In what seems like the world’s first revenge cryptocurrency transaction, an Australian cryptocurrency firm is being investigated by the police after allegations that it fraudulently used a “software backdoor” to reclaim its digital tokens following a failed business deal.
Cryptocurrency Firm Gone Rogue
As per an Information Security Media Group (ISME) report on June 5, 2018, Soar Labs allegedly scammed its business partner to the tune of $6.6 million. Local authorities highlighted the development as one of the paramount risks of doing business in “an emerging market area that is rife with scams.”
The victim company is Byte Power Party Ltd., a subsidiary of Byte Power Group Ltd. In July 2017, Soar Labs, a blockchain-based wallet service that claims to improve transactional efficiency, launched its ERC20 token, the Soarcoin (SOAR).
Deal Goes Sour
In August 2017, Soar Labs announced that it would purchase a 49 percent holding in Byte Power Party. As per the agreement, the latter was to set up a cryptocurrency exchange in Australia and center much of its business around the SOAR token.
The deal was reportedly valued at $5 million, with most of the payment in SOAR tokens. In total, the cash value of the operation touched $100,000, with the remaining paid 306 million digital tokens valued at $0.016 at the time. On January 4, 2018, Byte Power informed the Australian Stock Exchange (ASX) that over 179.2 million SOAR were “temporarily suspended” due to unspecified reasons.
Soar Labs accused Byte Power on January 2, 2018, about not “selling its Soarcoin at manageable levels,” purportedly to settle the former’s debts and employee salaries. In Byte Power’s defense, selling a holding of hundreds of millions of a thinly-traded token would undeniably cause the price to plunge, and ultimately lead to realized losses.
Additionally, Byte Power launched legal proceedings against Soar Labs in Singapore, claiming “reckless and negligent actions” on the latter’s part and a breach of the agreement.
However, despite the dictum and frozen accounts, Soar Labs withdrew over 214 million SOAR on January 1, 2918, valued at over $ 6.6 million. While this may that seem confusing to many, it did not take much thinking by security experts to ascertain how Soar Lab seemingly withdrew their coins.
Backdoor Business Revealed
Byte Labs revealed:
“The way in which the smart contracts were written allowed [Soar Labs] to remove the coins, which the company itself wasn’t aware of at the time until the coins were actually taken.”
The backdoor code
ISME contacted a UC Berkeley cybersecurity expert, Nicholas Weaver, who has reportedly studied the ecosystem around digital assets since 2013. As ISME claims, it took Weaver “about two minutes” to detect a zero-fee transaction function in SOAR’s smart contract, using which “the owner of the contract could rewrite the balances at will.”
When Soar Labs’ CEO Seth Lim was questioned about the backdoor by ISMG, he stated that it was built on purpose, and the code’s open source nature allowed everyone to view the fallacy. However, this begs the question: why did Soar Labs not notify Byte Power about the backdoor in their deal?
As it stands, Soar Labs holds the private keys that authenticates itself as the smart contract. In case an attacker gains access to these keys, SOAR tokens can be moved around easily by using the zero-fee function. Soar Labs CTO and co-founder, Neo Wenyuan, defended the feature, and stated that the zero-fee function is not intended to be used as a backdoor:
“We wish to reiterate that the zero-fee transaction function is used sparingly and only in exceptional circumstances. For example, we recently assisted a cryptocurrency exchange to recover Soarcoin which a threat actor had attempted to siphon away following a malicious attack on the master node of the exchange.”
Security Audits a Much Needed Feature
Notwithstanding his comments, Weaver believes that the incident reveals a much larger, grimier problem of the cryptocurrency market: Open-source software does not validate its authenticity, and the absence of third-party security audits augments this issue. Weaver added that looking for software backdoors is extremely difficult. However, his computer science background meant he knew precisely which part of the code to scrutinize. The report echoed his sentiment:
“It would be very difficult to find a backdoor in cryptocurrency code. Auditing this requires both a security and an advanced mathematics background, a combination of things that most people simply don’t possess.”
Soar Labs will transfer its 49 percent stake in Byte Power Party to the latter’s parent organization. Additionally, they owe Byte Power $1.7 million in damages and five million Soarcoins to the Byte Party Group and its CEO Alvin Phua.
Although this is an out-of-court settlement, it remains to be seen if the Australian legal authorities will press formal charges against the organization.