Due to a bug in the Filecoin wallet’s remote procedure call (RPC), Binance processed a “double” deposit. As a result of the repeated transaction, the user’s account received 122,000 FIL instead of 61,000 FIL.
Filecoin miners reported that sending a “replacement” transaction resulted in the user’s exchange wallet being credited with twice the amount of FIL they sent. This was due to a bug in the Remote Procedure Call (RPC) code of the Filecoin wallet. The error did not lead to a real “double spend” on the blockchain; that is, consensus was not broken. The double crediting was due to “excess trust” on the part of Binance.
Bitcoin developer Dustin Dettmer explained that RPC is an information channel through which exchanges can verify the “legitimacy” of a deposit. However, the exchanges do not verify the deposit themselves; they ask through this channel whether the deposit is acceptable, and the Filecoin wallet program gives them a positive or negative response. This deposit verification process has a serious drawback: it allows the same coins to be deposited multiple times.
“Despite just one check, hackers can make deposits as many times as they want. It can be compared to tying money to a string to play slot machines forever using the same coin. In our case, the consequences are more dramatic. Hackers can steal unlimited real money,” Dettmer said. Filecoin miners discovered this problem by accident. The 61,000 FIL (about $4.6 million) transaction was taking too long, so they decided to execute the transaction with the “replace-by-fee” (RBF) feature.
In this case, the user can replace the old transaction with a new one that pays a higher fee to speed up confirmation. Usually, when the fee is changed, the first transaction is rejected, and the second transaction with the higher fee is considered valid.
Instead, the deposit was credited a second time, and double the amount, 122,000 FIL, appeared at the user’s address. A bug in the RPC code tricked Binance: the exchange saw both transactions, ignored their conflict, and accepted both. Miners immediately notified Binance and Filecoin developer Protocol Labs. Each exchange that trades Filecoin cryptocurrency uses the same RPC code, StateGetReceipt, to process deposits.
Therefore, theoretically, such errors could occur on any site that does not require a sufficient number of blockchain confirmations before a deposit is credited. The Filecoin developers have opened a discussion on this issue on GitHub. They deny the existence of bugs in the RPC code and claim that the problem arose on Binance’s side.
However, some exchanges have suspended deposits in the FIL cryptocurrency. As a reminder, the launch of the Filecoin mainnet took place on October 15, 2020. The platform is powered by the InterPlanetary File System (IPFS), allowing users to trade unused storage volumes using the FIL cryptocurrency.
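The deposit check discussed above, as an added example that is not code from Binance, Protocol Labs or the article: a ledger that credits a deposit only once per sender and nonce and only after a minimum confirmation depth, shown beside the flow that credits every positive lookup. It relies on the fact that a Filecoin replacement message reuses the sender's nonce; the class and function names, the sample CIDs and address, the `on_chain_cid` input and the 3-confirmation threshold are assumptions made for the illustration.

```python
from dataclasses import dataclass

MIN_CONFIRMATIONS = 3  # assumed policy value, not a figure from the article

@dataclass(frozen=True)
class Message:
    cid: str     # message identifier (constructed sample value)
    sender: str  # depositing address (constructed sample value)
    nonce: int   # a replacement message reuses the sender's nonce
    value: int   # amount in FIL

def naive_credit(messages):
    """Over-trusting flow: credit every message the lookup reports as successful."""
    return sum(m.value for m in messages)

class DepositLedger:
    """Credits at most one deposit per (sender, nonce) slot."""
    def __init__(self, min_confirmations=MIN_CONFIRMATIONS):
        self.min_confirmations = min_confirmations
        self.credited = {}  # (sender, nonce) -> CID that was credited
        self.balance = 0

    def process(self, msg, receipt_ok, on_chain_cid, confirmations):
        """Return True only when msg is credited.
        receipt_ok: answer of the node's receipt lookup (hypothetical stand-in)
        on_chain_cid: CID actually included on chain for this sender and nonce
        confirmations: depth of the including block"""
        slot = (msg.sender, msg.nonce)
        if not receipt_ok or slot in self.credited:
            return False  # failed lookup, or slot already credited once
        if msg.cid != on_chain_cid:
            return False  # replaced message: it never landed on chain
        if confirmations < self.min_confirmations:
            return False  # too shallow, re-check later
        self.credited[slot] = msg.cid
        self.balance += msg.value
        return True

def demo():
    # Constructed scenario: the lookup answers positively for both messages,
    # but only the replacement was included on chain.
    original = Message("cid-original", "f1sender", 7, 61_000)
    replacement = Message("cid-replacement", "f1sender", 7, 61_000)
    ledger = DepositLedger()
    for m in (original, replacement):
        ledger.process(m, True, "cid-replacement", confirmations=5)
    return naive_credit([original, replacement]), ledger.balance

if __name__ == "__main__":
    print(demo())  # (naive total, guarded total)
```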