Exclusive: Aussie Firm Loses $6.6M to Backdoored Cryptocurrency'Soarcoin' Cryptocurrency Coded With Backdoor Hidden in Plain Sight
Australian police in Queensland are pursuing a criminal investigation into what may be one of the first instances of a company swiping cryptocurrency using a software backdoor after a business deal went bad.
See Also: Top 50 Security Threats
Some elements of the conflict between Byte Power Party Ltd. of Newstead, Queensland, and Soar Labs of Singapore are public, but the full scope of what happened between the two hasn't been revealed until now.
Although the two companies resolved their differences outside of court last week, experts say the case, involving US$6.6 million worth of cryptocurrency, highlights many of the risks around using cryptocurrency, an emerging market area that is rife with scams, but has little regulation.
"Any organization involved in trading cryptocurrency should obviously hire professional consultants to handle the transaction, just as they would if they were being paid millions in $20 bills," says Jake Williams, founder of Rendition Infosec, a security consultancy based in Augusta, Georgia.
The tale began to unwind on Friday when a detective chief constable with Queensland's Financial and Cyber Crime Group revealed a criminal investigation at the AusCERT computer security conference. He declined to name the parties involved, but said the situation showed the risks of transacting business deals in cryptocurrency.
ISMG contacted several information security experts in an attempt to identify the parties involved and the cryptocurrency. Williams found a business deal between Byte Power Group and Soar Labs. Soon, a picture emerged, which Queensland Police confirmed on Tuesday.
To get to the core of what happened, some background is required. Since bitcoin launched in 2009, the cryptocurrency space has rapidly expanded, and there are at least 2,000 projects centered around virtual tokens or currencies. The projects all use blockchains, or distributed digital ledgers, to keep track of account balances.
But despite enthusiasm for blockchain-based projects, the market space has been notorious for scams. And regulators around the world are looking closely at so-called initial coin offerings, or ICOs.
There have been hundreds of ICOs in which a group or company launches a blockchain project and begins generating tokens. The tokens are often offered for private sale before being offered publicly. Some critics have likened tokens or cryptocurrency issuance to printing money.
The U.S. Securities and Exchange Commission has imparted guidance on whether tokens constitute a security and should be covered by existing investment laws, including full disclosure of the risks and transparent financial disclosures by companies. But it's a fuzzy, evolving area.
The fear is that investors, lured by white papers and well-designed websites, may buy tokens or cryptocurrencies without fully knowing the risks and sometimes flimsy business cases behind them.
Deal Goes Sour
In July 2017, Soar Labs became one of the many companies issuing its own token, according to its announcement on the bitcointalk.org forum.
Soarcoin is based on Ethereum, a blockchain-based platform that allows for the issuing of virtual tokens and hosting of smart contracts.
About a month before Soar Labs launched its coin, it announced it would acquire a 49 percent stake in Byte Power Party Ltd., a subsidiary of Byte Power Group Ltd. The agreement called for Byte Power Party to set up a cryptocurrency exchange in Australia.
The total value of the stake was $5 million, but most of the transaction was made in Soarcoin. Soar Labs' cash contribution to the deal was just US$100,000. The remaining balance was paid in 306 million Soarcoins, which at the time were valued at US$.016 each.
But the deal soured in January.
Coins: Suspended Or Stolen?
A series of public filings by Byte Power Group with the Australian Securities Exchange, or ASX, has shed light on the conflict.
Byte Power Group told the ASX on Jan. 4 that 179.2 million Soarcoins held by its subsidiary and another 34.6 million held by its CEO, Alvin Phua, had been "temporarily suspended."
Two days prior, Soar Labs had accused Byte Power Group of not selling its Soarcoin at "manageable levels" and using the proceeds to settle debts, including back-dated salary to directors.
"In the interest of market protection of SOAR, any and all SOAR token holders and overall integrity of SOAR, this constitutes reckless and negligent actions ... and constitutes breach of agreement," according to a letter.
Because new virtual currencies are thinly traded, someone opting to sell a large number of coins could cause the price to nosedive.
On Feb. 12, Byte Power Group told the ASX that the Soarcoins were withdrawn from its e-wallets on Jan. 1. The number of Soarcoins withdrawn by Soar Labs was around 214 million, worth about US$6.6 million that day, according to the price on CoinMarketCap.
Byte Power Group eventually petitioned Singapore's High Court, which ordered an injunction in early February against Soar Labs. The injunction froze specific bank accounts and electronic wallets.
Backdoor Found In Two Minutes
One disadvantage of using virtual currencies is that transactions are irreversible. If a bitcoin is sent from one address to another, it can't be recovered unless the recipient chooses to return it.
