According to blockchain security firm SlowMist, Filecoin came under attack in what was at first suspected to be "double spending." Many crypto exchanges have since suspended FIL deposits.
SlowMist's analysis found that the attack was not double spending but a fake deposit that exploits RBF (replace-by-fee) on Filecoin. The attacker first broadcast a transaction with a low gas-feecap, then replaced it with an RBF transaction carrying the same sender and nonce but a higher gas-premium and gas-feecap. The replacement was the one packaged on chain and the original was discarded. However, when the execution status of the original transaction was queried by its CID (with the lotus state exec-trace command, or through the JSON-RPC method Filecoin.StateGetReceipt), the node returned the execution status of the replacement, and the exchange recorded both transactions as deposits.
The SlowMist security team reminds exchanges and wallets that, when recording a deposit, they must compare the CID returned by the query against the CID they queried, and cross-check against the ChainGetParentMessages and ChainGetParentReceipts interfaces, so that a message which was replaced and never executed is not recorded. A successful receipt by itself says nothing about which message produced it.
Unlike the fake deposit attack SlowMist found previously, this method is more covert, because it stems from the behaviour of the Filecoin node itself. Exchanges and wallets should re-audit their deposit procedures.
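The check described above, as an added example that is not code from SlowMist or from the Lotus project: it contrasts the ambiguous sender-plus-nonce resolution that credits a replaced message with an exact-CID match over a block's parent messages and receipts, and shows a deposit ledger that credits each executed CID once. The JSON-RPC responses, CIDs, addresses and amounts are all constructed placeholders shaped like Lotus's ChainGetParentMessages and ChainGetParentReceipts output; none of them come from the article.

```python
"""Added example, not code from SlowMist or the Lotus project: resolving a
FIL message's execution result by exact CID before crediting a deposit.

Assumptions (not from the article): the responses below are hand-constructed
to mirror the shape of Lotus's ChainGetParentMessages / ChainGetParentReceipts
output for one block, with receipts index-aligned to messages; every CID,
address and amount is a placeholder.
"""
from typing import Optional

EXCHANGE_ADDR = "f1exchangedepositaddr"  # constructed placeholder

# Constructed: the message the attacker broadcast first (low gas-feecap) ...
OLD_CID = "bafy2bzaceaoldlowfeemessage"
# ... and its RBF replacement: same sender and nonce, higher premium/feecap.
RBF_CID = "bafy2bzaceareplacementmessage"


def msg(cid, frm, to, nonce, value, feecap, premium):
    """Build one entry in the shape ChainGetParentMessages returns."""
    return {"Cid": {"/": cid},
            "Message": {"From": frm, "To": to, "Nonce": nonce, "Value": value,
                        "GasFeeCap": feecap, "GasPremium": premium}}


# The message the exchange saw in the mempool and later queried by CID.
OLD_MSG = msg(OLD_CID, "f1attacker", EXCHANGE_ADDR, 7, "1000000000000000000", "100", "50")

# Constructed parent messages/receipts of the block that executed the
# replacement. OLD_MSG is absent: it was discarded and never executed.
PARENT_MESSAGES = [
    msg(RBF_CID, "f1attacker", EXCHANGE_ADDR, 7, "1000000000000000000", "200", "150"),
    msg("bafy2bzaceaunrelatedmessage", "f1other", "f1elsewhere", 3, "5", "200", "150"),
]
PARENT_RECEIPTS = [
    {"ExitCode": 0, "Return": None, "GasUsed": 481000},
    {"ExitCode": 0, "Return": None, "GasUsed": 481000},
]


def lookup_by_nonce(frm: str, nonce: int, messages, receipts) -> Optional[dict]:
    """The ambiguous resolution the article describes: any executed message
    with the same sender and nonce is treated as 'the' message, so the
    replacement's receipt comes back for the discarded original."""
    for m, r in zip(messages, receipts):
        body = m["Message"]
        if body["From"] == frm and body["Nonce"] == nonce:
            return r
    return None


def lookup_by_cid(cid: str, messages, receipts) -> Optional[dict]:
    """Exact match: a receipt is returned only for the CID that executed."""
    for m, r in zip(messages, receipts):
        if m["Cid"]["/"] == cid:
            return r
    return None


class DepositLedger:
    """Credits a deposit once per executed message CID."""

    def __init__(self, deposit_addr: str):
        self.deposit_addr = deposit_addr
        self.credited = {}  # executed CID -> attoFIL credited

    def credit(self, queried_cid: str, messages, receipts) -> bool:
        if queried_cid in self.credited:
            return False  # already recorded
        for m, r in zip(messages, receipts):
            if m["Cid"]["/"] != queried_cid:
                continue  # a replaced, never-executed message never matches
            body = m["Message"]
            if body["To"] != self.deposit_addr or r["ExitCode"] != 0:
                return False
            self.credited[queried_cid] = int(body["Value"])
            return True
        return False  # queried CID was not executed in this block


if __name__ == "__main__":
    print("by nonce (old msg):", lookup_by_nonce("f1attacker", 7, PARENT_MESSAGES, PARENT_RECEIPTS))
    print("by cid   (old msg):", lookup_by_cid(OLD_CID, PARENT_MESSAGES, PARENT_RECEIPTS))
    ledger = DepositLedger(EXCHANGE_ADDR)
    for cid in (OLD_CID, RBF_CID, RBF_CID):
        print("credit", cid, "->", ledger.credit(cid, PARENT_MESSAGES, PARENT_RECEIPTS))
```

Against a live node the two lists come from ChainGetParentMessages and ChainGetParentReceipts called with the CID of a block whose parent tipset executed the message; Lotus returns the receipts in the same order as the messages, which is what the zip relies on. The sender-plus-nonce lookup hands back a successful receipt for the old CID, exactly the ambiguity that let both transactions be recorded; the CID lookup returns nothing for it, and the ledger credits the replacement once and refuses it on a second query.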