DeFi: your tokens aren’t in your wallet

Crypto, and DeFi in particular, can be technically very complex, and the general audience often overlooks the importance of understanding the technical implementation.

In colloquial language, people often say something like "I've got 10 USDT in my wallet" or "my wallet has 1M Shibu Dogs". It sounds normal and reassuring; we all have experience of having money in our pocket. As usual, it's not that simple once you look into the details.

Without a fundamental understanding of where tokens are actually stored, there is an increased risk of losing money. It's DeFi 101.


Note: the information in this article is primarily applicable to the EVM blockchains (Ethereum, Avalanche, Polygon, Gnosis, Fantom, etc.). In this case, MetaMask is likely to be used for interaction with the Dapps.


One might remember that when MetaMask starts for the first time, or when new tokens are received, the wallet interface doesn't display all the expected tokens. Obviously, many people freak out that their money got nicked. With a quick search it's easy to find out what's happening.

That's one of the implications of how ERC20 tokens work. Tokens aren't sitting in your MetaMask or Brave wallet. Even more, they're not lodged in your key or anywhere on your computer or mobile phone. The wallets don't "own" the tokens per se. The way it works is inside out: it's not that your wallet stores the ERC20 tokens, but that the ERC20 tokens keep your balance. These tokens aren't made of copper; they're actually programs (smart contracts) written in the Solidity language.

The way it works is inside out:
Your wallet doesn't own the ERC20 tokens, but ERC20 tokens keep and manage your balance.

Every interaction (get balance, transfer, etc.) with an ERC20 token is a call to the program, such as USDT or BAL. To display the balance of the token, MetaMask calls the token smart contract, asking "what's the balance of the wallet 0xabcdYOURWALLET".

Let that sink in. ERC20 tokens are balance-manipulating programs.

What are the implications of the ERC20 design?

There are lots of things to consider, starting from usability (hello, token autodetection!) all the way to the broad opportunities for scams. These ERC20 token contracts are just programs, written by humans. Literally anyone (that's the point of a permissionless blockchain!) can code a token that exhibits specific behaviour.

People are very different, and not all of them play fair.

Some common scams:

  • Scammers create tokens with existing names (WETH, USDC, etc.) and trick users into adding them to the wallet. Then they steal money by asking the user to add a liquidity pair (fakeUSDC and USDT) to the DEX. As soon as that happens, the liquidity pair gets drained and all the USDT goes to the attacker's wallet.
    Why? Because they can print as many tokens as they want - it's their smart contract.

  • Scammers can literally decrease (or increase!) the amount of tokens in your wallet, because the tokens aren't in your wallet. In the same way as they control supply/demand, token owners can control a wallet's balance.
    Why? Because the balance displayed is the result of a function invocation, and that could be anything.

  • Another very common type of scam is preventing token transfers. That creates an artificial "hockey stick" on the price chart. The very same technique is used by Circle (the USDC issuer) to block/sanction wallets known for wrongdoing. /Yay, your money can be frozen by government request on the permissionless blockchain, how cool is that?! Exactly like in your bank but on the blockchain./
    Why? Because the transfer function is controlled by the contract, therefore it can filter.

  • Since tokens aren't sitting in your wallet, you can't send them to the DEX. Instead, you authorise the DEX or any other protocol to take tokens on your behalf and do something with them. When the approval is requested, you say "Token ERC20 contract, I allow contract X to take money from me". What's the risk? The third-party contract X can do whatever they want, whenever they want, without your interaction. That's how most rug pulls work.
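
The balance query and the approval described above, as an added example that is not part of the original article: it builds the read-only `eth_call` requests a wallet sends to a token contract and decodes the reply, using the standard ERC20 selectors for `balanceOf` and `allowance`. The addresses are constructed placeholders, and treating only the maximum uint256 value as an unlimited approval is an assumption of this sketch.

```python
# Standard ERC20 selectors: first 4 bytes of keccak256 of the function signature.
SEL_BALANCE_OF = "70a08231"   # balanceOf(address)
SEL_ALLOWANCE = "dd62ed3e"    # allowance(address,address)
MAX_UINT256 = 2**256 - 1      # value commonly used for "unlimited" approvals

# Constructed placeholder addresses, not real contracts or wallets.
TOKEN = "0x" + "11" * 20
HOLDER = "0x" + "ab" * 20
SPENDER = "0x" + "cd" * 20


def _word(address: str) -> str:
    """ABI-encode a 20-byte address as a left-padded 32-byte hex word."""
    raw = address[2:] if address.startswith("0x") else address
    raw = raw.lower()
    if len(raw) != 40 or any(c not in "0123456789abcdef" for c in raw):
        raise ValueError(f"not a 20-byte hex address: {address!r}")
    return raw.rjust(64, "0")


def _eth_call(token: str, data: str) -> dict:
    """Read-only JSON-RPC call: the question goes to the token contract."""
    _word(token)  # validate the contract address
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": token, "data": "0x" + data}, "latest"]}


def balance_of_call(token: str, holder: str) -> dict:
    """What a wallet sends to display a balance; nothing is read locally."""
    return _eth_call(token, SEL_BALANCE_OF + _word(holder))


def allowance_call(token: str, owner: str, spender: str) -> dict:
    """Ask the token how much `spender` may take from `owner`."""
    return _eth_call(token, SEL_ALLOWANCE + _word(owner) + _word(spender))


def decode_uint256(result_hex: str) -> int:
    """Decode the single 32-byte word both functions return."""
    raw = result_hex[2:] if result_hex.startswith("0x") else result_hex
    if len(raw) != 64:
        raise ValueError("expected exactly one 32-byte word")
    return int(raw, 16)


def allowance_risk(amount: int) -> str:
    """Classify an approval so standing unlimited grants stand out."""
    if amount == 0:
        return "none"
    return "unlimited" if amount == MAX_UINT256 else "limited"
```

The decoded balance is whatever number the contract's code chooses to return, and an "unlimited" result from `allowance_risk` marks an approval worth revoking once it is no longer needed.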

Why is ERC20 so badly designed?

Ethereum was the first general-purpose blockchain for Dapps and honestly I think they did well. For MEV I work with lots of protocols and I'm still impressed by how well the Ethereum team designed this most fundamental building block of the DeFi lego. It seems like they cover 95% of the functionality required for everyday operations with tokens. So I'd rather disagree with the haters on the Internet.

Could it be better? Totally. The community is offering different solutions to address the existing pain points, for example EIP-777.

Stay safe in the wild DeFi jungle.