Tether Exchange Vulnerability Raises Security Concerns, New Research Suggests USDT Wash Trading on Kraken
This week, the US dollar-pegged stablecoin Tether once again captured the cryptocurrency community's attention for the wrong reasons, as a poorly implemented Tether integration at an exchange resulted in the successful execution of a double spend.
Tether’s tenuous relationship with the cryptocurrency market has been further stressed by an in-depth investigation into USDT movement on Kraken that experts labeled as “indicative of wash trading.”
Concern regarding the integrity of Tether code was sparked on June 28, 2018, when Chinese blockchain cybersecurity company SlowMist posted a tweet presenting evidence of a potential security vulnerability being exploited to execute a double spend:
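When confirming whether a USDT deposit transaction has succeeded, exchanges have a logic flaw: they do not verify whether the value of the valid field in the on-chain transaction details is true, which leads to "fake deposits". The user loses no USDT yet successfully deposits USDT to the exchange, and these USDT can be traded normally.
We have confirmed that real attacks have occurred! Affected exchanges should suspend USDT deposits as soon as possible and check their own code for this logic flaw. pic.twitter.com/EPzZIsZFzH
— SlowMist (@SlowMist_Team) June 28, 2018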
Translated, the tweet reveals that by sending a transaction to an unnamed exchange without entering correct field values on a transaction, a user was able to successfully execute a double spend. JR Willett, the founder of OmniLayer — the platform upon which Tether was built — commented on the exploit via Reddit, providing an explanation of the vulnerability:
“It appears that what happened here is that an exchange wasn’t checking the valid flag on transactions. They accepted a transaction with valid=false (which they should not have), and then the second “double spend” transaction had valid=true, which they also accepted.”
The double spend, according to Willett, occurred not due to a flaw in the Tether code, but instead with the exchange itself, which failed to integrate Tether in a secure manner:
“Unless I am missing something, this is just poor exchange integration.”
Tether Releases Statement, Exchanges Respond
Tether was quick to assuage fears about the security of the code that drives the USDT token, taking to Twitter to post an update denying culpability for the exploit:
Yesterday's #USDT issue was related to the implementation logic of a specific exchange and not with either Tether or the OMNI Protocol.
Please refer to the following guide for OMNI core integration best practises: https://t.co/SSgKBGrIeL https://t.co/TJZLrFP9ZI
— Tether (@Tether_to) June 29, 2018
OKEx issued a public statement subsequent to the SlowMist announcement, notifying users that the exchange is aware of the loophole and is not exposed, shedding light on the method through which the exploit is executed:
“When a digital asset exchange is processing a USDT deposit, it may fail to verify if the validity of the transaction is “true”. So, a user’s account can be credited with USDT, even if the deposit failed, and the user will be able to trade with the tokens credited.”
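The missing check that Willett and OKEx describe can be shown in a short deposit-crediting routine. This is an added example, not code from any exchange, Tether or Omni; the records are constructed and shaped like Omni Core's omni_gettransaction output, and the property id, confirmation threshold, address and function names are assumptions.

```python
from decimal import Decimal

USDT_PROPERTY_ID = 31   # assumption: USDT's property id on the Omni Layer
MIN_CONFIRMATIONS = 6   # assumption: example exchange policy, not from the article

# Constructed sample records (hypothetical txids and address).
SAMPLE_TXS = [
    {"txid": "tx-a", "referenceaddress": "EXCHANGE_ADDR", "propertyid": 31,
     "amount": "1000.0", "confirmations": 8, "valid": False},  # failed send
    {"txid": "tx-b", "referenceaddress": "EXCHANGE_ADDR", "propertyid": 31,
     "amount": "500.0", "confirmations": 8, "valid": True},    # genuine deposit
    {"txid": "tx-c", "referenceaddress": "EXCHANGE_ADDR", "propertyid": 31,
     "amount": "250.0", "confirmations": 8},                   # valid field absent
]

def credit_naive(tx, deposit_addrs):
    """Flawed logic: any confirmed transaction naming our address is credited."""
    if tx.get("referenceaddress") in deposit_addrs:
        return Decimal(tx["amount"])
    return Decimal("0")

def credit_checked(tx, deposit_addrs, seen_txids):
    """Credit only what the Omni layer itself reports as a valid USDT transfer."""
    if tx.get("valid") is not True:            # False, missing or "true" all fail
        return Decimal("0")
    if tx.get("propertyid") != USDT_PROPERTY_ID:
        return Decimal("0")
    if tx.get("confirmations", 0) < MIN_CONFIRMATIONS:
        return Decimal("0")
    if tx.get("referenceaddress") not in deposit_addrs:
        return Decimal("0")
    if tx["txid"] in seen_txids:               # never credit the same txid twice
        return Decimal("0")
    seen_txids.add(tx["txid"])
    return Decimal(tx["amount"])

def total_credited(txs, deposit_addrs, checked):
    """Sum the credits a batch of transactions would produce under either policy."""
    seen, total = set(), Decimal("0")
    for tx in txs:
        if checked:
            total += credit_checked(tx, deposit_addrs, seen)
        else:
            total += credit_naive(tx, deposit_addrs)
    return total

if __name__ == "__main__":
    addrs = {"EXCHANGE_ADDR"}
    print("naive:  ", total_credited(SAMPLE_TXS, addrs, checked=False))
    print("checked:", total_credited(SAMPLE_TXS, addrs, checked=True))
```

The strict `is not True` comparison makes the check fail closed when the field is missing or has an unexpected type.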
New Analysis Hints Toward Suspicious USDT Activity
While the small-scale double spend controversy appears to stem from a minor exchange implementation issue, a new study released by Bloomberg on Tether trading activity on popular cryptocurrency exchange Kraken may have far more serious implications.
Published via Bloomberg by a group of analysts on June 29, the analysis examined Kraken order book data that consisted of 56,000 trades between May 1 and June 22, revealing several data points that market experts have highlighted as potentially indicative of wash trading.
The impact of wash trading and unscrupulous liquidity management techniques within the cryptocurrency market is a pressing issue in the current crypto ecosystem. The Bloomberg study, performed with assistance from New York University Professor Rosa Abrantes-Metz and former Federal Reserve bank examiner Mark Williams, found several “red flags” associated with market manipulation.
Strangely specific order sizes extending to over 5 decimal places occurred frequently within the dataset examined by the investigative team, a factor that caused Abrantes-Metz and Williams to “suspect that such numbers could be signals to cheaters’ automated trading programs — triggering automated wash trading.”
Williams commented on the suspicious nature of transactions expressing a fifth decimal point:
“Many of the trade amounts are frequently occurring to the fifth decimal point, a unique identifier which increases the probability it is being generated by the same person or entity.”
University of Texas Professor John Griffin, who published a study on USDT-assisted Bitcoin price manipulation that shook the cryptocurrency market last month, stated in an interview with Bloomberg that the data provided by the study was “suggestive of wash trading”:
“Not sure what the motivation is. The more I looked into it, the more sketchy it seemed … No human would enter that order. It doesn’t make sense.”
Kraken Chief Executive Officer Jesse Powell, however, denies that the exchange has any involvement with Tether-related market manipulation in a statement issued to Bloomberg:
“Nothing looks out of place to us in our publicly available data feed.”