Non-Standard ERC-20 Behavior: The Phantom Deposit Bug Class That Auditors Keep Missing

Source: DEV Community
When we say "ERC-20 token," we assume a contract that behaves according to the EIP-20 specification. But assume is the operative word. In February 2026, a non-standard transferFrom implementation in the DGLD gold-backed token let attackers mint 100 million unbacked tokens on Base — against a legitimate circulating supply of just 70.8 tokens on that chain. The vulnerability wasn't in the bridge. It wasn't in the L2. It was in a transferFrom function that returned true without actually moving tokens. And it had passed two independent audits.

This article isn't about DGLD specifically — it's about the ERC-20 compliance gap that exists across thousands of deployed tokens, and the concrete audit techniques that catch it.

The ERC-20 Trust Contract

Every protocol that integrates external tokens makes implicit assumptions:

transferFrom(from, to, amount) returns true
→ "amount" tokens moved from "from" to "to"
→ balanceOf(from) decreased by amount
→ balanceOf(to) increased by amount

The EIP-20
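An added example, not code from the article or from the DGLD token, that makes the trust gap concrete: a constructed token whose transferFrom returns true without moving anything, a vault that credits the caller on the return value alone, and a hardened vault that credits only the balance change it can observe. All contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transferFrom(address, address, uint256) external returns (bool);
}

// Constructed test double: models the non-standard behaviour described above.
// transferFrom reports success but never touches any balance.
contract PhantomToken is IERC20 {
    mapping(address => uint256) public balanceOf;

    function transferFrom(address, address, uint256) external pure returns (bool) {
        return true; // lies: no balance change at all
    }
}

// Trusts the boolean: credits `amount` it never received (phantom deposit).
contract VulnerableVault {
    IERC20 public immutable token;
    mapping(address => uint256) public shares;

    constructor(IERC20 t) { token = t; }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        shares[msg.sender] += amount; // unbacked credit if the token lied
    }
}

// Credits only what the vault's own balance proves it received.
// Note: balance-delta accounting must also be protected against reentrancy,
// since a reentrant deposit could be counted twice; omitted here for brevity.
contract HardenedVault {
    IERC20 public immutable token;
    mapping(address => uint256) public shares;

    constructor(IERC20 t) { token = t; }

    function deposit(uint256 amount) external {
        uint256 before = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = token.balanceOf(address(this)) - before;
        // Strict check rejects a phantom transfer (received == 0) outright.
        // Crediting `received` instead of `amount` is the variant for fee-on-transfer tokens.
        require(received == amount, "received != amount");
        shares[msg.sender] += received;
    }
}
```

Against PhantomToken, VulnerableVault.deposit(1e18) succeeds and mints 1e18 unbacked shares, while HardenedVault.deposit(1e18) reverts because the observed delta is zero.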