Tether Code Flaw Rumors Turn out to be Exchange Integration Flaw


Rumors surfaced yesterday that claimed the code for Tether’s stable-currency, USDT, had a flaw that allowed it to be double spent if exploited.

The rumors were found to be entirely false, and it now appears that the double spend issue is the result of an exchange integration flaw.  The falsity of the rumors was confirmed by blockchain security group Slow Mist as well as Tether themselves.  

The rumors were originally propagated by Slow Mist, a Chinese security firm, who explained the perceived vulnerability in a lengthy Twitter post.  The firm explained that they were able to send USDT to an undisclosed cryptocurrency exchange by entering false field values in the transaction. This vulnerability would allow individuals to be credited tokens without actually sending any USDT to pay for them.  

Their tweet caused a significant amount of fear amongst the cryptocurrency community, which is on edge after all the potential issues surrounding USDT and Tether.  If found to be true, the double-spend malfunction would have been impactful to the markets. 

Shortly after Slow Mist sent the tweet, the founder of OmniLayer, the platform upon which USDT was developed, explained the malfunction, saying:

“It appears that what happened here is that an exchange wasn’t checking the valid flag on transactions. They accepted a transaction with valid=false (which they should not have), and then the second “double spend” transaction had valid=true, which they also accepted. Unless I am missing something, this is just poor exchange integration.”

Tether also released a statement to several news organizations, saying:

“Rather, it was due to a faulty integration of Tether at the exchange level. While we can't exercise much control over how exchanges execute the integration process, we've provided integration guides in this instance to help solve the issue and will continue to assist any other exchanges in their USDT integration processes."

Slow Mist later released a follow up statement, confirming that the issue they originally thought to be the fault of Tether was in fact an issue with the exchange’s integration of the USDT protocol. 

 "There was no Tether vulnerability [itself], but rather poor handling of incoming transactions. We have updated Twitter to explain this issue. We are sorry to say that the previous description did not express clearly," the security company said.

Several exchanges, including OKEx and ZB.com, confirmed that they were unaffected by this issue.