wOPEN

The WOpen token is an implementation of a wrapped token with deposit and withdraw capabilities. It is designed to securely handle Ether deposits and withdrawals while mitigating vulnerabilities such as the WETH permit attack.

Key Features

  • Deposit and Withdraw: Users can deposit Ether to mint WOpen tokens and withdraw Ether by burning WOpen tokens.

  • Security Enhancements: The contract includes a receive function to handle Ether transfers securely, avoiding fallback-based vulnerabilities.

  • Compatibility: Built on Solidity version 0.6.12 for enhanced security and compatibility.

  • Standard Compliance: Fully ERC20 compliant with a 1:1 peg to the native Open token.

Changes from Previous Implementations

Previous Implementation

  • Solidity Version: >=0.4.22 <0.6

  • Fallback Function:

    function() external payable {
    deposit();
}

    • This fallback function was used to handle Ether transfers.

    • Vulnerable to WETH permit-style exploits due to reliance on fallback behavior.

Current Implementation

  • Solidity Version: 0.6.12

  • Receive Function:

    /**
 * @notice Function to receive Ether. msg.data must be empty.
 * @dev Fallbacks are avoided to reduce attack surface and prevent WETH permit-style exploits.
 */
receive() external payable {
     deposit();
}

    • The receive function explicitly handles Ether transfers when msg.data is empty.

    • Reduces the attack surface and mitigates vulnerabilities associated with fallback functions.

Forked Base Contract

The WOpen contract is forked from the Base Network's WETH implementation. The primary enhancement is the addition of the receive function to improve security.

Test Scenarios

1. BaseWETH Vulnerability to WETH Permit Attack

  • Objective: Demonstrate that the original BaseWETH contract is vulnerable to a WETH permit attack.

  • Test:

    • Deploy BaseWETH and ERC20Bank.

    • Use depositWithPermit to exploit the vulnerability.

    • Verify that the attacker can drain the user's balance.

2. WOpen Resilience to WETH Permit Attack

  • Objective: Verify that WOpen is not vulnerable to a WETH permit attack.

  • Test:

    • Deploy WOpen and ERC20Bank.

    • Attempt to exploit depositWithPermit.

    • Verify that the transaction reverts and the user's balance remains intact.

3. Withdraw Functionality for WOpen

  • Objective: Verify that users can withdraw Ether by burning WOpen tokens.

  • Test:

    • Deposit Ether to mint WOpen tokens.

    • Withdraw Ether and verify that the user's balance is updated correctly.

4. Reentrancy Prevention in WOpen

  • Objective: Ensure that WOpen is not vulnerable to reentrancy attacks.

  • Test:

    • Deploy a reentrancy attacker contract.

    • Attempt to exploit the withdraw function.

    • Verify that the transaction reverts and the user's balance remains intact.

Running and Testing Flow

1. Compile

Run the following command to compile the smart contracts:

npx hardhat compile

2. Deploy

Use the appropriate deployment script to deploy the WOpen contract. For example:

npx hardhat deploy ignition/modules/deployWOPEN.js --network <network-name>

Replace <network-name> with the desired network (e.g., hardhat, sepolia, mainnet).

3. Test

Run the following command to execute the tests for WOpen:

npm run test:WOpen

This will run the test files test/testWOPEN.js and test/testAttackWOPEN.js.

Note: There is no NatSpec documentation added to the contract. This decision was made to align with the format followed by other blockchain implementations.

Security Contact

For any security concerns or vulnerabilities, please contact: security@openledger.xyz

References

  1. ERC20 Exploit with WETH

  2. WETH Permit Exploit Implementation

  3. Solidity by Example - WETH Permit Vulnerability

Note: This documentation is maintained as part of the Open Ledger project. Last updated: June 2025

Last updated