – no centralized censorship risk
### Team Transparency
✓ Team members public (team.md)
✓ Company registered in Switzerland
✓ Accountable and contactable
**Status:** ACCEPTABLE
—
## 4. ERC20 CONFORMITY
### Slither-check-erc Results
Command: slither-check-erc . RewardToken –erc erc20
✓ transfer returns bool
✓ transferFrom returns bool
✓ name, decimals, symbol present
✓ decimals returns uint8 (value: 18)
✓ Race condition mitigated (increaseAllowance/decreaseAllowance)
**Status:** FULLY COMPLIANT
### slither-prop Test Results
Command: slither-prop . –contract RewardToken
**Generated 12 properties, all passed:**
✓ Transfer doesn't change total supply
✓ Allowance correctly updates
✓ Balance updates match transfer amounts
✓ No balance manipulation possible
[… 8 more properties …]
**Echidna fuzzing:** 50,000 runs, no violations ✓
**Status:** EXCELLENT
—
## 5. WEIRD TOKEN PATTERN ANALYSIS
### Integration Safety Check
**Your Protocol Integrates 5 External Tokens:**
1. USDT (0xdac17f9…)
2. USDC (0xa0b86991…)
3. DAI (0x6b175474…)
4. WETH (0xc02aaa39…)
5. UNI (0x1f9840a8…)
### Critical Issues Found
❌ **Pattern 7.2: Missing Return Values**
**Found in:** USDT integration
File: contracts/Vault.sol:156
“`solidity
IERC20(usdt).transferFrom(msg.sender, address(this), amount);
// No return value check! USDT doesn't return bool
“`
**Risk:** Silent failures on USDT transfers
**Exploit:** User appears to deposit, but no tokens moved
**Fix:** Use OpenZeppelin SafeERC20 wrapper
—
❌ **Pattern 7.3: Fee on Transfer**
**Risk for:** Any token with transfer fees
File: contracts/Vault.sol:170
“`solidity
uint256 balanceBefore = IERC20(token).balanceOf(address(this));
token.transferFrom(msg.sender, address(this), amount);
shares = amount * exchangeRate; // WRONG! Should use actual received amount
“`
**Risk:** Accounting mismatch if token takes fees
**Exploit:** User credited more shares than tokens deposited
**Fix:** Calculate shares from `balanceAfter – balanceBefore`
—
### Known Non-Standard Token Handling
✓ **USDC:** Properly handled (SafeERC20, 6 decimals accounted for)
⚠ **DAI:** permit() function not used (opportunity for gas savings)
✗ **USDT:** Missing return value not handled (CRITICAL)
✓ **WETH:** Standard wrapper, properly handled
⚠ **UNI:** Large approval handling not checked (reverts >= 2^96)
—
[… Additional sections for remaining analysis categories …]
“`
For complete report template and deliverables format, see [REPORT_TEMPLATES.md](resources/REPORT_TEMPLATES.md).
—
## Rationalizations (Do Not Skip)
| Rationalization | Why It's Wrong | Required Action |
|—————–|—————-|—————–|
| "Token looks standard, ERC20 checks pass" | 20+ weird token patterns exist beyond ERC20 compliance | Check ALL weird token patterns from database (missing return, revert on zero, hooks, etc.) |
| "Slither shows no issues, integration is safe" | Slither detects some patterns, misses integration logic | Complete manual analysis of all 5 token integration criteria |
| "No fee-on-transfer detected, skip that check" | Fee-on-transfer can be owner-controlled or conditional | Test all transfer scenarios, check for conditional fee logic |
| "Balance checks exist, handling is safe" | Balance checks alone don't protect against all weird tokens | Verify safe transfer wrappers, revert handling, approval patterns |
| "Token is deployed by reputable team, assume standard" | Reputation doesn't guarantee standard behavior | Analyze actual code and on-chain behavior, don't trust assumptions |
| "Integration uses OpenZeppelin, must be safe" | OpenZeppelin libraries don't protect against weird external tokens | Verify defensive patterns around all external token calls |
| "Can't run Slither, skipping automated analysis" | Slither provides critical ERC conformance checks | Manually verify all slither-check-erc criteria or document why blocked |
| "This pattern seems fine" | Intuition misses subtle token integration bugs | Systematically check all 20+ weird token patterns with code evidence |
—
## Deliverables
When analysis is complete, I'll provide:
1. **Compliance Checklist** – Checkboxes for all assessment categories
2. **Weird Token Pattern Analysis** – Presence/absence of all 24 patterns with risk levels and evidence
3. **On-chain Analysis Report** (if applicable) – Holder distribution, exchange listings, configuration
4. **Integration Safety Assessment** (if applicable) – Safe transfer usage, defensive patterns, weird token handling
5. **Prioritized Recommendations** – CRITICAL/HIGH/MEDIUM/LOW issues with specific fixes
Complete deliverable templates available in [REPORT_TEMPLATES.md](resources/REPORT_TEMPLATES.md).
—
## Ready to Begin
**What I'll need**:
– Your codebase
– Context: Token implementation or integration?
– Token type: ERC20, ERC721, or both?
– Contract address (if deployed and want on-chain analysis)
– RPC endpoint (if querying on-chain)
Let's analyze your token implementation or integration for security risks!