For those wondering about the method transferAnyERC20Token(), as you can see it was directly copied from the sample ERC20 token contract on the Official Ethereum Wiki. It is the only method that can only be called by the Owner, and it only allows the owner to Transfer() out tokens that reside inside the smart contract to another address. The way the Transfer() is implemented in 0xBTC is right here:

function transfer(address to, uint tokens) public returns (bool success) { balances[msg.sender] = balances[msg.sender].sub(tokens); balances[to] = balances[to].add(tokens); emit Transfer(msg.sender, to, tokens); Transfer(msg.sender, to, tokens); return true; }

The .sub and .add methods are safemath and so cannot overflow, cannot create new tokens.

As you can see, the way this method is delegate-called, the 0xBTC contract address will be the ‘msg.sender’ and so it will only allow the owner to transfer tokens whose ‘address’ in the balance mapping is equal to the address of the 0xBTC contract.

This means that the only tokens that can be ‘transferred’ are ones which have been explicitly sent directly to the 0xBTC contract address (or as we say, ‘sent into the contract’) after they have been mined using Proof of Work. This is because the contract address will be msg.sender since that is how delegate calling works: https://ethereum.stackexchange.com/questions/21029/difference-between-msg-owner-and-msg-sender

The intent of the method as designed is to allow the owner of the contract to withdraw tokens which had been accidentally sent into the contract address. That is all it can do. It was used for that and worked well!

For brevity and extra peace of mind, the 0xBTC contract is now owned by a burn contract: https://etherscan.io/address/0x9c875cd04abfa2bd0461c9baf42059913f6e7150