The very problem Bitcoin’s proof-of-work design was meant to stop just took place on the Filecoin (FIL) network – well, sort of.
According to Filecoin miners at Filfox and FileStar, Filecoin’s network processed a semi-double spend on Wednesday worth millions of dollars. The double spend did not happen on-chain, but Binance credited the miners’ FIL deposit twice due to a “serious bug” in Filecoin’s remote procedure call (RPC) code.
A “double spend” occurs when the same funds on a blockchain are spent twice; Bitcoin’s proof-of-work algorithm was designed to make this a virtual impossibility. But it appears a bug in Filecoin’s code, a blockchain project for distributed storage built by Protocol Labs, allows users to trick exchanges into accepting a deposit twice.
Related: The Art of Scarcity
“The RPC channel is the information channel for exchanges to verify deposits are legitimate. They don’t verify directly — instead they send a message through the channel saying, ‘Hey, is this guy’s deposit any good?’ And they get a response back from FileCoin’s software saying ‘yes’ or ‘no,’” Bitcoin developer Dustin Dettmer explained in a message to CoinDesk.
However, he added, the process Filecoin developers gave to exchanges to verify deposits includes a critical flaw that allows users to deposit the same coins repeatedly.
“This allows hackers to write a single check but re-deposit it as many times as they like — similar to how kids, in the arcade, used to tie strings to quarters to play forever using a single coin,” said Dettmer. “Except here the consequences are more drastic, unlimited amounts of real funds could be stolen.”
The mishap could more correctly be called a “double deposit,” since this bug did not result in a true double spend, and the miners who discovered it believe they have found other instances, as well.
The Filecoin RBF ‘double deposit’ bug
Related: YouTube Star Jake Paul Reportedly “Discussed” Creating His Own Crypto: Good or Bad Idea?
The Filfox and FileStar mining collective discovered the bug yesterday after accidentally exploiting it. After a 61,000 FIL transaction (worth roughly $4.6 million) to the exchange was taking too long, the team bumped the fee with a “replace-by-fee” (RBF) transaction to speed it up.
A replace-by-fee transaction takes place when a user broadcasts a new transaction to replace an older, unconfirmed transaction and attaches a higher mining fee to it, with the goal of speeding up its confirmation.
This RBF transaction, however, resulted in the deposit showing up in their Binance account twice, effectively turning 61,000 FIL into 120,000 FIL. The problem is that the second 61k FIL never actually hit Binance’s wallet – Binance was tricked into crediting the deposits twice because of a bug in Filecoin’s RPC codes. The team immediately alerted Binance and Protocol Labs.
Essentially, the bug meant that Binance saw both transactions, ignored that they were conflicting and accepted both (for a replace-by-fee transaction, usually, the second, higher fee transaction is considered valid while the first is rejected).
Every exchange with Filecoin trading pairs uses the same `StateGetReceipt` RPC code to process deposits, so the bug is theoretically exploitable on any exchange that trades the token, the team said.
“Protocol Labs suggested that exchanges fetch message receipts from RPC StateGetReceipt, which has a serious bug. When there are two messages with the same sender and same nonce on chain, (which means a double spend), StateGetReceipt returns the same result for both of them,” a Filecoin developer told the mining firms in their correspondence.
Filecoin developers have opened a GitHub issue to work on a fix for the bug.
Deposits for Filecoin at Binance, Huobi and others have been halted as a result, the miners said. CoinDesk has reached out to popular exchanges Binance, Huobi and OKEx to verify these claims, but has not yet received a response.
“The team has investigated the issue and haven’t identified any problems with the Filecoin network. We are confident that there is no double-spend on the blockchain itself. We understand that the exchange in question is reviewing their deposit processing logic to understand what went wrong, and avoid any future issues,” the Filecoin team said in a statement to CoinDesk.
This is a developing story.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.
Go to Source