Controversial stablecoin Tether faced allegations of a double spend attack on May 30, 2018, after a Chinese cybersecurity firm revealed findings of a code audit. However, additional reports suggest the contrary.
Tether’s Neverending Controversy
SlowMist, the blockchain security firm which made the original claim, confirmed in a tweet on June 28, 2018, that the code vulnerability was due to exchange integration rather than an innate security flaw in Tether’s protocol.
In June 2018, Xiamen-based SlowMist claimed in a WeChat post that cryptocurrency exchanges need to verify a “true” transaction when processing trades on their portal, the absence of which may cause the dreaded “double-spend attack.”
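SlowMist released information about an exchange user exploiting the vulnerability in a post on Twitter, with a snapshot of a blurred transaction statement. As alleged, the user could illegitimately add USDT value on the exchange, without the equivalent USD backing for it.
There is a logic flaw in how exchanges confirm whether a USDT deposit transaction succeeded: they do not verify that the value of the valid field in the on-chain transaction details is true, which results in a "fake deposit". The user loses no USDT yet successfully deposits USDT to the exchange, and this USDT can be traded normally.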
— SlowMist (@SlowMist_Team) June 28, 2018
For the uninitiated, a double-spend attack occurs when blockchain miners successfully gain a majority hashrate on a protocol and create a private block to confirm fraudulent transactions.
SlowMist Rectifies Confusion
As cryptocurrency users and observers understandably panicked after the announcement, SlowMist was quick to follow up with a tweet to prevent a long-lasting rumor.
The security firm confirmed –
Corrected a bit to explain: This vulnerability is not the USDT's own vulnerability, but some exchange platforms' databases do not strictly verify the status of the "valid" parameter.
Please do not panic.
— SlowMist (@SlowMist_Team) June 29, 2018
When adding a coin to their trading portfolio, cryptocurrency exchanges integrate a digital currency on their own servers, unlike traditional markets, where the bond or equity is traded directly from a centrally run clearinghouse. Reportedly, exchanges are offered guides by companies to ensure a smooth transition and avoid any issues.
Regardless, any adverse development concerning Tether is bound to add to the industry’s nervousness about the firm. The cryptocurrency community questions Tether’s opaque “printing process,” as the firm is known to seemingly issue hundreds of millions in USDT without proving their fiat backing.
A research paper in June 2018 suggested the stablecoin was solely used to manipulate the cryptocurrency market’s euphoric bull run in December 2017.
Exchanges Clear Names
After SlowMist caused considerable concerns in the market with their tweet, several cryptocurrency exchanges announced their exposure to the threat.
“It appears that what happened here is that an exchange wasn’t checking the valid flag on transactions. They accepted a transaction with valid=false (which they should not have), and then the second ‘double spend’ transaction had valid=true, which they also accepted. This is just poor exchange integration.”
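The integration mistake described above, next to a stricter deposit check, as an added example that is not code from SlowMist, Tether, or any exchange. Only the `valid` flag comes from the reports; the record layout, the other field names, the confirmation threshold, and the sample transactions are assumptions constructed for illustration.

```python
from decimal import Decimal

# Constructed sample records, shaped like transaction details an exchange
# reads back from its node. Only "valid" is named in the reports; all other
# field names and values are assumptions for illustration.
DEPOSIT_ADDR = "exchange-deposit-address"
MIN_CONFIRMATIONS = 6  # assumed exchange policy
SAMPLE_TXS = [
    {"txid": "tx-a", "to": DEPOSIT_ADDR, "amount": "100", "confirmations": 8, "valid": False},
    {"txid": "tx-b", "to": DEPOSIT_ADDR, "amount": "100", "confirmations": 8, "valid": True},
    {"txid": "tx-c", "to": DEPOSIT_ADDR, "amount": "5", "confirmations": 8},  # flag missing
    {"txid": "tx-d", "to": DEPOSIT_ADDR, "amount": "7", "confirmations": 8, "valid": "true"},
    {"txid": "tx-b", "to": DEPOSIT_ADDR, "amount": "100", "confirmations": 9, "valid": True},
]


def credit_naive(txs):
    """Flawed integration: credits anything confirmed and addressed to us."""
    total = Decimal(0)
    for tx in txs:
        if tx["to"] == DEPOSIT_ADDR and tx["confirmations"] >= MIN_CONFIRMATIONS:
            total += Decimal(tx["amount"])  # the valid flag is never consulted
    return total


def credit_strict(txs, seen=None):
    """Credit only when valid is the boolean True. Returns (total, rejected)."""
    seen = set() if seen is None else seen
    total, rejected = Decimal(0), []
    for tx in txs:
        if tx.get("to") != DEPOSIT_ADDR:
            reason = "wrong address"
        elif tx.get("valid") is not True:  # False, missing, or a string all fail closed
            reason = "valid flag not true"
        elif tx.get("confirmations", 0) < MIN_CONFIRMATIONS:
            reason = "unconfirmed"
        elif tx["txid"] in seen:  # never credit the same transaction twice
            reason = "already credited"
        else:
            seen.add(tx["txid"])
            total += Decimal(tx["amount"])
            continue
        rejected.append((tx["txid"], reason))
    return total, rejected
```

On the sample data the naive path credits 312 units while the strict path credits 100 and records a rejection reason for each of the other four records, which is the list an operations team would alert on.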