On 11 November 2021, Binance, the biggest cryptocurrency exchange, reported to its users on an issue with DOGE network withdrawals that had taken place the previous day.
After the network update, the previously failed withdrawals got resent. Binance also informed its users that DOGE network withdrawals would be suspended for the next 10-14 days. According to Binance, the issue was attributable to a technical bug and it affected 1,674 users. Namely, withdrawals took place without users’ consent but the exchange required them to return assets they did not actually have. Binance noted that the issue took place only on its platform since the exchange had a different wallet set-up for DOGE.
The incident affected both the users who received old transactions and could not withdraw DOGE and the users whose DOGE were transferred without their consent. For its part, Binance contacted DOGE developers to address technical issues and asked the users who received old transactions to return the assets. The exchange admitted that it failed to deliver technical excellence to users.
The Twitter account representing Dogecoin Developers shared some clarification on the incident. They noted that the previously stuck transactions had been retried automatically on the node restart following the upgrade. According to the DOGE developers, in the previous versions (1.14.3 and before) the fee was too low for the transactions to be completed, but in the update released shortly before the incident the fees became valid. Although Binance had contacted DOGE developers one year before the incident to work on a similar issue, there is no confirmation of whether Binance followed all the recommendations shared.
In total, the crypto exchange sent close to 23K unintended DOGE transactions worth around $150M, and the tokens sent covered around 1.1% of all DOGE supply.
Hacken auditors first filtered out all transactions belonging to the crypto exchange based on wallet addresses. The transaction inputs and signatures were correct, and there were neither double-spends nor consensus failures. The transfers also used the most standard way of sending transactions: pay-to-public-key-hash (P2PKH). The transactions' nLockTime and inputs indicate that transactions were created 3 years ago, namely between July 2019 and February 2021. At the time of the incident, all transactions were executed in batches within just 4 hours.
Transaction creation timeline
When transactions started appearing, Dogecoin 1.14.0 was the latest available release version. Hacken specialists checked the mempool by setting up the 1.14.0 version, downloading all blocks till 9th November 2021, and executing some problematic transactions. These transactions were rejected because the fee was lower than the minimum relay fee and, generally, Dogecoin does not allow free transactions by default.
Dogecoin 1.10.0 introduced a new algorithm for calculating the minimum relay fee: if the transaction volume is below 1.0 DOGE, an additional 1.0 DOGE fee must be paid. The Dogecoin maintainers did not change the fee calculation algorithm in the wallet, so transactions with at least one output lower than 1 DOGE were rejected by the mempool and stayed in the wallet indefinitely. All filtered transactions with too-low fees had one or more outputs of less than 1 DOGE.
However, the version released on 10th November had lower fees and thus made valid all transactions whose fees had been too low under versions 1.10.0 and 1.14.0.
Graph showing that all transactions with a too-low fee were executed in November 2021 with a minimum 6-month delay
Namely, these transactions were accepted by the mempool, relayed to other nodes, and then executed.
The financial damage was attributable to the delay in transaction execution. The crypto exchange's withdrawal system duplicated transactions, assuming they had been rejected. As a result, there were numerous duplicated withdrawals from Binance, and users got money they were not eligible for. Hacken auditors created a script that allowed us to identify all transactions with too-low fees that were executed with a minimum 6-month delay. As a result, we have identified that 1,478,847,165 DOGE were transferred in 23,653 transactions with a total value of $150M.
Example of an address that received its DOGE twice
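The filtering described above can be sketched as follows. This is an added example, not the Hacken script: it models the old fee rule as the article states it (an extra 1 DOGE for each output below 1 DOGE), then flags transactions that paid less than that and confirmed at least 6 months after creation, plus recipients who were also paid by a re-issued withdrawal. The base rate of 1 DOGE per started kB, 1-minute block spacing, nLockTime being the chain height at creation, and matching duplicates by identical address and amount are assumptions; all sample data is constructed.

```python
from dataclasses import dataclass
from decimal import Decimal

# Fee rule as the article describes it: +1 DOGE for each output below 1 DOGE.
DUST_LIMIT = Decimal("1")
DUST_SURCHARGE = Decimal("1")
BASE_FEE_PER_KB = Decimal("1")       # assumption: base relay rate per started 1000 bytes
MIN_DELAY_BLOCKS = 182 * 1440        # ~6 months, assuming 1-minute block spacing

@dataclass(frozen=True)
class Tx:
    txid: str
    size_bytes: int
    fee: Decimal
    outputs: tuple            # ((address, value_in_doge), ...)
    locktime_height: int      # nLockTime; assumed to be the height at creation
    confirm_height: int       # height of the block that included the tx

def old_min_relay_fee(tx):
    """Minimum fee the pre-upgrade mempool would have demanded (modelled)."""
    started_kb = -(-tx.size_bytes // 1000)   # ceiling division
    dust_outputs = sum(1 for _, value in tx.outputs if value < DUST_LIMIT)
    return BASE_FEE_PER_KB * started_kb + DUST_SURCHARGE * dust_outputs

def delayed_low_fee(txs):
    """Transactions under the old minimum that confirmed >= 6 months after creation."""
    return [tx for tx in txs
            if tx.fee < old_min_relay_fee(tx)
            and tx.confirm_height - tx.locktime_height >= MIN_DELAY_BLOCKS]

def double_paid(txs):
    """(address, value) pairs paid by a delayed tx and again by another tx."""
    delayed = delayed_low_fee(txs)
    delayed_ids = {tx.txid for tx in delayed}
    reissued = {out for tx in txs if tx.txid not in delayed_ids for out in tx.outputs}
    return sorted({out for tx in delayed for out in tx.outputs if out in reissued})

# Constructed sample data (not real chain data).
D = Decimal
SAMPLE = [
    # Stuck withdrawal: dust change output, fee below the old minimum, mined much later.
    Tx("tx-a", 226, D("1"), (("addr-user1", D("500")), ("addr-change", D("0.4"))), 2_900_000, 3_990_000),
    # Re-issued withdrawal to the same user with a sufficient fee, mined promptly.
    Tx("tx-b", 226, D("2"), (("addr-user1", D("500")), ("addr-change", D("0.7"))), 2_900_500, 2_900_503),
    # Ordinary transaction: no dust output, adequate fee.
    Tx("tx-c", 226, D("1"), (("addr-user2", D("42")), ("addr-change", D("10"))), 3_000_000, 3_000_002),
]

if __name__ == "__main__":
    print([tx.txid for tx in delayed_low_fee(SAMPLE)], double_paid(SAMPLE))
```

On real data the records would come from a full node's block index, and exchange change outputs would be excluded before totalling transferred amounts.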
Although the Dogecoin maintainers were aware of the bug and even fixed it in version 1.14.2, this fix was removed in version 1.14.4.
The incident might have been prevented if the Dogecoin maintainers had used fuzz tests to catch the issue. Fuzz testing injects invalid, malformed, or unexpected inputs into the system to reveal software defects and vulnerabilities. The purpose of this test is to detect performance or security gaps in the system. Also, the team did not carry out the proper preparation work when implementing fixes.
The key mistake made by Binance was not testing the new release in a closed environment. As a result, the effect of the mistake was immediate and significant. Also, it would be reasonable for Binance and other exchanges to have a system in place that would monitor transactions and stop nodes if something went wrong. The other recommendations for crypto exchanges are the following:
Although users were not responsible for the incident, they should remember the basic activities to be taken upon receiving funds they should not have received:
Overall, the Dogecoin incident is a great demonstration that both crypto exchanges and project developers should not underestimate the importance of testing a system prior to its official release. The incident also confirms that introducing fixes is a complex process during which developers should patiently check every element and try to model all critical situations that may arise due to possible system bugs.