Bitfinex LEO Token Owners can Mint Unlimited New Tokens & Delete Anyone’s LEO Tokens: Research Reveals
- The research firm Cointelligence found scammy abilities in the Bitfinex LEO ERC20 Contract Code
- This reveals that the LEO token mechanism isn’t fair, inclusive, censorship-resistant or decentralized, but Bitfinex CTO Paolo Ardoino says the ability to upgrade the Token Contract is for security reasons
Introduced on May 10, 2019 by iFinex Inc., Bitfinex’s USDT LEO had a successful token sale (IEO) of $1 billion despite the exchange having a tumultuous start to the year. This ERC20 token is issued by Unus Sed Leo Limited, a subsidiary of iFinex Inc.
But according to a recent audit by Cointelligence, the smart contract code of the Unus Sed Leo token has scammy abilities. It states that the token owner can mint unlimited new tokens and also delete anyone’s coins, whether on a centralized or decentralized exchange, in a hardware or software wallet, or held in hot or cold storage.
The firm deployed the contract code published on Etherscan to the Ropsten testnet to expose how the smart contract behaves.
Ability to Print Quadrillion LEO Tokens
The researcher finds that the contract owner can change the “controller” at any time through line 698. Once the controller address is changed to a wallet address or even a new smart contract, they could simply execute “generateTokens” on line 460 to print unlimited tokens, reports Cointelligence.
It’s worth noting that the LEO whitepaper doesn't mention the maximum token supply, which allows them to keep on printing LEO tokens.
The research firm was, in fact, able to “print a quadrillion LEO tokens on a testnet using their code.”
iFinex can Destroy Anybody’s LEO Tokens
Not only can the LEO token owner mint unlimited fresh tokens, it can delete tokens as well. The function “destroyTokens” on line 477 enables the LEO-controlled wallet to burn anyone’s LEO tokens. This is not limited to centralized exchanges but applies anywhere, including a decentralized exchange, hot wallet, cold wallet, paper or brain wallet, or a hardware or software wallet.
“It doesn’t matter where your coins are, they can delete your coins if they want to. As simple as that.”
During the research, the firm itself was able to successfully delete/destroy/burn ten billion tokens from someone’s wallet, an address they didn’t own.
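The pattern described in the two sections above (a reassignable controller plus controller-gated functions that change any holder's balance) can be checked for mechanically when reviewing a token's published source. The following Python check is an added example, not code from Cointelligence's report or from the LEO contract. The Solidity excerpt in it is constructed for illustration: only the names controller, generateTokens and destroyTokens come from the article, and changeController, onlyController, balances and total are assumptions.

```python
import re

# Constructed Solidity excerpt, NOT the LEO contract source. Only "controller",
# "generateTokens" and "destroyTokens" come from the article; the other names
# (changeController, onlyController, balances, total) are assumptions.
SAMPLE = """
contract Controlled {
    address public controller;
    modifier onlyController { require(msg.sender == controller); _; }
    function changeController(address _new) public onlyController {
        controller = _new;
    }
}
contract Token is Controlled {
    uint public total;
    mapping (address => uint) balances;
    function transfer(address _to, uint _amount) public returns (bool) {
        balances[msg.sender] -= _amount; balances[_to] += _amount; return true;
    }
    function generateTokens(address _owner, uint _amount) public onlyController returns (bool) {
        total += _amount; balances[_owner] += _amount; return true;
    }
    function destroyTokens(address _owner, uint _amount) public onlyController returns (bool) {
        total -= _amount; balances[_owner] -= _amount; return true;
    }
}
"""

# name, parameter list, header (visibility/modifiers), body without nested braces
FUNC = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{([^{}]*)\}")

def audit(source):
    """Return (function, issue) pairs for role-gated balance changes and role reassignment."""
    findings = []
    for name, params, header, body in FUNC.findall(source):
        args = [p.split()[-1] for p in params.split(",") if p.strip()]
        gated = re.search(r"\bonly\w+", header) is not None
        for arg in map(re.escape, args):
            if re.search(r"\bcontroller\s*=\s*" + arg + r"\b", body):
                findings.append((name, "reassigns-controller"))
            change = re.search(r"balances\[" + arg + r"\]\s*([+-])=", body)
            if change and gated:  # caller-chosen holder, not msg.sender
                kind = "mint-to" if change.group(1) == "+" else "burn-from"
                findings.append((name, kind + "-any-address"))
    return findings

if __name__ == "__main__":
    for func, issue in audit(SAMPLE):
        print(f"{func}: {issue}")
```

An ordinary transfer is not flagged because it debits msg.sender and carries no role modifier; the regex only handles function bodies without nested braces, so real contracts need a proper Solidity parser.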
Security Measure or Flaw?
The issues found in the LEO token’s smart contract clearly identify its scammy abilities; however, according to Paolo Ardoino, CTO of Bitfinex, it’s for security reasons.
“For security and future proof reasons we left the ability also to upgrade the Token Contract. That’s really a key feature for a contract that might live lot of years. Minting more tokens would just not make sense for Finex… like shooting our foot.”
The fact that this reveals the LEO token system is not fair, inclusive, censorship-resistant or decentralized clearly points out that it does not adhere to the decentralized economy the crypto industry is working towards.