SlowMist Cybersecurity Firm Confirms Tether (USDT) Double Spending Vulnerability
The Chinese private cybersecurity firm SlowMist has just confirmed the double-spending vulnerability in Tether.
Exchanges have a logic flaw when confirming whether a USDT deposit transaction succeeded: they do not verify that the valid field in the on-chain transaction details is true. This leads to a "fake deposit": the user loses no USDT yet successfully deposits USDT to the exchange, and that USDT can be traded normally.
We have confirmed that a real attack has occurred! The exchanges concerned should suspend USDT deposits as soon as possible and audit their own code for this logic flaw. pic.twitter.com/EPzZIsZFzH — SlowMist (@SlowMist_Team) June 28, 2018
The translation reads,
“The exchange, when confirming the success of USDT recharge transactions, has a logical flaw: it does not check that the valid field value in the transaction details on the block chain is true, resulting in a “pretend value”; the user has not lost any USDT but has successfully recharged the exchange with USDT, and these USDT can be used in normal transactions. We have confirmed that the real attack happened! The relevant exchanges should suspend the USDT recharge function as soon as possible, and self-examine their code for this logic flaw.”
According to CryptoMedication, the double-spend vulnerability carries serious implications as “it is possible that this could have been exploited ad infinitum.” CryptoMedication adds that it “seems to be an exchange problem… more so than a Tether issue…”
However, the Omni founder said on Reddit:
“It appears that what happened here is that an exchange wasn't checking the valid flag on transactions. They accepted a transaction with valid=false (which they should not have), and then the second “double spend” transaction had valid=true, which they also accepted. Unless I am missing something, this is just poor exchange integration.”
OKEx, too, said in a press release that it has not been exposed to the Tether vulnerability, which seems to be a reiteration of the previous point.
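To make the "poor exchange integration" concrete, here is an added example (not SlowMist's, Omni's or any exchange's code) that runs the flawed deposit check and a corrected one over two constructed transaction records shaped like Omni Core's omni_gettransaction output. The field names, the deposit address, the txids and the confirmation policy are all assumptions made for the example.

```python
from decimal import Decimal
from typing import Callable, Dict, List

USDT_PROPERTY_ID = 31   # Tether's Omni Layer property id
MIN_CONFIRMATIONS = 6   # assumed exchange policy (placeholder value)
DEPOSIT_ADDRESS = "1ExchangeDepositAddrPLACEHOLDER"  # constructed

# Constructed records mimicking Omni Core `omni_gettransaction` output:
# first an invalid send (sender never held the funds), then a valid one.
SAMPLE_TXS: List[Dict] = [
    {"txid": "tx-invalid-01", "type": "Simple Send", "propertyid": 31,
     "referenceaddress": DEPOSIT_ADDRESS, "amount": "1000.00000000",
     "confirmations": 12, "valid": False,
     "invalidreason": "Sender has insufficient balance"},
    {"txid": "tx-valid-02", "type": "Simple Send", "propertyid": 31,
     "referenceaddress": DEPOSIT_ADDRESS, "amount": "1000.00000000",
     "confirmations": 12, "valid": True},
]

def flawed_check(tx: Dict, deposit_address: str) -> bool:
    """The logic SlowMist described: address, asset and confirmations
    are checked, but the `valid` field is never consulted."""
    return (tx.get("referenceaddress") == deposit_address
            and tx.get("propertyid") == USDT_PROPERTY_ID
            and tx.get("confirmations", 0) >= MIN_CONFIRMATIONS)

def hardened_check(tx: Dict, deposit_address: str) -> bool:
    """Credit only a confirmed Simple Send whose Omni validity flag is
    literally True; a missing or falsy field is treated as invalid."""
    return (tx.get("valid") is True
            and tx.get("type") == "Simple Send"
            and flawed_check(tx, deposit_address))

def credited_amount(txs: List[Dict], deposit_address: str,
                    check: Callable[[Dict, str], bool]) -> Decimal:
    """Total USDT an exchange would credit under the given check."""
    return sum((Decimal(tx["amount"]) for tx in txs
                if check(tx, deposit_address)), Decimal(0))

def fake_deposit_txids(txs: List[Dict], deposit_address: str) -> List[str]:
    """Transactions the flawed check accepts but the hardened one rejects:
    exactly the 'fake deposits' worth alerting on and reconciling."""
    return [tx["txid"] for tx in txs
            if flawed_check(tx, deposit_address)
            and not hardened_check(tx, deposit_address)]

if __name__ == "__main__":
    print("flawed credits:  ", credited_amount(SAMPLE_TXS, DEPOSIT_ADDRESS, flawed_check))
    print("hardened credits:", credited_amount(SAMPLE_TXS, DEPOSIT_ADDRESS, hardened_check))
    print("fake deposits:   ", fake_deposit_txids(SAMPLE_TXS, DEPOSIT_ADDRESS))
```

Under the flawed check both sends are credited (2000 USDT) although only one of them moved real funds; the hardened check credits 1000 USDT and surfaces the invalid txid for investigation.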