$4.6M in Filecoin ‘Double Deposited’ on Binance; Exploit Open on Other Exchanges


The very problem Bitcoin’s proof-of-work design was meant to stop just took place on the Filecoin (FIL) network – well, sort of.

According to Filecoin miners at Filfox and FileStar, Filecoin’s network processed a semi-double spend on Wednesday worth millions of dollars. The double spend did not happen on-chain, but Binance credited the miners’ FIL deposit twice due to a “serious bug” in Filecoin’s remote procedure call (RPC) code. 

A “double spend” occurs when the same funds on a blockchain are spent twice; Bitcoin’s proof-of-work algorithm was designed to make this a virtual impossibility. But it appears a bug in the code of Filecoin, a blockchain project for distributed storage built by Protocol Labs, allows users to trick exchanges into accepting a deposit twice.

“The RPC channel is the information channel for exchanges to verify deposits are legitimate. They don’t verify directly — instead they send a message through the channel saying, ‘Hey, is this guy’s deposit any good?’ And they get a response back from FileCoin’s software saying ‘yes’ or ‘no,’” Bitcoin developer Dustin Dettmer explained in a message to CoinDesk. 

However, he added, the process Filecoin developers gave to exchanges to verify deposits includes a critical flaw that allows users to deposit the same coins repeatedly.

“This allows hackers to write a single check but re-deposit it as many times as they like — similar to how kids, in the arcade, used to tie strings to quarters to play forever using a single coin,” said Dettmer. “Except here the consequences are more drastic, unlimited amounts of real funds could be stolen.”

The mishap could more correctly be called a “double deposit,” since this bug did not result in a true double spend, and the miners who discovered it believe they have found other instances, as well. 

The Filecoin RBF ‘double deposit’ bug

The Filfox and FileStar mining collective discovered the bug yesterday after accidentally exploiting it. When a 61,000 FIL transaction (worth roughly $4.6 million) to the exchange was taking too long to confirm, the team bumped the fee with a “replace-by-fee” (RBF) transaction to speed it up.

A replace-by-fee transaction takes place when a user broadcasts a new transaction to replace an older, unconfirmed transaction and attaches a higher mining fee to it, with the goal of speeding up its confirmation.

This RBF transaction, however, resulted in the deposit showing up in their Binance account twice, effectively turning 61,000 FIL into 120,000 FIL. The problem is that the second 61k FIL never actually hit Binance’s wallet – Binance was tricked into crediting the deposit twice because of a bug in Filecoin’s RPC code. The team immediately alerted Binance and Protocol Labs.

Essentially, the bug meant that Binance saw both transactions, ignored that they were conflicting and accepted both. (For a replace-by-fee transaction, the second, higher-fee transaction is usually considered valid while the first is rejected.)

Every exchange with Filecoin trading pairs uses the same `StateGetReceipt` RPC code to process deposits, so the bug is theoretically exploitable on any exchange that trades the token, the team said.

“Protocol Labs suggested that exchanges fetch message receipts from RPC StateGetReceipt, which has a serious bug. When there are two messages with the same sender and same nonce on chain, (which means a double spend), StateGetReceipt returns the same result for both of them,” a Filecoin developer told the mining firms in their correspondence.
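The deposit-crediting failure described above, and a check that closes it, as an added example that is not code from Filecoin, Binance or the original article. `ToyNode`, its `executed_cid` receipt field, the addresses and the CID labels are assumptions of this toy model; only the behaviour (the same receipt for two messages sharing a sender and nonce) comes from the quote.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    cid: str      # constructed label, not a real CID
    sender: str
    nonce: int
    to: str
    value: int    # FIL

class ToyNode:
    """Constructed stand-in for a node: one message executes per (sender, nonce)."""
    def __init__(self, executed):
        self.executed = {(m.sender, m.nonce): m for m in executed}

    def get_receipt(self, msg):
        # Models the quoted behaviour: the lookup is effectively by sender and
        # nonce, so a replaced message gets the receipt of its replacement.
        hit = self.executed.get((msg.sender, msg.nonce))
        return None if hit is None else {"exit_code": 0, "executed_cid": hit.cid}

def credit_naive(node, seen, wallet):
    """Credits every observed message that comes back with a successful receipt."""
    total = 0
    for m in seen:
        r = node.get_receipt(m)
        if m.to == wallet and r and r["exit_code"] == 0:
            total += m.value
    return total

def credit_hardened(node, seen, wallet):
    """Credits once per (sender, nonce), and only the message that executed."""
    total, done = 0, set()
    for m in seen:
        r = node.get_receipt(m)
        key = (m.sender, m.nonce)
        if m.to != wallet or not r or r["exit_code"] != 0:
            continue
        if r["executed_cid"] != m.cid or key in done:
            continue  # replaced message, or this nonce was already credited
        done.add(key)
        total += m.value
    return total

# Constructed sample: the original transfer and its fee-bumped replacement.
ORIGINAL = Message("cid-original", "f1miner", 7, "f1exchange", 61000)
BUMPED = Message("cid-bumped", "f1miner", 7, "f1exchange", 61000)
NODE = ToyNode(executed=[BUMPED])   # only the replacement moved funds
SEEN = [ORIGINAL, BUMPED]           # the exchange observed both messages
```

Reconciling credited totals against the deposit wallet's actual on-chain balance is a second, independent check that would also expose the mismatch.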

Filecoin developers have opened a GitHub issue to work on a fix for the bug.

Deposits for Filecoin at Binance, Huobi and others have been halted as a result, the miners said. CoinDesk has reached out to popular exchanges Binance, Huobi and OKEx to verify these claims, but has not yet received a response.

“The team has investigated the issue and haven’t identified any problems with the Filecoin network. We are confident that there is no double-spend on the blockchain itself. We understand that the exchange in question is reviewing their deposit processing logic to understand what went wrong, and avoid any future issues,” the Filecoin team said in a statement to CoinDesk.

This is a developing story.

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.

Author: CoinDesk