Bitfinex's LEO Smart Contract Unusual Code: An Intentional Move to Defraud?
A software “Bug” was discovered recently in the Bitfinex Smart Contract for its LEO token. The bug grants any holder of the LEO token unusual levels of administrative privilegdes. Such priviledges are entirely unusual, though errors in smart contracts has been seen before, this is the first time these types of concerns has been raised concerning smart contracts codes.
Softwares are always with bugs. No matter how much care is put into writing the codes and rechecking, codes are written by humans who unintentionally make mistake. Mistakes which could cause untold damages financially and in other areas of life. In financial applications or softwares, one tiny vulnerability could allow bad actors to take undue advantages of systems and do what they are good for. Damage.
The Bitfinex ERC-20 smart contract code contains permission to enable owners of the Token to mint unlimited new tokens, they also have to ability to delete tokens of other people both in their personal wallets irrespective of the type of wallet. LEO owners are empowered via the vulnerability in the Bitfinex smart contract code to delete anyone’s coins both in centralized and decentralized exchanges.
Bitfinex, one of the world top cryptocurrency exchange was in the news some months ago and for a long time now owing to its shady behaviours as an exchange and also by its relationship to the stable coin Tether (USDT). Owing to financial challenges it was having since its funds were frozen, the embattled cryptocurrency exchange decided to host an Initial Exchange Offering were it aimed at raising xx billion dollars. A move which saw some reactions, however, the exchange later announced it has raised sufficient funds via other means and thus there will be no public sales of the LEO tokens.
In a tweet by the CTO of Bitfinex and Tether Paolo Ardoino, which was a reply to the call out made on the Bitfinex exchange, it appears this “bug” wasn’t in fact one rather it was coded into the contract with Paolo saying “For security and future reasons we left the ability to upgrade the Token Contract. That’s really a key feature for a contract that might live lot of years. Minting more tokens would not just make sense for Finex…like shooting our foot.”
In reaction to this, some twitter users were expressing their opinion on the issue.
6/7 Blockchain and smart contracts need to be trustless. Bitfinex breaks trust here by putting “evil” and “scammy” code here which allows them to cheat and have an unfair advantage over people like you and me.
— Bi od (@heybiod) July 1, 2019
Why does this matter? If you hold leo you trust bitfinex anyway. In fact it protects leo holders because if there was a bug in the smart contract bfx would quickly be able to fix it.
— Matt (@thinkingGBP) July 2, 2019
"Minting more tokens" why have that option in the first place then?
— Gwened (@BroGwened) July 2, 2019
With its reputation in times past, the Bitfinex exchange has a whole lot to contend with at this time however, this revelation presents an important reminder to everyone in cryptospace to not just Trust but Verify.