So how did Soar Labs reclaim its coins? Queensland Police described the problem as a backdoor within the coin's code, which was confirmed during a forensic analysis by a German company.
A Byte Power Group representative said on Tuesday that the company could not provide details beyond the information it provided to the ASX.
But the representative did say that "the way in which the smart contracts were written allowed them [Soar Labs] to remove the coins, which the company itself wasn't aware of at the time until the coins were actually taken."
On Tuesday, ISMG contacted Nicholas Weaver, a researcher with the International Computer Science Institute and a lecturer at the University of California at Berkeley. Weaver has studied virtual currencies and their surrounding ecosystems since 2013.
While on the phone with ISMG, Weaver browsed Soarcoin's code. Within about two minutes, he found a zero-fee transaction function that can only be called by the owner of the Ethereum smart contract, which in this case would be Soar Labs.
"If I'm the account owner, I can call that function and transfer a balance from anybody to anybody," Weaver says. "It's best described as a backdoor hiding in plain sight."
Weaver says that Soar Labs could do what it did to Byte Power Party to anyone else holding Soarcoin. "The code says the owner of the contract can rewrite the balances at will," he says.
Soar Labs: Not A Backdoor
A key question that remains unanswered is why it appears Soar Labs did not directly tell Byte Power Party that the coin's code contained a backdoor.
Soar Labs' CEO Seth Lim tells ISMG that the issue found by Weaver isn't hidden. The code is open for anyone to see, he says.
"It's about trust in the ecosystem," Lim says.
When asked why Soar Labs didn't inform Byte Power Party, Lim indicated the company should have looked at the code.
But another key question is what risks the backdoor poses now to anyone who hold Soarcoin.
There are risks aside from Soar Labs' suddenly pulling back coins. Soar Labs has the private key that authenticates itself as the owner of the smart contract for Soarcoin. If a hacker steals the key, the coins could be moved around by calling on the zero-fee function.
Soar Labs CTO and co-founder, Neo Wenyuan, says in an email that the company does not consider the zero-fee transaction function to be a backdoor and does not intend to use it to disrupt the market.
"The zero-fee transaction function, which is visible in the public source code, was developed for the purpose of airdrops, monitoring transactions as the developer of Soarcoin and future development activities such as payment interface with online apps," Wenyuan writes.
Wenyuan writes that he could not comment on what happened with Byte Power Party. But he says Soar Labs did invoke the powerful function in another situation.
"We wish to reiterate that the zero-fee transaction function is used sparingly and only in exceptional circumstances," he writes. "For example, we recently assisted a cryptocurrency exchange to recover Soarcoin which a threat actor had attempted to siphon away following a malicious attack on the master node of the exchange."
Wenyuan further writes that Soar Labs is "open to considering the removal of the zero-free transaction in the future, if there is no longer a need for such a function when Soarcoin eventually matures into a self-sustaining and self-regulating market."
Audit, Audit, Audit
Weaver says the Soar Labs situation points to a broader problem in the virtual currency community: Just because a coin's code may be public or open source, that doesn't mean it's free of problems.
"A lot of people don't understand that," Weaver says. "This is the problem of this whole model of 'Oh, transparency means you trust the system' and all sorts of garbage. It is just simply not true."
It's also very difficult to find backdoors in code. Weaver found Soarcoin's problem quickly, but he's a computer scientist who knows where to look. Soarcoin's issue also wasn't hidden very well. Tampering with, say, random number generators, makes it more difficult to spot something subversive.
"It would be very difficult to find a backdoor in cryptocurrency code," says Williams of Rendition Infosec. "Auditing this requires both a security and an advanced mathematics background, a combination of things that most people simply don't possess."
Last week, Byte Power Group said it had reached a settlement with Soar Labs.
Under the terms, Soar Labs will transfer its 49 percent stake in Byte Power Party to Byte Power Group. It will also pay US$1.7 million and transfer 5 million Soarcoins to Byte Party Group, Byte Power Party and its CEO Alvin Phua.
A single Soarcoin was worth US$.023 on Tuesday, roughly 25 percent more than when the two companies signed their deal in June 2017, according to CoinMarketCap.
What remains to be seen is whether Queensland Police will proceed with a criminal investigation, in light of the settlement.
The case is somewhat unorthodox: Soar Labs did hold a 49 percent share of Byte Power Party, posing the question of whether a crime was committed when it withdrew the Soarcoins held by a company it partly owned.
But legal complexities aside, one lesson from the conflict is clear: New cryptocurrencies need to be carefully evaluated, says John Bambenek, a consultant and vice president at the threat intelligence firm ThreatSTOP.
"Moral of the story, stay the hell away from 'new' cryptocurrencies," Bambenek says.