Adding further controversies around Tether, a Chinese private cybersecurity firm SlowMist has found a double-spending vulnerability in Tether (USDT). Post SlowMist tweet, Omni founder has also reverted back giving an explanation of what went wrong.
交易所在进行USDT充值交易确认是否成功时存在逻辑缺陷，未校验区块链上交易详情中valid字段值是否为true，导致“假充值”，用户未损失任何USDT却成功向交易所充值了USDT，而且这些 USDT 可以正常进行交易。
— SlowMist (@SlowMist_Team) June 28, 2018
SlowMist states in a tweet that they were able to send USDT to an unnamed exchange without correct field values on the transaction. The revelation has been worth noticing at that meant individuals may be credited for tokens without actually having sent them, leading to a double spend. It also asked the relevant exchange should suspend USDT recharge function as soon as possible, and self-examination code whether there is this logic flaw.
“The exchange in the USDT recharge transactions to confirm the success of a logical flaw in the transaction details on the blockchain valid field value is true, resulting in “pretend value”, the user has not lost any USDT but successfully recharge the exchange USDT, and these USDT can be normal transactions.”
Omnilayer – USDT provides an explanation
Following the tweet from SlowMist, a founder of OmniLayer, the platform on which USDT was created, offered an explanation to the error. According to him, it was the exchange that accepted the transaction without checking the valid flag which leads to double spending.
He took reddit to reply which could be quoted as
“I designed Omni so that to double-spend an Omni asset, you would have to double-spend bitcoin. If I’m translating this correctly, it appears that what happened here is that an exchange wasn’t checking the valid flag on transactions. They accepted a transaction with valid=false (which they should not have), and then the second “double spend” transaction had valid=true, which they also accepted. Unless I am missing something, this is just poor exchange integration.”
There was another explanation, a more elaborate one, provided by a maintainer and developer of Omni Core, the reference client for the Omni Layer. According to him
“ This is in no protocol vulnerability, but rather a poor handling of incoming token payments, if this was indeed exploited in the wild. As far as we know, there was an integrator, which hasn’t checked the valid flag at all, and simply credited the tokens, without ensuring and checking, whether they were actually transferred.”
He further added that
“The reference client of the Omni Layer, Omni Core, doesn’t credit any tokens from invalid transactions, while the JSON-RPC API still provides information about such a transaction, but clearly indicates, whether the transaction is valid. In such a case the result also has an “invalidreason” field, which provides explicit information about why the transaction is considered invalid, e.g. in case of not enough balance.”
In likes of these allegations and explanations, OKEx circulated to its customers that exchange is NOT exposed to the vulnerability. It also assured that all the assets are safe with the exchange.
With these vulnerabilities exposed, there are again questions raised about the security measures that exchanges are taking. Such lapses are making the investors jittery and most of them happen to be selling cryptocurrencies because of these reasons.
Will the exchanges work towards patching these vulnerabilities to gain the confidence of investors back? Do let us know your views on the same.