Warning: Soarcoin (SOAR) has a backdoor

Posted: 8 June 2018 4:35 pm

A sufficiently small and obscure project can just stick a backdoor right in plain sight.

A little-known partnership between Australia-based Byte Power Group and Singapore-based Soar Labs, the company behind Soarcoin (SOAR), went south around the start of the year.

Soar acquired a 49% stake in Byte Power, paying for it with $100,000 in cash and $5 million in SoarCoin. Soon afterwards it accused Byte Power of selling the coins at an unsustainable rate to pay down its outstanding debts, pushing the price down.

"In the interest of market protection of SOAR, any and all SOAR token holders and overall integrity of SOAR, this constitutes reckless and negligent actions ... and constitutes breach of agreement," Soar Labs wrote in its complaint.

It then used a pre-existing backdoor in the token's smart contract to pull the coins back out of Byte Power's wallets.

One thing led to another

One thing led to another, with legal complaints and injunctions following.

More interestingly, Information Security Media Group (ISMG) decided to go looking for the backdoor. They called up security researcher Nicolas Weaver and asked him to help them find it.

He browsed the coin's codebase for about two minutes while on the phone before finding a zero-fee transaction function that can only be called by the owner of the smart contract (SOAR is an Ethereum-based token).

"If I'm the account owner, I can call that function and transfer a balance from anybody to anybody," Weaver said. "It's best described as a backdoor hiding in plain sight."

When asked for a comment on the backdoor, Soar CEO Seth Lim maintained that it wasn't a backdoor, it wasn't hidden and that Byte Power should have checked the code first and backed out of the sale if they didn't like it.

Soar Labs CTO and co-founder, Neo Wenyuan said that the backdoor is only used very rarely in exceptional circumstances.

"We wish to reiterate that the zero-fee transaction function is used sparingly and only in exceptional circumstances," he said. "For example, we recently assisted a cryptocurrency exchange to recover Soarcoin which a threat actor had attempted to siphon away following a malicious attack on the master node of the exchange."

This naturally opens up a range of unpleasant possibilities.

The main one is that the Soarcoin team can move any holder's coins to any address at any time, and has already used that power. Beyond that, it introduces a single point of failure for the entire token: the function is gated only by the contract owner's key, so anyone who obtains the private key for the owner address can move every coin in existence, with no holder's signature required.
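The article does not reproduce the Soarcoin function, so the following is an added illustration, not the Soarcoin source, of the pattern Weaver describes: an ordinary transferable token with one owner-only function that moves any holder's balance to any address. The contract and function names (`BackdooredToken`, `zeroFeeTransferByOwner`) are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative reconstruction (not the Soarcoin code) of an Ethereum token
// that carries a "backdoor in plain sight": everything looks like a normal
// payment token except one owner-only function that ignores the holder.
contract BackdooredToken {
    string public constant name = "Example Token";
    string public constant symbol = "EXT";
    uint8 public constant decimals = 18;
    uint256 public totalSupply;
    address public owner;

    mapping(address => uint256) public balanceOf;

    event Transfer(address indexed from, address indexed to, uint256 value);

    // The only gate on the backdoor is this check against a single key.
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(uint256 initialSupply) {
        owner = msg.sender;
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    // Normal path: a holder can only spend their own balance, because the
    // debited account is msg.sender, i.e. whoever signed the transaction.
    function transfer(address to, uint256 value) external returns (bool) {
        require(balanceOf[msg.sender] >= value, "insufficient balance");
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
        emit Transfer(msg.sender, to, value);
        return true;
    }

    // The backdoor. The debited account is an arbitrary parameter, nothing
    // checks that `from` consented, and the call costs the holder nothing
    // in token fees (hence "zero-fee"). Whoever controls the owner key can
    // drain any account, which makes that key a single point of failure
    // for every holder, not just for the issuer.
    function zeroFeeTransferByOwner(address from, address to, uint256 value)
        external
        onlyOwner
        returns (bool)
    {
        require(balanceOf[from] >= value, "insufficient balance");
        balanceOf[from] -= value;
        balanceOf[to] += value;
        emit Transfer(from, to, value);
        return true;
    }
}
```

The check a buyer should run before accepting a token like this is mechanical: read the verified contract source and look for any function that writes to `balanceOf[x]` where `x` is a parameter rather than `msg.sender`, and where the only guard is an owner or admin check rather than an allowance the holder granted. A standard `transferFrom` is gated by the holder's own `approve`; an owner-only variant with no allowance check is exactly the backdoor described above.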

It's both a blessing and a curse that Soarcoin is so obscure. On the one hand it means few people are going to be affected by the backdoor, which might be a big enough deal breaker to send SOAR to zero. On the other hand, a better-known project would have been more thoroughly vetted, and wouldn't have been able to get away with hiding a backdoor in plain sight.

It's happened before, such as with the Bitcoin Gold wallet scam, but that backdoor needed to be very carefully and cleverly hidden because there were so many eyes on the project.

Functionally, Soarcoin looks like it's just a straightforward Ethereum-based payment token, simply designed to be transferred between wallets. A disappointed SOAR owner looking for a similar project might be interested in the functionally equivalent UET ecosystem.

Disclosure: At the time of writing the author holds ETH, IOTA, ICX, VET, XLM, BTC, NANO

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.


Picture: Shutterstock
