$4.6M in Filecoin 'Double Deposited' on Binance; Exploit Open on Other Exchanges

The very problem Bitcoin’s proof-of-work design was meant to stop just took place on the Filecoin (FIL) network – well, sort of.

According to developers at Filfox and FileStar, Binance processed a "double deposit" of FIL on Wednesday worth millions of dollars. This is not a true, on-chain double spend, but Binance credited the account for filecoin miner 6Block (the parent of Filfox and Filestar) twice for one deposit due to a “serious bug” in Filecoin’s remote procedure call (RPC) code. 

A “double spend” occurs when the same funds on a blockchain are spent twice; Bitcoin’s proof-of-work algorithm was designed to make this a virtual impossibility. But it appears that the RPC codes for Filecoin, a blockchain project for distributed storage built by Protocol Labs, feature a flaw where users can trick exchanges into accepting a deposit twice.

“The RPC channel is the information channel for exchanges to verify deposits are legitimate. They don’t verify directly. Instead, they send a message through the channel saying, ‘Hey, is this guy’s deposit any good?’ And they get a response back from their Filecoin node saying ‘yes’ or ‘no,’” Bitcoin developer Dustin Dettmer explained in a message to CoinDesk. 

However, he added, the process Filecoin developers gave to exchanges to verify deposits includes a critical flaw that allows users to deposit the same coins repeatedly.

“This allows hackers to write a single check but re-deposit it as many times as they like – similar to how kids, in the arcade, used to tie strings to quarters to play forever using a single coin,” said Dettmer. “Except here the consequences are more drastic. Unlimited amounts of real funds could be stolen.”

The mishap could more correctly be called a “double-deposit” because this bug did not result in a true double-spend, and the miners who discovered it believe they have found other instances as well. 

The 6Block collective discovered the bug Wednesday after accidentally exploiting it. After a 61,000 FIL transaction (worth roughly $4.6 million) to the exchange was taking too long, the team bumped the fee with a “replace-by-fee” (RBF) transaction to speed it up. 

A replace-by-fee transaction takes place when a user broadcasts a new transaction to replace an older, unconfirmed transaction and attaches a higher mining fee to it, with the goal of speeding up its confirmation.

This RBF transaction, however, resulted in the deposit showing up in their Binance account twice, effectively turning 61,000 FIL into 120,000 FIL. The problem is the second 61k FIL never actually hit Binance’s wallet – Binance was tricked into crediting the deposits twice because of a bug in Filecoin’s RPC codes. The team immediately alerted Binance and Protocol Labs. 

Essentially, the bug meant Binance saw both transactions, ignored that they were conflicting and accepted both (for a replace-by-fee transaction, usually, the second, higher fee transaction is considered valid while the first is rejected).

Every exchange with Filecoin trading pairs uses the same "StateGetReceipt" RPC code to process deposits, so the bug is theoretically exploitable on any exchange that trades the token, the team said.

"Protocol Labs suggested that exchanges fetch message receipts from RPC StateGetReceipt, which has a serious bug. When there are two messages with the same sender and same nonce on-chain, (which means a double-spend), StateGetReceipt returns the same result for both of them,” a Filecoin developer told the mining firms in their correspondence.

Deposits for Filecoin at Binance, Huobi and others have been halted as a result, the miners said. CoinDesk has reached out to popular exchanges Binance, Huobi and OKEx to verify these claims, but only heard back from Binance, who said that FIL deposits "resumed as of March 19, 2021 at 00:45 UTC and systems are back to normal."

Filecoin developers have opened a GitHub issue to work on a fix and the team has published a post-mortem if the issue. In correspondence with CoinDesk, they denied that the flaw resulted from an RPC error and instead claimed it originated from "misunderstanding" and " misuse" on Binance’s end. 

"There is no RPC bug. The issue resulted from incorrect usage of APIs from the exchange in question. We do not know of any other exchange that has made a similar mistake," Filecoin's team said. "The team will work with exchanges to audit their deposit mechanism to avoid future issues."

FIL is down 4.5% on the day.

This is a developing story.

Updated Thursday, March 18, 2021, 21:57 UTC: Additional comments from Filecoin team added and edits made to clarify that the exploit was a "double deposit" on Binance, not a "double spend" on-chain.

Updated Thursday, March 19, 2021, 13:35: Comments from Binance added.