ERC-20 was proposed by Fabian Vogelsteller (with Vitalik Buterin) in November 2015 to solve a very practical problem: at the time, every Ethereum token had its own function names, so a DEX had to write a new integration for every token it listed. ERC-20 unified the interface, specifying six functions every token must implement (totalSupply, balanceOf, allowance, approve, transfer, transferFrom) plus two events (Transfer, Approval). The most important are transfer (you send directly to someone) and the approve + transferFrom pair (you authorize a smart contract to move tokens on your behalf, the pattern almost all of DeFi is built on). It was this unified interface that let Uniswap support any ERC-20 token on its first day without bespoke deals. That composability is the foundational layer on which Ethereum DeFi could explode. Without ERC-20, Uniswap, Aave, and Compound couldn't exist in their current form: they all assume the underlying token exposes this standard interface.
The relationship between ERC-20 and ERC-3643 can be understood as ERC-3643 adding "a gate" on top of ERC-20. ERC-20's transfer function lets any address send to any other address by default; ERC-3643 (the T-REX standard) keeps the ERC-20 interface but adds checks before the transfer executes: is the recipient in the token's on-chain identity registry (i.e. has it passed KYC), is either wallet frozen, and does the token's compliance contract allow this transfer? If any check fails, the transfer reverts. ERC-3643 also adds freeze (block an account, or a portion of its balance) and forcedTransfer (move tokens without the holder's consent, for compliance enforcement), both restricted to the issuer's agent role and with no ERC-20 equivalent. The cost: ERC-3643 tokens can't trade on permissionless DEXs like Uniswap, because a Uniswap pool contract is just another address, and one that is not in the identity registry, so any transfer into the pool reverts. You need to operate in permissioned DeFi pools whose contracts and participants are all whitelisted. This is a trade-off between regulatory compliance and DeFi composability that can't be fully eliminated.
For RWA investors, the most important practical implication of ERC-20 is: can this RWA token plug into mainstream DeFi protocols? PAXG (tokenized gold) is a plain ERC-20, so it can be bought and sold on Uniswap, posted as collateral on Aave to borrow USDC, and deposited into liquidity pools. Ondo's OUSG (tokenized Treasury exposure) is a permissioned token: its transfer function consults Ondo's KYC allowlist, the same gating pattern ERC-3643 standardizes, so it can't be listed on Uniswap; it can only move between allowlisted addresses or be used in Flux Finance (Ondo's permissioned lending market). When you evaluate an RWA token's "DeFi integration potential," first check how transfers are gated, and don't rely on marketing copy: read the token contract, or simply look at whether transfers to arbitrary addresses revert. Pure ERC-20 = maximum DeFi compatibility, but no compliance controls; ERC-3643 or an equivalent allowlisted token = compliance-friendly, but DeFi use cases are constrained to venues the issuer has whitelisted. The choice of standard directly determines the token's freedom within the on-chain ecosystem.
ERC-20 has a well-known design flaw at the technical level: the approve + transferFrom flow is vulnerable to a front-running race. approve overwrites the allowance unconditionally, so the moment you change an approval from an old amount to a new one, a spender watching the mempool can insert a transferFrom for the old amount before your new approval is mined, then spend the new amount as well: old plus new, more than you ever intended to authorize at once. The standard mitigation is to set the allowance to zero first and confirm that transaction was mined (and that nothing was spent) before setting the new amount; OpenZeppelin's non-standard increaseAllowance/decreaseAllowance helpers adjust relative to the allowance at mining time, so a front-run spend makes the decrease revert instead of silently re-arming the spender. EIP-2612 (permit) removes the separate approval transaction entirely: the approval is a signed message that the spending contract consumes in the same transaction as the transferFrom, so there is no window between the two. The more important practical tip: never give unlimited approval (approve MAX) to an untrusted contract. Many phishing attacks lure you into exactly this so they can drain your tokens at any time, and an unlimited allowance persists until you revoke it. Tools like Revoke.cash let you view and revoke past approvals; RWA investors plugging into any DeFi protocol should habitually clean up approvals they no longer use.
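The mechanics of the two previous paragraphs, the ERC-3643 gate (registry check, freeze, forcedTransfer) and the approve + transferFrom race with its decreaseAllowance mitigation, as a Python model added here for this page. It is not code from the page, from ERC-20/ERC-3643, or from any token project: it simulates the contracts' state transitions offline, treating "revert" as a RuntimeError. Addresses such as alice, bob, carol, issuer and uniswap_pool are placeholders, and PermissionedToken is an approximation of T-REX behaviour (recipient must be verified, frozen wallets can't move, forcedTransfer bypasses freezes and allowances but still requires a verified recipient), not the reference implementation.

```python
"""Toy model of ERC-20 and ERC-3643-style token semantics (constructed example,
not on-chain Solidity). Addresses are plain strings; a revert is a RuntimeError."""


class ERC20:
    """Minimal ERC-20 ledger: balances plus per-(owner, spender) allowances."""

    def __init__(self, supply: int, minter: str) -> None:
        self.balances = {minter: supply}
        self.allowances = {}  # (owner, spender) -> remaining allowance

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowances.get((owner, spender), 0)

    def _move(self, src: str, dst: str, amount: int) -> None:
        if self.balance_of(src) < amount:
            raise RuntimeError("revert: insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount

    def transfer(self, sender: str, to: str, amount: int) -> None:
        self._move(sender, to, amount)

    def approve(self, owner: str, spender: str, amount: int) -> None:
        # Standard approve overwrites unconditionally; that is what the race exploits.
        self.allowances[(owner, spender)] = amount

    def decrease_allowance(self, owner: str, spender: str, subtracted: int) -> None:
        # OpenZeppelin-style helper (not part of ERC-20): relative to the allowance
        # at mining time, so a front-run spend makes this revert instead of re-arming.
        current = self.allowance(owner, spender)
        if current < subtracted:
            raise RuntimeError("revert: decreased allowance below zero")
        self.allowances[(owner, spender)] = current - subtracted

    def transfer_from(self, spender: str, owner: str, to: str, amount: int) -> None:
        # What a DEX router calls after "Approve": pulls from owner up to the allowance.
        if self.allowance(owner, spender) < amount:
            raise RuntimeError("revert: insufficient allowance")
        self._move(owner, to, amount)
        self.allowances[(owner, spender)] -= amount


class PermissionedToken(ERC20):
    """ERC-3643-style gate over ERC-20 (assumed approximation of T-REX behaviour)."""

    def __init__(self, supply: int, issuer: str, verified) -> None:
        super().__init__(supply, issuer)
        self.issuer = issuer
        self.verified = set(verified)  # stands in for the identity registry
        self.frozen = set()

    def _move(self, src: str, dst: str, amount: int) -> None:
        # The gate: runs before every transfer() and transfer_from().
        if src in self.frozen or dst in self.frozen:
            raise RuntimeError("revert: wallet is frozen")
        if dst not in self.verified:
            raise RuntimeError("revert: recipient not verified")
        super()._move(src, dst, amount)

    def set_frozen(self, caller: str, who: str, frozen: bool) -> None:
        if caller != self.issuer:
            raise RuntimeError("revert: caller is not issuer")
        (self.frozen.add if frozen else self.frozen.discard)(who)

    def forced_transfer(self, caller: str, src: str, dst: str, amount: int) -> None:
        # No allowance and no freeze check, but tokens never leave the verified set.
        if caller != self.issuer:
            raise RuntimeError("revert: caller is not issuer")
        if dst not in self.verified:
            raise RuntimeError("revert: recipient not verified")
        ERC20._move(self, src, dst, amount)


def attempt(call) -> str:
    """Run a call and report 'ok' or the revert reason."""
    try:
        call()
        return "ok"
    except RuntimeError as exc:
        return str(exc)


def approve_race(attacker_fast: bool, use_decrease: bool = False):
    """Alice approved Bob for 100 and wants to lower it to 50. Returns
    (Bob's final balance, outcome of Alice's change / Bob's second spend)."""
    tok = ERC20(supply=1_000, minter="alice")
    tok.approve("alice", "bob", 100)
    if attacker_fast:  # Bob's transferFrom(100) is mined before Alice's change
        tok.transfer_from("bob", "alice", "bob", 100)
    if use_decrease:
        reason = attempt(lambda: tok.decrease_allowance("alice", "bob", 50))
    else:
        reason = attempt(lambda: tok.approve("alice", "bob", 50))
    if reason == "ok":
        reason = attempt(lambda: tok.transfer_from("bob", "alice", "bob", 50))
    return tok.balance_of("bob"), reason


def compliance_demo() -> dict:
    """Verified peer transfer, transfer into an unverified DEX pool, a freeze,
    and an issuer forced transfer out of the frozen wallet."""
    tok = PermissionedToken(1_000, issuer="issuer", verified={"issuer", "alice", "carol"})
    tok.transfer("issuer", "alice", 500)
    out = {"peer": attempt(lambda: tok.transfer("alice", "carol", 100))}
    out["pool"] = attempt(lambda: tok.transfer("alice", "uniswap_pool", 10))
    tok.set_frozen("issuer", "alice", True)
    out["frozen"] = attempt(lambda: tok.transfer("alice", "carol", 10))
    out["forced"] = attempt(lambda: tok.forced_transfer("issuer", "alice", "carol", 400))
    out["carol_balance"] = tok.balance_of("carol")
    return out


if __name__ == "__main__":
    print("plain approve, attacker fast:", approve_race(True))
    print("decreaseAllowance, attacker fast:", approve_race(True, use_decrease=True))
    print(compliance_demo())
```

With a plain approve and a fast attacker, Bob ends with 150 against an intended cap of 100; with decreaseAllowance the change reverts and Bob is held to the 100 he already had, which is the signal Alice needs that something was spent. The compliance run shows the same transfer succeeding to a verified peer and reverting into the pool address, then the freeze blocking Alice while forcedTransfer still moves her balance to a verified recipient.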
When you use Uniswap for the first time, you'll notice an "Approve" button you need to click before you can swap. That action is ERC-20's approve function in action: you're telling the token contract "I authorize Uniswap's contract address to spend up to X of my USDC." Only after approving can you execute the Swap, because Uniswap needs transferFrom to pull your USDC into the liquidity pool on your behalf. Many people find it annoying to approve before the first swap of each token (or before every swap, if you approve only the exact amount each time, which is the safer habit). The reason is ERC-20's security design: without your explicit authorization, no contract can move your tokens. The flip side is a warning: the thing to check on any approval prompt is the spender address. If a site asks you to approve a contract address you can't match to the protocol's published deployments, treat it as phishing; and even for a known protocol, an unlimited allowance means that contract, or anyone who later compromises it, can drain that token from your wallet at any time without a further prompt.
ERC-20's greatest strength is composability: a compliant token can plug into the entire Ethereum DeFi ecosystem at zero integration cost. Its greatest limitation is permissionlessness itself: for RWA tokens requiring KYC, whitelists, and compliance reporting, pure ERC-20 can't meet regulatory requirements. That's exactly why compliance-oriented standards like ERC-3643 emerged in the RWA world — trading some DeFi composability for the controls institutional regulators demand. Long-term, "permissioned DeFi pools" (where only whitelisted addresses participate) may provide liquidity infrastructure for ERC-3643 tokens, but this market remains very early.