Tether’s Vulnerability Exposed
A recent investigation by AMLBot has shed light on a serious delay in Tether’s freezing process for USDT held by malicious users, revealing that at least $78 million has been siphoned off due to this inefficiency. The report indicates that the enforcement of on-chain freezes is not as swift as one might expect, creating a significant loophole for criminals to exploit.
The Core Issue
The crux of the problem lies in Tether’s multi-signature contract, which requires multiple approvals before a freeze can be executed. This procedural requirement leaves a gap between the freeze request and its execution, during which illicit actors can transfer USDT to evade restrictions. For instance, an unacceptable delay of 44 minutes was noted between the freeze request and its execution on the Tron network, and $49.6 million has been lost to wrongdoers during such delays since 2017.
“4.88% of the wallets blacklisted due to their supposed illegal activities capitalized on this delay, conducting up to three transactions while the freeze request lingered.”
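To make the request-to-execution gap measurable, here is an added example (not code from AMLBot's report or from Tether) that computes, per address, the freeze delay and the outflow that occurred inside that window. The event records, field names, addresses and amounts are constructed for illustration and do not mirror the real contract's log format.

```python
from collections import defaultdict

# Constructed sample events, not real chain data. Assumed kinds:
#   freeze_submitted - the multisig freeze request becomes visible on-chain
#   freeze_executed  - the blacklist takes effect after the required approvals
#   transfer         - outgoing USDT transfer from the address
EVENTS = [
    {"t": 1000, "kind": "freeze_submitted", "addr": "ADDR_A"},
    {"t": 1600, "kind": "transfer", "addr": "ADDR_A", "amount": 250_000},
    {"t": 2900, "kind": "transfer", "addr": "ADDR_A", "amount": 100_000},
    {"t": 3640, "kind": "freeze_executed", "addr": "ADDR_A"},   # 44 min later
    {"t": 4000, "kind": "transfer", "addr": "ADDR_B", "amount": 70_000},
    {"t": 5000, "kind": "freeze_submitted", "addr": "ADDR_B"},
    {"t": 5300, "kind": "freeze_executed", "addr": "ADDR_B"},
    {"t": 9000, "kind": "freeze_submitted", "addr": "ADDR_C"},  # still pending
    {"t": 9100, "kind": "transfer", "addr": "ADDR_C", "amount": 40_000},
]

def exposure_report(events):
    """Per address: freeze delay and transfers made while the request was pending."""
    submitted, executed = {}, {}
    transfers = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        if e["kind"] == "freeze_submitted":
            submitted.setdefault(e["addr"], e["t"])
        elif e["kind"] == "freeze_executed":
            executed.setdefault(e["addr"], e["t"])
        elif e["kind"] == "transfer":
            transfers[e["addr"]].append((e["t"], e["amount"]))
    report = {}
    for addr, start in submitted.items():
        end = executed.get(addr)                      # None: not yet executed
        upper = end if end is not None else float("inf")
        moved = [amt for t, amt in transfers[addr] if start <= t < upper]
        report[addr] = {
            "delay_s": None if end is None else end - start,
            "pending": end is None,
            "tx_in_window": len(moved),
            "amount_in_window": sum(moved),
        }
    return report

def share_exploiting(report):
    """Fraction of freeze targets that moved funds inside the window."""
    hits = sum(1 for r in report.values() if r["tx_in_window"] > 0)
    return hits / len(report) if report else 0.0

if __name__ == "__main__":
    for addr, row in exposure_report(EVENTS).items():
        print(addr, row)
```

Tracking `delay_s` and `amount_in_window` over time gives an operator a direct measure of whether a process change, such as bundling signatures with the request, actually closes the gap.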
Financial Impact Across Networks
On Ethereum, the total amount withdrawn by malevolent entities reached $28.5 million during the same period, contributing to a combined loss of $78.1 million across both blockchain networks. PeckShield, another cybersecurity firm, has corroborated the existence of this vulnerability but clarified that it stems from operational aspects rather than an inherent flaw in the contract itself.
Recommendations for Improvement
PeckShield advocates for significant improvements to address the timing issues stemming from the multi-signature approval process. They suggest that Tether could streamline the process by bundling freeze requests with the necessary signatures, thus closing the exploitable gap.
Responses from Tether
Tether, the firm behind the most widely used stablecoin, USDT, reports and blacklists addresses suspected of involvement in illegal activities, including transactions linked to high-profile hacks. Although those blacklisted cannot transfer their tokens, the apparent delay in freezing addresses has led AMLBot’s CEO, Slava Demchuk, to assert that nefarious actors are likely developing automated monitoring tools to take advantage of this operational lag.
“These bots may alert criminals to the moment when a freeze request is submitted, allowing them to move their funds before the freeze is activated.”
As of now, Tether has not responded to requests for comment from Decrypt, but updates will follow once a statement is provided.