Double spending is simply the risk that a unit of digital currency can be spent twice. The problem is particularly relevant to digital currencies because digital information can be reproduced easily. Although digital currencies existed before Bitcoin, Bitcoin's primary innovation was a way to solve the double spending problem using a blockchain.
Yesterday, a Chinese cybersecurity firm called 'SlowMist' identified a double spending vulnerability affecting the stablecoin Tether (USDT).
Upon investigating, SlowMist found that they could send USDT to an unnamed exchange without the correct field values set in the transaction, meaning that users could be credited for tokens on the exchange without actually having to send them. This amounts to double spending.
When the exchange confirms whether a USDT deposit transaction succeeded, there is a logic flaw: it does not verify that the valid field in the transaction details on the blockchain is true. This leads to a "fake deposit": the user loses no USDT yet successfully deposits USDT to the exchange, and these USDT can be traded normally.
— SlowMist (@SlowMist_Team) June 28, 2018
Craig Sellars, the Founder of Omni Layer (the protocol behind Tether USDT), later responded to this discovery:
“It appears that what happened here is that an exchange wasn’t checking the valid flag on transactions. They accepted a transaction with valid=false (which they should not have), and then the second “double spend” transaction had valid=true, which they also accepted. Unless I am missing something, this is just poor exchange integration.”
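Sellars' explanation maps directly onto the deposit-handling code of an exchange. The following is an added example, not code from SlowMist, Omni or any exchange: a minimal deposit-confirmation check over records shaped like Omni Core's `omni_gettransaction` output, with the flawed logic that ignores `valid` beside a hardened version. The confirmation threshold, addresses and transaction records are constructed or assumed for illustration.

```python
from decimal import Decimal

USDT_PROPERTY_ID = 31          # Tether USD's property id on the Omni Layer
MIN_CONFIRMATIONS = 6          # assumed exchange policy, not from the article
DEPOSIT_ADDRESS = "1DepositAddrPlaceholderXXXXXXXXXX"  # placeholder, not a real address

# Constructed records in the shape of Omni Core's `omni_gettransaction` output.
# FAKE_DEPOSIT mimics the "fake deposit": Bitcoin confirmed the transaction, but
# the Omni layer marks it invalid because the sender held no USDT.
FAKE_DEPOSIT = {
    "txid": "aa" * 32,                                  # constructed txid
    "type_int": 0, "type": "Simple Send",
    "propertyid": USDT_PROPERTY_ID, "amount": "100000.00000000",
    "sendingaddress": "1SenderAddrPlaceholderXXXXXXXXXXX",  # placeholder
    "referenceaddress": DEPOSIT_ADDRESS,
    "confirmations": 12,
    "valid": False,
    "invalidreason": "Sender has insufficient balance",
}
REAL_DEPOSIT = dict(FAKE_DEPOSIT, txid="bb" * 32, valid=True)
REAL_DEPOSIT.pop("invalidreason")


def credit_vulnerable(tx, deposit_address=DEPOSIT_ADDRESS):
    """Flawed integration: credits any confirmed USDT send to our address."""
    if tx["referenceaddress"] != deposit_address or tx["propertyid"] != USDT_PROPERTY_ID:
        return Decimal(0)
    if tx["confirmations"] < MIN_CONFIRMATIONS:
        return Decimal(0)
    return Decimal(tx["amount"])   # the fake deposit is credited here


def credit_hardened(tx, deposit_address=DEPOSIT_ADDRESS):
    """Credits a deposit only when the Omni layer itself reports it valid."""
    # Compare with `is True` so a missing or null field fails closed.
    if tx.get("valid") is not True:
        return Decimal(0)
    if tx.get("type_int") != 0:    # only a Simple Send moves tokens to us
        return Decimal(0)
    if tx.get("referenceaddress") != deposit_address:
        return Decimal(0)
    if tx.get("propertyid") != USDT_PROPERTY_ID:
        return Decimal(0)
    if tx.get("confirmations", 0) < MIN_CONFIRMATIONS:
        return Decimal(0)
    amount = Decimal(tx["amount"])
    return amount if amount > 0 else Decimal(0)
```

The hardened check also rejects records where `valid` is absent, which matters when an RPC call returns a partial or errored response.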
Although this appears to be primarily an exchange problem, Tether has frequently been in the news for other controversial reasons. Most recently, it issued another $250 million in new tokens, leading many to question whether the tokens were really still backed 1-to-1 by US Dollar reserves.
However, a double spending controversy arguably has far more serious implications, as it means the loophole could potentially be exploited without limit.
People could make false transactions that an exchange would register as genuine, granting them tokens they never had to hold (in other words, their money would literally come from thin air).
Any exchange involved in this mishap could seriously damage its reputation as a result of the faulty record keeping created by double spending incidents. In the meantime, OKEx, the second largest exchange, put out a statement clarifying to users that it had performed the necessary tests when notified of the news and confirmed that it is not exposed to any damage.
The anonymous exchange involved in this incident should be relieved that it was not exposed, and should be taking all measures necessary to rectify the situation before any significant vulnerability ensues.