Security Firm Identifies Potential Tether (USDT) Double-Spend Bug

SlowMist, a Chinese cybersecurity firm, has recently pointed out a transaction that should have some worried, as the user managed to double the value of 694 USDT.

SlowMist: User

On Thursday, a blockchain centric cybersecurity firm, issued a Tweet which drew attention to a questionable USDT transaction.

交易所在进行USDT充值交易确认是否成功时存在逻辑缺陷,未校验区块链上交易详情中valid字段值是否为true,导致“假充值”,用户未损失任何USDT却成功向交易所充值了USDT,而且这些 USDT 可以正常进行交易。
我们已经确认真实攻击发生!相关交易所应尽快暂停USDT充值功能,并自查代码是否存在该逻辑缺陷。 pic.twitter.com/EPzZIsZFzH

— SlowMist (@SlowMist_Team) June 28, 2018

According to the automated translation of the Tweet, originally given in Mandarin Chinese, the user was able to illegitimately add USDT value to the exchange’s server, giving a guise of added funds.

This vulnerability essentially allowed the user to be potentially credited for USDT that was not sent to the exchange.

It is unclear whether the exchange affected, which remained unnamed, has made any actions to amend the issue.

According to the information of the transaction in question, the exchange accepted a transaction that had invalid information, with the exchange marking the 694 USDT “false” transaction as valid.

When the Tweet was first released, it was unclear whether this problem was an unlucky edge-case or a problem that affected all of the 2.75 Billion Tether tokens in existence.

Bug Is Only Pertinent To Vulnerable Exchange

SlowMist later clarified, in English this time, that the issue was not with Tether as a whole, but rather with the unnamed exchange.

A Reddit user who goes by Dacoinminster gave his/her reasoning for the hack. To add to the legitimacy of the reasoning, the user claimed to be a founder of Omni, the protocol which Tether is built upon.

Firstly, the Reddit user noted that Omni-based assets cannot be double-spent without Bitcoin having to be double-spent as well. This comment eased the double-spend worries, as a double-spend attack on Bitcoin is nearly impossible.

The Omni founder wrote:

If I’m translating this correctly, it appears that what happened here is that an exchange wasn’t checking the valid flag on transactions. They accepted a transaction with valid=false (which they should not have), and then the second “double spend” transaction had valid=true, which they also accepted.

Dacoinminster went on to say that the issue was the result of “poor exchange integration,” pointing an accusing finger at the affected exchange.

OKEx, one of the top cryptocurrency exchanges by trading volume, quickly created a press release regarding the issue, adding to the legitimacy of the issue. OKEx wrote:

We are aware of the vulnerability with USDT deposit. And we confirm that OKEx is NOT exposed to the vulnerability. Please rest assured that your assets are safe and secure with us.

Further adding that OKEx enlisted the help of SlowMist to ensure that OKEx was not vulnerable to the “fake deposit” issue.

Bittrex also confirmed that it was not affected and the processing of all Omni-based assets, like Tether, did not experience any difficulties. The Tweet stated, “Bittrex properly handles the “valid” flag mentioned in the (Omni) integration guide.”

It has become clear that this issue is only pertinent to exchanges who failed to properly integrate Omni assets, most likely smaller exchanges with smaller technical teams. At the time of writing, the unnamed exchange was the only platform reported to be vulnerable to the bug.

Tether Remains The Topic Of Controversy

Despite holding a vital role in the industry, serving as a way investors can find stability in the often volatile crypto market, Tether has had its fair share of problems.

As Tether’s market cap quickly rose over the billion dollar valuation, users began to question the legitimacy of the reserve funds backing the popular stablecoin. Speculation raged, as Tether unexpectedly dismissed an auditor for the “excruciatingly detailed procedures” the auditor firm was enlisting.

Many thought that Tether did not hold the funds to back its growing supply of USDT. However, it was recently revealed that Tether does hold the U.S. dollars to back all USDT in existence.

Although that issue was dismissed, research has pointed out that Tether may be responsible for the manipulation of many Bitcoin price movements. The report, originating from the University of Texas, states that the issuances of Tether may have caused up to 50% of all Bitcoin price increases.

Although not directly addressed by the Tether organization, this report confirms much of the sentiment held by Tether critics.

The recent bug exposed by SlowMint has added to the Tether controversy, which has become increasingly diverse as Tether continues to grow at a rapid rate.

 

Featured Image from