Warning: Soarcoin (SOAR) has a backdoor
A sufficiently small and obscure project can just stick a backdoor right in plain sight.
A little-known partnership between two little-known companies, Australian-based Byte Power Group and Singapore-based Soar Labs (SOAR), went south around the start of the year.
Soar acquired a 49% stake in Byte Power, paying for it with $100,000 in cash and $5 million in SoarCoin. But soon afterwards it accused Byte Power of selling the coins at an unsustainable rate to pay off its outstanding debts, driving the price down.
"In the interest of market protection of SOAR, any and all SOAR token holders and overall integrity of SOAR, this constitutes reckless and negligent actions ... and constitutes breach of agreement," Soar Labs wrote in its complaint.
It then used an existing backdoor to yank the coins back out of Byte Power wallets.
One thing led to another
One thing led to another, and there was some legal complaining and injunctions and stuff.
More interestingly, Information Security Media Group (ISMG) decided to go looking for the backdoor. They called up cybersecurity guy Nicolas Weaver and asked him to help them find it.
He browsed the coin's codebase for about 2 minutes while still on the phone before finding a zero-fee transaction function that can only be called by the owner of the smart contract (SOAR is an Ethereum token).
"If I'm the account owner, I can call that function and transfer a balance from anybody to anybody," Weaver said. "It's best described as a backdoor hiding in plain sight."
When asked for a comment on the backdoor, Soar CEO Seth Lim maintained that it wasn't a backdoor, it wasn't hidden and that Byte Power should have checked the code first and backed out of the sale if they didn't like it.
Soar Labs CTO and co-founder Neo Wenyuan said that the backdoor is used only rarely, in exceptional circumstances.
"We wish to reiterate that the zero-fee transaction function is used sparingly and only in exceptional circumstances," he said. "For example, we recently assisted a cryptocurrency exchange to recover Soarcoin which a threat actor had attempted to siphon away following a malicious attack on the master node of the exchange."
This naturally opens up a range of unpleasant possibilities.
The main one is that the Soarcoin team can take any coins from anywhere at any time, and has already used that power. Beyond that, it introduces a single point of failure in the coin: anyone who obtains the private key that identifies the owner of the Soarcoin smart contract can take every coin in existence.
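Weaver's description above, and the single point of failure just noted, come down to one recognisable shape in token code: an owner-gated function that debits a balance keyed by one of its own parameters rather than by msg.sender. As an added example (not Soarcoin's code, nor anything from Soar Labs or Byte Power), here is a small Python audit heuristic that flags that shape in Solidity source; the sample contract inside it is constructed for illustration, with the function name zeroFeeTransfer chosen only to echo the article.

```python
import re

# Constructed sample Solidity source for illustration; it is not Soarcoin's code.
SAMPLE_SOURCE = """
contract Token {
    mapping(address => uint256) balances;
    address owner;
    modifier onlyOwner() { require(msg.sender == owner); _; }
    function transfer(address to, uint256 value) public {
        balances[msg.sender] -= value;
        balances[to] += value;
    }
    function zeroFeeTransfer(address from, address to, uint256 value) public onlyOwner {
        balances[from] -= value;
        balances[to] += value;
    }
}
"""

# Matches "function name(params) <header> {" and leaves the cursor just inside the body.
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{]*)\{")


def _body(source, start):
    """Return the brace-delimited body whose opening brace sits at source[start - 1]."""
    depth, i = 1, start
    while i < len(source) and depth:
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[start:i - 1]


def find_privileged_balance_writers(source):
    """Flag functions that are owner-gated AND debit a balance keyed by one of
    their own parameters instead of msg.sender: the 'move anybody's coins' shape."""
    findings = []
    for m in FUNC_RE.finditer(source):
        name, params, header = m.group(1), m.group(2), m.group(3)
        body = _body(source, m.end())
        gated = "onlyOwner" in header or re.search(r"msg\.sender\s*==\s*owner", body)
        if not gated:
            continue  # ordinary user-callable function; not the pattern of interest
        param_names = [p.split()[-1] for p in params.split(",") if p.strip()]
        for p in param_names:
            if re.search(r"balances\[\s*" + re.escape(p) + r"\s*\]\s*-=", body):
                findings.append(name)
                break
    return findings
```

The heuristic is deliberately simple (regex, not a real Solidity parser); it is a triage aid for a human reviewer, not a substitute for reading the contract.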
It's both a blessing and a curse that Soarcoin is so obscure. On the one hand, it means few people will be affected by the backdoor, though that might be a big enough deal breaker to send SOAR to zero. On the other hand, a better-known project would have been better vetted and would not have got away with hiding a backdoor in plain sight.
It's happened before, such as with the Bitcoin Gold wallet scam, but that backdoor needed to be very carefully and cleverly hidden because there were so many eyes on the project.
Functionally, Soarcoin looks like just a straightforward Ethereum-based payment token, designed simply to be transferred between wallets. A disappointed SOAR owner looking for a similar project might be interested in the functionally equivalent UET ecosystem.
Disclosure: At the time of writing the author holds ETH, IOTA, ICX, VET, XLM, BTC, NANO