Background: I would like to post my OP link to reddit here but discourse wouldn’t let me do. Please refer to my profile page, and look for the PSA post from me at reddit, I am reddit user u/cyanlink.
TL;DR: MetaMask should display a warning dialog when user try to send ERC-20 token to a Contract Address directly, here is my proposal:
WARNING
The recipient address you typed in is a Contract address.
Typically, if you want to give asset to a contract, you should use the dApp of the contract, usually in the form of a website, then follow the instructions there. NOT transferring it here.
We do not know if the recipient contract can handle a direct token transfer like what you are trying to do, or not. Usually, if it is an DeFi contract, or a token contract, it does not have the ability.
If that’s the case and you proceed, ALL ASSET SENT will be PERMANENTLY LOST, there is NO WAY to RECOVER.
Are you sure you want to proceed?
- Cancel (In Big Red Button).
- I want to proceed anyway.
Option 1: It’s my smart wallet. Mark it as my smart wallet address. Proceed.
Option 2: I’m very sure this is what I want to do. Proceed.
Full article:
A man just lost 195 WETH, by sending it back to WETH contract address, thinking it would return him raw ETH. He was mislead by introductions on Binance Academy (see original post on r/ethereum). Three more victims showed up today, losing 0.1 0.05 0.03 WETH respectively, check WETH contract addresses’ own WETH holding.
Since ERC-20 standard does not provide a way to notify contracts when they receive token transfers, and it does not mandate the contract the ability to send tokens back out, people who bring the real world common sense may think it wrongly as “I sent it to the account get Wrapped token, now I send it back I should get raw token back”, result in permanent unrecoverable loss.
The behavior is undefined in ERC-20 standard, and the outcome of tokens locked up in a contract is something neither user nor the contract willing to see.
We do not know if a contract can handle incoming ERC-20 token transfers correctly (maybe provide lost & found functions, or the ERC-20 token forbids sending to itself), unless we adopt ERC-777 standard, where contract/external address can register a callback to handle it.
Vitalik pointed out that Smart, Self-Custodial Wallets are Smart Contracts too, so we cannot ban all transfers to Contract Address all together. I suggest MetaMask on all platforms show a warning as shown above when user try to send any ERC-20 token to a Contract Address.
It might be the last chance before unrecoverable loss happens, for many users to realize that it is not the correct operation to do what they want to achieve.