Crypto Currency News
Ethereum Classic

$ 4.6 million in Filecoin ‘Double Deposited’ on Binance; Exploit Open on Other Exchanges

The real problem that Bitcoin’s proof-of-work design was supposed to end up with was just taking place on the Filecoin (FIL) network – well, kind of.

According to Filecoin miners at Filfox and FileStar, Binance processed a “double deposit” from FIL worth several million dollars on Wednesday. This is not a true double issue in the chain, but Binance did credit the miners’ Filecoin account twice after making a deposit due to a “fatal error” in the Filecoin RPC (Remote Procedure Call) code.

“Double spending” occurs when the same funds are spent twice on a blockchain. Bitcoin’s proof-of-work algorithm was designed to make this a virtual impossibility. However, it appears that the RPC codes for Filecoin, a blockchain distributed storage project created by Protocol Labs, have a bug where users can trick exchanges into accepting a deposit twice.

Connected: Bitcoin IRA reports that customers have invested over $ 100 million in the IRA earn program

“The RPC channel is the information channel for exchanges to verify that deposits are legitimate. They don’t check directly. Instead, they send a message over the channel, “Hey, is this guy’s deposit good?” And they get a response from FileCoins Software that says “yes” or “no”, “Bitcoin developer Dustin Dettmer explained in a message to CoinDesk.

However, he added that the process that Filecoin developers have been using when exchanging to verify deposits contains a critical flaw that allows users to deposit the same coins repeatedly.

“That way, hackers can write a single check but deposit it again as many times as they want – much like the way kids tied strings to quarters in the amusement arcade to play forever with a single coin,” said Dettmer. “Except here the consequences are more drastic. Unlimited amounts of real money could be stolen. “

The mishap could more correctly be called a “double deposit” as this error did not result in a true double spending, and the miners who discovered it believe they have found other cases as well.

The Filecoin RBF “Double Deposit” error

Connected: Tau Protocol Debuts Hashrate Token Use for Bitcoin Rewards

The mining collective Filfox and FileStar discovered the bug on Wednesday after it was accidentally exploited. After a 61,000 FIL transaction (valued at roughly $ 4.6 million) took too long, the team kicked the fee with a replace-by-fee (RBF) transaction to speed it up.

A fee-for-replacement transaction occurs when a user submits a new transaction to replace an older, unconfirmed transaction and attaches a higher mining fee to it to expedite confirmation.

However, this RBF transaction resulted in the deposit showing up on their Binance account twice, effectively converting FIL 61,000 into FIL 120,000. The problem is that the second 61k-FIL never really hit Binance’s wallet – Binance was tricked into crediting the deposits twice due to a bug in Filecoin’s RPC codes. The team immediately alerted Binance and Protocol Labs.

Essentially, the error meant that Binance saw both transactions, ignored that they were in conflict, and accepted both (for a transaction by replace with fee, usually the second transaction with a higher fee is considered valid while the first is rejected).

Every exchange with Filecoin trading pairs uses the same RPC code “StateGetReceipt” to process deposits. Therefore, in theory, the flaw can be exploited on any exchange where the token is traded, the team said.

“Protocol Labs suggested that the exchange get message fetches from RPC StateGetReceipt, which has a fatal error. If there are two messages in the chain with the same sender and the same nonce (which means double spending), StateGetReceipt will return the same result for both, ”a Filecoin developer told mining companies in their correspondence.

Filecoin deposits in Binance, Huobi and other countries were then suspended, the miners said. CoinDesk has reached out to popular exchanges Binance, Huobi, and OKEx to verify these claims, but has only heard from Binance, who said FIL deposits “resumed” starting March 19, 2021 at 00:45 UTC and the systems are back to normal “.

Filecoin developers opened a GitHub issue to work on a fix, and the team posted a post-mortem issue in case the issue arises. In correspondence with CoinDesk, they denied that the bug was due to an RPC bug, claiming instead that it was due to “misunderstandings” and “abuse” at Binance.

“There is no RPC error. The problem resulted from the incorrect use of APIs from the exchange in question. We don’t know of any other exchange that made a similar mistake, ”said Filecoin’s team. “The team will work with exchanges to review their deposit mechanism and avoid future problems.”

FIL fell 4.5% on the day.

This is a developing story.

Updated Thursday, March 18, 2021, 21:57 UTC: Additional comments from the Filecoin team have been added and changes made to clarify that the exploit was a “double deposit” on Binance and not a “double spending” in the chain.

Updated Thursday, March 19, 2021, 1:35 p.m .: comments from Binance added.

similar posts

The views and opinions expressed are those of the author and do not necessarily reflect those of Nasdaq, Inc.

Comments are closed.