Coinbase and ZenGo Spar Over QR Code Standards That Could Strand ERC-20 Tokens

Users who must use QR codes should verify transaction details before finally confirming the transaction to save themselves money and headaches.

AccessTimeIconMar 25, 2021 at 1:42 p.m. UTC
Updated Aug 19, 2021 at 8:20 a.m. UTC

Presented By Icon

Election 2024 coverage presented by

Stand with crypto

Small problems, compounded by a lack of developer coordination, can have a huge impact on the safety of crypto users’ coins. 

Case in point:

  • Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
    13:18
    Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
  • Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
    05:10
    Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
  • The first video of the year 2024
    04:07
    The first video of the year 2024
  • The last regression video of the year 3.67.0
    40:07
    The last regression video of the year 3.67.0
  • Wednesday, the head of security at ZenGo, a cryptocurrency wallet provider, tweeted out research showing that issues with QR codes generated by Coinbase.com's app had resulted in some users sending funds to the contract address rather than to the intended wallet address within the app. This error effectively strands the funds, with no way to reverse the transaction. 

    The QR code issue ZenGo identified is based on a backward-compatibility issue between ERC-67 (the original QR URL format standard) and the newer EIP-681 standard. Coinbase uses EIP-681, creating compatibility issues between it and other wallets using the older standard.

    “QR codes are a very problematic format for the cryptocurrency domain,” said Tal Be'ery, co-founder and security researcher at ZenGo. “As QR codes are not humanly readable, it’s hard for users to detect errors, introduced either by malice or by mistake. Due to the irreversibility of cryptocurrency, errors are usually fatal.”

    That being said, QR codes can be more reliable and less prone to error overall than a human copying and pasting a wallet address. 

    This issue has affected some users within the last eight months and, according to Be’ery has likely been around longer. It was publicly reported in December 2020 as well. 

    The EIP and ERC QR code standards

    ZenGo discovered the issue as part of its quality assurance process. Be’ery said the team was testing the ZenGo QR decoding module by feeding it QR codes, generated by a variety of wallets, and noticed the ZenGo app does not handle Coinbase app QRs for ERC-20 tokens, such as tether or dai.

    ERC-20 tokens can typically be used to represent objects, give voting rights, pay transaction fees, crowdfund and incorporate new features into a token. ERC-20 is currently the most popular ERC token standard on Ethereum. 

    Once QR codes are decoded according to the older QR code URL standard used by ZenGo, the URL appears in the address field below the QR code as, essentially, “ethereum:<address>” followed by some optional parameters.

    In the newer format, supported by Coinbase's app, the decoded URL appears below the QR code as “ERC-20 ethereum:<contract address>/transfer?address=<recipient address>“. 

    This means that if developers are not careful with their implementation, an algorithm may decide to just take the first parameter as the relevant address to send to and ignore all others, according to Be’ery. 

    “When this ‘naive’ algorithm is applied on the newer format, it will cause the wallet user to erroneously send funds to the ERC-20 contract itself and not the intended recipient, resulting in money loss,” said Be’ery. 

    Be'ery tweeted out an example from Coinbase's app, with the first address being the contract address rather than the wallet address.

    The EIP-681 standard documentation acknowledges this problem, essentially stating that it’s backwards compatible for ETH but not ERC-20 payments. 

    'A terrible standard'

    Coinbase did not supply a requested comment by press time but Pete Kim, head of engineering for the Coinbase Wallet replied to Be’ery’s tweet. 

    Be’ery said while Coinbase is not “wrong” because it is following some standard, the team at ZenGo believes it’s a classic case of "It’s better to be smart than to be right."

    “When implementing a cross-wallet functionality such as QR codes that can be created by one wallet and consumed by another it’s better to use a ‘lowest common denominator’ attitude,” said Be’ery.

    “Specifically, ZenGo creates QR codes which encode the address in a raw format (Trust wallet does it, too) that just specifies the address and nothing else. It’s basic and therefore leaves less room for mistakes and incompatibilities.” 

    Kim later corrected himself, noting that the new standard was being used on Coinbase's retail app, or their exchange app, rather than Coinbase Wallet, which is a noncustodial wallet app.

    Kim went on to say this was a bug in ZenGo for not supporting the EIP-681 standard, noting that other wallets like Trust, Exodus, Crypto.com and Metamask all support EIP-681 correctly.

    Choosing the right address

    In the meantime, as a general rule, Be’ery said users who must use QR codes should verify transaction details before finally confirming the transaction. For example, searching an address on Etherscan will tell you whether the address is a contract address or a wallet address. Unfortunately checking which standards your preferred wallet supports is quite difficult.

    All this may seem arduous for newcomers to the space who are unfamiliar with the contours of crypto, and it can be. However, it's something that may save them quite a bit of money and headaches in the long run. 

    “That’s why in ZenGo we augment our QR codes with some visual indicators on the coin/token type and also the address itself for easy comparison and verification,” Be'ery said.

    "The most important thing with QR code reading is not getting confused by the different formats and standards, and it's better to fail in case of an unsupported format (as we do) and not try to 'guess' and put our customers' funds at risk. We may decide in future to support this format too, and then we will pick the 'right' address, so no funds [will be lost]."

    Correction: Thursday, March 3, 2021, 16:00 UTC: The original version of this article stated that the issue was with the Coinbase Wallet. It has been amended to state that the problem is with wallet addresses within the Coinbase.com app.

    Additional comments from Pete Kim of Coinbase Wallet have been added.

    Disclosure

    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information have been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of the Bullish group, which owns and invests in digital asset businesses and digital assets. CoinDesk employees, including journalists, may receive Bullish group equity-based compensation. Bullish was incubated by technology investor Block.one.


    Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.