ERC-777 — Token w/ Hooks

Back to Token Standards

ERC-777: Token Standard With Hooks

ERC-777 was an attempt to fix ERC-20's biggest ergonomics issue — tokens sent to a contract that wasn't expecting them get stuck. It adds tokensReceived and tokensToSend hooks, registered via the ERC-1820 registry, plus an operator model decoupled from amount-based allowances.

The Catch

ERC-777 introduced a serious re-entrancy footgun: the recipient's tokensReceived hook runs during the transfer, before balance updates are finalized in some implementations. imBTC and Lendf.Me both lost ~$25M each in April 2020 to re-entrancy attacks via ERC-777 hooks. Most projects today avoid ERC-777 for this reason.

Neo Equivalent: NEP-17 + NEP-27 (Designed Right)

NEP-17's standard transfer is the ERC-777 equivalent — without the hazard. The recipient callback onNEP17Payment(from, amount, data) fires after the sender balance is debited and the recipient balance is credited. Re-entry into the token contract during the callback cannot double-spend because state is already final.

Live on Neo TestNet

Both implementations are deployed on Neo N3 TestNet (network magic 894710606).

Implementation	Contract Hash	Deploy Tx
Solidity (neo-solc)	0xd0f1fb49a76b1e6aaf63cf2e2e132607950e5e7d	0x3b71ed0a…fb3fe
Neo C# (nccs)	0x0d64d453a705033c2698de7a4de9e5fd934b2849	0x2072ca9f…25da73

Cross-implementation invocations match on symbol, decimals, balanceOf / getOwner. Source pairs under docs/standards-mirror/deployments/erc-777/.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC1820Registry {
    function getInterfaceImplementer(address account, bytes32 interfaceHash)
        external view returns (address);
}

interface IERC777Recipient {
    function tokensReceived(
        address operator, address from, address to, uint256 amount,
        bytes calldata userData, bytes calldata operatorData
    ) external;
}

contract ERC777 {
    IERC1820Registry private constant REGISTRY =
        IERC1820Registry(0x1820a4B7618BdE71Dce8cdc73aAB6C95905faD24);
    bytes32 private constant TOKENS_RECIPIENT_HASH =
        keccak256("ERC777TokensRecipient");

    mapping(address => uint256) public balanceOf;

    event Sent(address indexed operator, address indexed from, address indexed to,
               uint256 amount, bytes data, bytes operatorData);

    function send(address to, uint256 amount, bytes calldata data) external {
        _send(msg.sender, msg.sender, to, amount, data, "");
    }

    function _send(
        address operator, address from, address to,
        uint256 amount, bytes memory data, bytes memory operatorData
    ) internal {
        require(balanceOf[from] >= amount, "insufficient");
        balanceOf[from] -= amount;
        balanceOf[to]   += amount;

        // Re-entrancy hazard if the implementation reorders these
        address recipient = REGISTRY.getInterfaceImplementer(to, TOKENS_RECIPIENT_HASH);
        if (recipient != address(0)) {
            IERC777Recipient(recipient).tokensReceived(
                operator, from, to, amount, data, operatorData
            );
        }
        emit Sent(operator, from, to, amount, data, operatorData);
    }
}

using System;
using System.ComponentModel;
using System.Numerics;
using Neo;
using Neo.SmartContract.Framework;
using Neo.SmartContract.Framework.Attributes;
using Neo.SmartContract.Framework.Native;
using Neo.SmartContract.Framework.Services;

namespace R3E.Examples;

[DisplayName("HookedToken")]
[ContractPermission("*", "*")]
[SupportedStandards(NepStandard.Nep17)]
public class HookedToken : SmartContract
{
    private const byte Prefix_Balance = 0x01;

    [DisplayName("Transfer")]
    public static event Action<UInt160, UInt160, BigInteger> OnTransfer;

    public static bool Transfer(UInt160 from, UInt160 to, BigInteger amount, object data)
    {
        if (!from.IsValid || !to.IsValid) throw new Exception("invalid address");
        if (amount < 0)                   throw new Exception("amount < 0");
        if (!Runtime.CheckWitness(from))  throw new Exception("no authorization");

        // Step 1-3: state updates FIRST
        var fromBal = BalanceOf(from);
        if (fromBal < amount) return false;
        UpdateBalance(from, fromBal - amount);
        UpdateBalance(to,   BalanceOf(to) + amount);
        OnTransfer(from, to, amount);

        // Step 4: notify recipient AFTER state is finalized — safe from re-entry
        if (ContractManagement.GetContract(to) != null)
            Contract.Call(to, "onNEP17Payment", CallFlags.All,
                new object[] { from, amount, data });
        return true;
    }

    public static BigInteger BalanceOf(UInt160 account)
    {
        var key = new byte[] { Prefix_Balance }.Concat(account);
        return (BigInteger)(Storage.Get(Storage.CurrentContext, key) ?? ByteString.Empty);
    }

    private static void UpdateBalance(UInt160 account, BigInteger value)
    {
        var key = new byte[] { Prefix_Balance }.Concat(account);
        if (value == 0) Storage.Delete(Storage.CurrentContext, key);
        else            Storage.Put(Storage.CurrentContext, key, value);
    }
}

[DisplayName("PaymentReceiver")]
[SupportedStandards(NepStandard.Nep27)]
public class PaymentReceiver : SmartContract
{
    public static void OnNEP17Payment(UInt160 from, BigInteger amount, object data)
    {
        // Token contract finalized the transfer before this call.
        // Re-entering Transfer cannot affect balance state.
        // Safe to record receipt, mint shares, etc.
    }
}