Tether Double-Spend Scare Shows That Exchanges Could Be At Risk
On Thursday, June 28, SlowMist — a private Chinese cybersecurity firm — divulged a potential double-spend in the use of Tether (USDT).
The company’s initial tweet, published in Mandarin Chinese, presented a USDT transaction that had been sent to an unnamed exchange with incorrect field values. This, in effect, allows people to be credited for tokens on the exchange that they haven’t actually sent — otherwise known as a double-spend.
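Exchanges have a logic flaw when confirming whether a USDT deposit transaction succeeded: they do not check whether the valid field in the on-chain transaction details is true, which leads to a "fake deposit". The user loses no USDT yet successfully deposits USDT to the exchange, and this USDT can be traded normally.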
— SlowMist (@SlowMist_Team) June 28, 2018
Tether Is Safe — For Now
Following widespread concern, Reddit user dacoinminster took to the thread and explained the transaction’s validation. The user prefaced the explanation by identifying themselves as a founder of Omni — the company responsible for the development of Tether.
Dacoinminster reasoned that to double-spend an Omni asset would require double-spending bitcoin. This greatly eased concerns, given that Bitcoin’s transaction process makes a double-spend nearly impossible.
The supposed Omni founder continued:
If I’m translating this correctly, it appears that what happened here is that an exchange wasn’t checking the valid flag on transactions. They accepted a transaction with valid=false (which they should not have), and then the second “double spend” transaction had valid=true, which they also accepted.
SlowMist followed up later the same day and urged people not to panic. It stated (in English) that the vulnerability was not in the USDT transaction, but rather on the exchange platform itself. It also echoed dacoinminster, writing that certain exchange databases “do not strictly verify the status of the ‘valid’ parameter.”
The Concern Is In The Exchange
Despite the ongoing controversy — fueled in part by the apparently incorrect belief that Tether did not have the funds to back its rising amount of USDT — Tether has once again been found innocent. The incident, however, has been crucial in highlighting the vulnerability of exchanges. Dacoinminster’s comment, which called out the “poor exchange integration,” led to several responses by major exchanges.
OKEx, one of the top crypto-exchanges by trading volume, released a formal press release to ease customer concerns. It announced that it had contacted SlowMist and was working with the firm to run several examinations of its platform. In the end, the exchange confirmed that it was not affected by the issue.
Dacoinminster updated the initial comment in response to OKEx’s press release, adding that:
There may be cases when the valid flag is true, but the transaction fails for other reasons. It is important to also check the balance of the receiving account.
Bittrex posted to its Twitter that it was able to process USDT transactions without issue — acknowledging that it follows the “valid” flag as outlined in the Omni integration guide.
You may have seen reports regarding processing issues for USDT transactions. @BittrexExchange is not affected and processing OMNI assets (including Tether) without issue. Bittrex properly handles the “valid” flag mentioned in this integration guide: https://t.co/0oPPfao6ww
— Bittrex (@BittrexExchange) June 30, 2018
With Tether off the hook, this mistake underlines the vulnerability of crypto-exchanges. It reminds those in the cryptocurrency space that, even with reliable blockchain technology, faulty exchanges can lead to major mishaps. Bitcoin saw a drop in value of 4.52 percent the day of the purported double-spend — once again highlighting the fragility of the market.
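The two checks discussed above (the `valid` flag and the receiving balance), written out as deposit-crediting logic next to the flawed version. This is an added example, not code from SlowMist, Omni or any exchange; field names follow Omni Core's `omni_gettransaction` output, while the confirmation threshold, function names and sample records are assumptions constructed for illustration.

```python
from decimal import Decimal

USDT_PROPERTY_ID = 31      # Tether's property id on the Omni Layer
MIN_CONFIRMATIONS = 6      # assumed exchange policy, not from the article


def naive_should_credit(tx, deposit_address):
    """The flawed logic described above: 'valid' is never inspected."""
    return (tx.get("referenceaddress") == deposit_address
            and tx.get("propertyid") == USDT_PROPERTY_ID
            and tx.get("confirmations", 0) >= MIN_CONFIRMATIONS)


def should_credit(tx, deposit_address, balance_before, balance_after):
    """Return (ok, reason). Balances are the deposit address's USDT balance
    read before and after the transaction, passed as decimal strings."""
    if tx.get("valid") is not True:      # missing, False or the string "true" all fail
        return False, "valid flag is not true"
    if tx.get("propertyid") != USDT_PROPERTY_ID:
        return False, "wrong property id"
    if tx.get("referenceaddress") != deposit_address:
        return False, "not addressed to this deposit address"
    if tx.get("confirmations", 0) < MIN_CONFIRMATIONS:
        return False, "not enough confirmations"
    amount = Decimal(tx["amount"])
    if amount <= 0:
        return False, "non-positive amount"
    # Second check from the updated comment: the receiving balance must have moved.
    if Decimal(balance_after) - Decimal(balance_before) < amount:
        return False, "receiving balance did not increase by the amount"
    return True, "ok"


# Constructed sample records (address and txids are placeholders).
ADDR = "EXCHANGE_DEPOSIT_ADDRESS"
FAKE = {"txid": "TXID_A", "referenceaddress": ADDR, "propertyid": 31,
        "amount": "100.00000000", "confirmations": 12, "valid": False}
REAL = dict(FAKE, txid="TXID_B", valid=True)

if __name__ == "__main__":
    print(naive_should_credit(FAKE, ADDR))                 # flawed path credits it
    print(should_credit(FAKE, ADDR, "0", "0"))             # rejected on valid flag
    print(should_credit(REAL, ADDR, "0", "100.00000000"))  # credited
    print(should_credit(REAL, ADDR, "0", "0"))             # rejected on balance
```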