So I was wondering. If somebody sends me some tokens and I transfer these tokens to some other address - what is the worst thing that could happen to my ethers that I keep on the same wallet address or that are stored in within the same keystore? Talking about malicious smart contract code here, how bad can it be in this case?
Nothing happens. In my experience I never had any problem when someone send me a token and I send it to other wallet. I experience it all the time and I don't encounter any malicious transaction in my wallet even if it has an Ethereum fund.I am pretty sure a malicious transfer() function could still transfer all your tokens of this smart contract to some arbitrary address instead of transferring a specified amount of tokens to a specified address. So risks are still present. But after a bit of digging I am now kinda certain this is the maximum damage a malicious transfer() function could do.