Double-spending flaw found in Tether transaction
SlowMist, a Chinese private cybersecurity company, has found a double-spending flaw in tether (USDT), the dollar-backed cryptocurrency, when traded on a particular exchange.
The company said it had been able to send the digital currency to an exchange (which it declined to name) without correct field values on the transaction. This potentially means a transaction can be credited to the receiving counterparty without anything being sent – a double spend, or the risk that a digital currency can be spent twice, or more.
SlowMist posted the transaction error on its Twitter feed on 28 June.
The cybersecurity firm insisted, however, this was not a flaw in the tether currency itself.
It said, again on Twitter: “This vulnerability is not the USDT’s own vulnerability, but some exchange platform databases do not strictly verify the status of the ‘valid’ parameter. Please do not panic.”
There is a logic flaw in how exchanges confirm whether a USDT deposit transaction succeeded: they do not verify that the value of the valid field in the transaction details on the blockchain is true. This results in a “fake deposit”: the user loses no USDT yet successfully deposits USDT to the exchange, and that USDT can be traded normally.
— SlowMist (@SlowMist_Team) June 28, 2018
Omni, the blockchain platform on which tether was created, responded by saying the fault was due to an exchange not checking the “valid” flag on transactions.
“Unless I am missing something, this is just poor exchange integration,” Tom McLeod, the Omni founder, posted on Reddit.
He added: “There may be cases when the valid flag is true, but the transaction fails for other reasons. It is important to also check the balance of the receiving account, as described in the best practices document.”
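The two checks Omni describes, the `valid` flag plus a balance reconciliation, as an added example written for this article (not code from SlowMist, Omni or any exchange). The field names follow the shape of Omni Core’s `omni_gettransaction` / `omni_getbalance` results as I understand them, and the sample transactions, addresses and policy constants are constructed; USDT’s Omni property id of 31 is assumed.

```python
from decimal import Decimal

USDT_PROPERTY_ID = 31   # Tether's property id on the Omni layer (assumed)
MIN_CONFIRMATIONS = 6   # exchange deposit policy, assumed

# Constructed sample: the "fake deposit" case. The transaction exists on
# chain and names the exchange's address, but Omni marked it invalid.
FAKE_DEPOSIT = {
    "txid": "aa" * 32, "type": "Simple Send", "propertyid": 31,
    "amount": "1000.00000000", "sendingaddress": "1SenderExampleAddr",
    "referenceaddress": "1ExchangeDepositAddr", "confirmations": 12,
    "valid": False, "invalidreason": "Sender has insufficient balance",
}
GOOD_DEPOSIT = dict(FAKE_DEPOSIT, txid="bb" * 32, valid=True)
GOOD_DEPOSIT.pop("invalidreason")

def credit_deposit_naive(tx, deposit_address):
    """The flawed check: 'a send to our address is on chain' is enough."""
    return tx.get("referenceaddress") == deposit_address

def credit_deposit(tx, deposit_address):
    """Hardened check: every field that could make the send worthless is
    verified before the exchange credits anything. Returns (ok, detail)."""
    if tx.get("valid") is not True:
        return False, "valid flag not true: %s" % tx.get("invalidreason", "?")
    if tx.get("type") != "Simple Send" or tx.get("propertyid") != USDT_PROPERTY_ID:
        return False, "not a USDT simple send"
    if tx.get("referenceaddress") != deposit_address:
        return False, "not addressed to our deposit address"
    if int(tx.get("confirmations", 0)) < MIN_CONFIRMATIONS:
        return False, "insufficient confirmations"
    amount = Decimal(str(tx.get("amount", "0")))
    if amount <= 0:
        return False, "non-positive amount"
    return True, amount

def balance_consistent(balance_before, balance_after, credited_amount):
    """Second line of defence from the Omni advice: the deposit address's
    on-chain USDT balance (e.g. from omni_getbalance) must actually have
    grown by the credited amount; a fake deposit leaves it unchanged."""
    delta = Decimal(str(balance_after)) - Decimal(str(balance_before))
    return delta >= Decimal(str(credited_amount))

if __name__ == "__main__":
    for tx in (FAKE_DEPOSIT, GOOD_DEPOSIT):
        print(tx["txid"][:8], credit_deposit_naive(tx, "1ExchangeDepositAddr"),
              credit_deposit(tx, "1ExchangeDepositAddr"))
```

The naive check credits both sample transactions; the hardened check rejects the invalid one, and the balance reconciliation catches it again even if the flag were ever misread.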
Meanwhile, Hong Kong-based OKEx, the world’s second-largest cryptocurrency exchange, said it was aware of the double-spend vulnerability and that it was not exposed to the problem.
“After being aware of the loophole, we immediately contacted Slow Mist to further understand the issue and performed a series of examinations. We confirmed that our platform is not affected by this issue,” the exchange said on its website.
It was the only exchange, at the time of publication, from which OpenLedger could find a response. We will update if further exchanges add their views.