Was USDT Double-Spent?
SlowMist, a Chinese cybersecurity company focused on the blockchain and cryptocurrency sector, recently released a tweet regarding the investigation of a double-spent USDT transaction.
The tweet, shown below, was posted in Chinese, leaving many westerners confused at what the tweet meant. But as Mandarin speakers translated the message, it became clear that the SlowMist team had identified a potentially dubious Tether transaction.
交易所在进行USDT充值交易确认是否成功时存在逻辑缺陷,未校验区块链上交易详情中valid字段值是否为true,导致“假充值”,用户未损失任何USDT却成功向交易所充值了USDT,而且这些 USDT 可以正常进行交易。
我们已经确认真实攻击发生!相关交易所应尽快暂停USDT充值功能,并自查代码是否存在该逻辑缺陷。 pic.twitter.com/EPzZIsZFzH— SlowMist (@SlowMist_Team) June 28, 2018
The rough translation is as follows:
The exchange in the USDT recharge transactions to confirm the success of a logical flaw in the transaction details on the block chain valid field value is true, resulting in “pretend value”, the user has not lost any USDT but successfully recharge the exchange USDT, and these USDT can be normal transactions. We have confirmed that the real attack happened! The relevant exchange should suspend USDT recharge function as soon as possible, and self-examination code whether there is this logic flaw.
When reading in between the lines of the translation, it becomes clear what the tweet originally meant. It was directed at pointing out that an anonymous user, or the SlowMist team themselves, were able to “recharge” the 694 USDT twice, essentially doubling the value of the aforementioned Tether.
It is important to note that new USDT tokens were not created, this transaction only allowed for the user to potentially withdraw 694 USDT out of the exchange’s Tether wallet without holding the authority to do so.
SlowMist later clarified that the vulnerability was not part of the Tether codebase, but rather, a vulnerability of a specific exchange, which remains unnamed at this time. OkEX, popular Asian-based exchange, quickly addressed the issue to ease the minds of consumers.
Reassuring that it was the fault of the unnamed exchange, OkEX wrote:
We are aware of the vulnerability with USDT deposit. And we confirm that OKEx is NOT exposed to the vulnerability. Please rest assured that your assets are safe and secure with us.
A Reddit user, stating that he/she was the founder of Omni, the protocol which Tether is built upon, also gave a statement regarding the issue. ‘Dacoinminster’ said:
If I’m translating this correctly, it appears that what happened here is that an exchange wasn’t checking the valid flag on transactions. They accepted a transaction with valid=false (which they should not have), and then the second “double spend” transaction had valid=true, which they also accepted.
Unless I am missing something, this is just poor exchange integration. One of our devs already replied pointing to our best practices for integration
It is likely that only smaller exchanges, with less experienced developer teams, are vulnerable to this issue.
Tether Controversy Continues
This story has added to the Tether controversy, which still continues to this day. Despite a recent audit confirming that Tether does, in fact, have the U.S. reserves to match the 2.7 Billion USDT tokens, debate still rages about Tether’s effect on the cryptocurrency market as a whole.
A research paper released by the University of Texas indicates that USDT has been used in the manipulation of cryptocurrency prices over 2017. The paper states that over 50% of all Bitcoin’s upwards price movements were caused by the trading and transfer of Tether.
Many critics of the often notorious stablecoin have long held this opinion, believing that the Tether organization utilizes questionable business practices. However, it has become clear that stablecoins will become a promising sub-industry as the cryptocurrency market develops.
Although questionable at times, it is important that Tether holds a place in the market, as the collapse of Tether could mean a widespread decline in the collective value of all cryptocurrencies.
Title Image Courtesy of MaxPixel
