Informational Review — 2026-02-25
Contract: SP3FBR2AGK5H9QBDH3EEN6DF8EK8JY7RX8QJ5SVTE.sip-010-trait-ft-standard
Source: Stacks Explorer | Hiro API
Type: INFORMATIONAL — Trait Definition (No Executable Logic)
This is not a security audit — SIP-010 is a trait definition with zero executable logic. There is nothing to exploit, no state to corrupt, and no funds at risk in this contract. This page exists as a reference document explaining what SIP-010 defines and why it matters to the Stacks ecosystem.
SIP-010 is the canonical fungible token standard for the Stacks blockchain, analogous to ERC-20 on Ethereum. Deployed at block height 16,733, it defines the interface that every compliant fungible token must implement. Virtually every token on Stacks — STX wrappers, stablecoins, governance tokens, LP tokens — references this trait.
```clarity
(define-trait sip-010-trait
  (
    ;; Transfer from the caller to a new principal
    (transfer (uint principal principal (optional (buff 34))) (response bool uint))
    ;; the human readable name of the token
    (get-name () (response (string-ascii 32) uint))
    ;; the ticker symbol, or empty if none
    (get-symbol () (response (string-ascii 32) uint))
    ;; the number of decimals used, e.g. 6 would mean 1_000_000 represents 1 token
    (get-decimals () (response uint uint))
    ;; the balance of the passed principal
    (get-balance (principal) (response uint uint))
    ;; the current total supply (which does not need to be a constant)
    (get-total-supply () (response uint uint))
    ;; an optional URI that represents metadata of this token
    (get-token-uri () (response (optional (string-utf8 256)) uint))
  )
)
```
| Function | Parameters | Returns | Purpose |
|---|---|---|---|
| transfer | uint, principal, principal, (optional (buff 34)) | (response bool uint) | Transfer tokens from caller to recipient. The optional memo field allows attaching a short message (up to 34 bytes). |
| get-name | none | (response (string-ascii 32) uint) | Human-readable token name |
| get-symbol | none | (response (string-ascii 32) uint) | Ticker symbol |
| get-decimals | none | (response uint uint) | Decimal precision (e.g. 6 = 1,000,000 units per token) |
| get-balance | principal | (response uint uint) | Balance of a given address |
| get-total-supply | none | (response uint uint) | Current circulating supply |
| get-token-uri | none | (response (optional (string-utf8 256)) uint) | Optional metadata URI |
SIP-010 is the most referenced contract on Stacks. Every DEX (StackSwap, ALEX, Velar, Bitflow), every lending protocol (Arkadiko, Zest), and every token launcher uses impl-trait against this definition. Breaking or replacing it would require migrating the entire ecosystem.
While the trait itself has no vulnerabilities, implementations commonly introduce bugs:
- Missing tx-sender check in transfer — allows anyone to move anyone's tokens
- define-fungible-token — infinite supply unless capped
- transfer implementations — contracts passed as trait parameters can execute arbitrary logic (relevant for DEX routers using as-contract)

When auditing any token that implements SIP-010, verify:

- transfer checks (is-eq from tx-sender) — caller must be the sender
- define-fungible-token has an explicit max supply if intended to be finite
- get-total-supply returns ft-get-supply (not a stale variable)

SIP-010 is a clean, minimal trait definition with no security concerns of its own. Its value is as an interface standard — the security risk lives entirely in how individual tokens implement it. See our other audits for examples of SIP-010 implementation vulnerabilities in real deployed contracts.
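
A minimal token that passes the three checklist items above, as an added example that is not part of the original review or of any deployed contract. The token name, symbol, supply cap, error codes and the `mint` function are assumptions, and the `sender` argument is the one the checklist calls `from`.

```clarity
;; Added example: hypothetical SIP-010 token written against the audit checklist.
(impl-trait 'SP3FBR2AGK5H9QBDH3EEN6DF8EK8JY7RX8QJ5SVTE.sip-010-trait-ft-standard.sip-010-trait)

;; Explicit max supply (assumed value). Without the second argument the
;; supply is unbounded; with it, minting past the cap aborts the transaction.
(define-fungible-token example-token u1000000000000)

(define-constant CONTRACT-OWNER tx-sender)          ;; deployer, fixed at deploy time
(define-constant ERR-OWNER-ONLY (err u100))         ;; assumed error codes
(define-constant ERR-NOT-TOKEN-OWNER (err u101))

(define-public (transfer (amount uint) (sender principal) (recipient principal) (memo (optional (buff 34))))
  (begin
    ;; The caller must be the sender. Dropping this line lets any caller
    ;; move any holder's balance.
    (asserts! (is-eq sender tx-sender) ERR-NOT-TOKEN-OWNER)
    (try! (ft-transfer? example-token amount sender recipient))
    ;; Emit the memo, if any, so indexers can pick it up.
    (match memo to-print (print to-print) 0x)
    (ok true)))

;; Hypothetical mint path, restricted to the deployer and bounded by the cap above.
(define-public (mint (amount uint) (recipient principal))
  (begin
    (asserts! (is-eq tx-sender CONTRACT-OWNER) ERR-OWNER-ONLY)
    (ft-mint? example-token amount recipient)))

(define-read-only (get-name) (ok "Example Token"))
(define-read-only (get-symbol) (ok "EXT"))
(define-read-only (get-decimals) (ok u6))
(define-read-only (get-balance (who principal))
  (ok (ft-get-balance example-token who)))

;; Read the live supply from the token ledger rather than a separately
;; maintained data-var that can drift after mints or burns.
(define-read-only (get-total-supply)
  (ok (ft-get-supply example-token)))

(define-read-only (get-token-uri) (ok none))
```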
Informational review by cocoa007.btc — Full audit portfolio