Security reminder: Beware of Filecoin RBF fake recharge attacks

According to the news from SlowMist, Filecoin has a "double-spending transaction" and many exchanges have closed FIL recharge channels. The SlowMist security team analyzed the relevant information and found that this was a Filecoin RBF fake recharge attack rather than a "double-spending attack".

The attacker sends a low gas-feecap transaction in advance, and then replaces the original transaction (RBF transaction) by increasing the gas-premium and gas-feecap. At this time, the RBF transaction is packaged on the chain first, and the old transaction is discarded. However, due to a feature of Filecoin lotus RPC, when querying the execution status of the old transaction (using the lotus state exec-trace command or obtaining it through the REST interface Filecoin.StateGetReceipt), the execution status of the RBF transaction is returned, causing the exchange to record the two transactions repeatedly.

The SlowMist security team reminds exchanges and related wallets that when depositing, they need to compare the cid in the query return result with the cid in the query, and use interfaces such as ChainGetParentMessages and ChainGetParentReceipts to query and compare to avoid duplicate deposits. Unlike the fake deposit attacks previously discovered in the SlowMist area, this attack method is more covert and is caused by the characteristics of the Filecoin node. Exchanges and related wallets should check the deposit and deposit procedures again. In addition to RBF, there are also regular To, Value, transfer type Method, and execution result ExitCode fields. If necessary, you can ask a security audit company to assist in the detection.