In brief
-
A delay between the request to freeze an address and its on-chain execution for Tether’s USDT stablecoin was found by blockchain forensics firm AMLBot.
-
Tether blacklists addresses connected to illegal activity, freezing the wallets from moving assets issued by the company.
-
As a result of the freeze delay, AMLBot’s report claims, malicious actors got away with more than $78 million on Ethereum and Tron since 2017.
There is “significant lag” between exchanges saying they’re going to freeze USDT held by malicious addresses and, well, actually doing it, according to a new report from AMLBot.
AMLBot’s report found that on-chain freezing enforcement of Tether’s USDT stablecoin has been sluggish. As a result, the anti-money laundering firm said, at least $78 million has been lost to bad actors on Ethereum and Tron since 2017.
The “laundering loophole” is the result of Tether’s multi-signature contract set up, AMLBot explained in the report.
First, a freeze request is sent on-chain which requires multiple signatures to approve before the freeze can be executed. As a result, a “window of opportunity” is created allowing illicit actors to move funds before their address is frozen.
One example provided in the report showcases a 44 minute delay between the freeze request and confirmation on Tron.
AMLBot claims that $49.6 million has been withdrawn by bad actors on the Tron network since 2017 as a result of the vulnerability. Wallets were able to make up to three transactions during the delay window with 4.88% of blacklisted wallets exploiting the lag on the network.
Meanwhile on Ethereum, the firm found $28.5 million USDT withdrawn within the same timeframe. Totalling $78.1 million across the two chains.
Security firm PeckShield reviewed the report and confirmed that the loophole exists.
“It does not necessarily indicate a problem with the contract itself. Rather, it is an operational issue that creates a time window between when the blacklist transaction is submitted and when it is executed,” a PeckShield spokesperson told Decrypt. “Given the security-sensitive nature of the issue, improvements are definitely necessary.”
Tether is the issuer of the largest stablecoin in crypto USDT, which aims to peg its price to the U.S. dollar. The company blacklists addresses from trading their products if they’re connected to illegal activity, such as wallets linked to the $1.4 billion Bybit hack earlier this year.
Being blacklisted means the address can no longer move Tether issued assets, effectively making the tokens worthless.
However, AMLBot believes malicious actors know of the aforementioned lag and are creating tools to exploit it.
“Tools can be programmed to monitor the blockchain for specific contract interactions, such as submitTransaction() calls linked to freeze requests,” Slava Demchuk, CEO of AMLBot, told Decrypt. “The bots can alert wallet owners the moment a freeze is initiated but before it’s enforced. Given the delay introduced by Tether’s multi-signature process, this provides a narrow but critical window for illicit actors to quickly move funds.”
“While we haven’t directly observed the bots themselves, the on-chain behavior strongly suggests such automation is in play,” he added.
PeckShield warned that the lag is inherent to how multi-sig accounts are designed to function. Simply, it takes time to have multiple people sign a transaction despite it being required in some cases to boost security. The firm suggested that Tether could bundle together the freeze request with the signatures into one transaction to eliminate the window.
Tether did not respond to Decrypt’s request for comment in time for publication, this article will be updated once received.