How Ethereum standards shape — and break — smart contract security.
Structured security research by BengalCatBalu that tracks how significant EIPs and ERCs have influenced smart contract development on Ethereum. Each standard is analyzed as a security object: what mechanism it introduces, what edge cases it creates, what implementation subtleties developers consistently miss, and what auditors should check.
Every EIP changes the rules. Some add new opcodes, some redefine gas economics, some introduce token interfaces that become the backbone of DeFi. Each change carries implicit assumptions — and when developers get those assumptions wrong, vulnerabilities follow.
This research catalogs those failure patterns. For each standard you'll find:
- Overview — what the EIP/ERC does and what mechanism it introduces
- Vulnerability Classes — named, categorized failure modes with abstract patterns (not retellings of specific findings)
- Heuristics — testable yes/no questions an auditor can run against any codebase
- Real examples — links to actual audit findings from Solodit that demonstrate each class
The primary goal is to give developers and auditors a mental model for how specific standards create attack surface. But the structured format and concise overviews of each standard also let you trace Ethereum's evolution as a whole — from Tangerine Whistle gas repricing to EIP-7702 EOA delegation.
This is not a generic Ethereum tutorial. It assumes the reader already understands Solidity, the EVM, and basic DeFi mechanics.
Since the focus is smart contract development on L1, this research does not cover EIPs related to Ethereum's push toward L2 scaling (rollup mechanics, blob transactions, cross-chain messaging protocols).
| Theme | Standards |
|---|---|
| Gas | EIP-150, EIP-1559, EIP-2929, EIP-7825 |
| Opcodes | EIP-214, EIP-1014, EIP-6780 |
| Transaction | EIP-155, EIP-7702 (WIP) |
| Theme | Standards |
|---|---|
| Token Standards | ERC-20, ERC-721, ERC-777, ERC-1155 |
| Proxy | ERC-1167, ERC-1822, ERC-1967, ERC-7201 |
| Signatures | ERC-712, ERC-1271, ERC-2612, ERC-2771 |
| DeFi | ERC-165, ERC-3156, ERC-4626 |
BengalCatBalu — Web3 security researcher focused on Ethereum smart contract auditing.
- Twitter/X: @BengalCatBalu
- GitHub: BengalCatBalu
If this research saved you time or helped you catch a bug — tips are welcome:
0x46F857459178B025F56feb416816000bd9CA926B (EVM)
Huge thanks to Cyfrin for the indirect but essential help in creating this work. Without Solodit and its open API, this research would have taken significantly longer. The ability to systematically search and cross-reference real audit findings across hundreds of protocols is what made it possible to identify recurring patterns rather than just catalog individual bugs.
Contributing:
If you've found a vulnerability pattern related to a covered EIP/ERC that isn't listed here — or if you think a heuristic could be sharper — open an issue or PR.
TBD:
Account Abstraction EIPs, ERC-2535
MIT