
Bitfinex Unus Sed LEO Smart Contract Audit Reveals Nasty Surprises for Holders

Updated by Daniel
After its $1 billion USDT LEO token sale, things could be said to be looking up for Bitfinex as the exchange continues to recover from what has otherwise been a tumultuous start to the year. However, new evidence suggests that there is more to its new Unus Sed LEO token than first meets the eye.
According to a recent audit by security researchers at Cointelligence, the smart contract for Unus Sed LEO is hiding some nasty secrets that might cause investors to think twice before purchasing or even holding LEO tokens. After deploying a test copy of the LEO token contract code on the Ropsten testnet, the security researcher was able to fully test its functionality and uncover hidden features that could allow iFinex to do practically whatever they want with the LEO token.

iFinex Can Delete Your Funds

Among the major findings in the report is the fact that the smart controller can be modified at any time, essentially allowing iFinex to change the account that controls the smart contract by calling the “generateTokens” function found on line 460. By doing this, iFinex will be able to modify the _owner and _amount parameters, which will potentially allow it to print as many tokens as it wants, and direct these tokens wherever it chooses. Conveniently, the whitepaper doesn’t mention the maximum supply of LEO tokens, indicating that the company may be looking to invoke this feature in the future.

Although being able to mint a virtually unlimited number of tokens without warning is already a significant red flag, it is perhaps less concerning than the fact that the smart contract includes provisions to delete anybody’s LEO tokens, no matter where they are held. On line 477 of the smart contract, a call to the “destroyTokens” function can be used to burn LEO tokens by simply choosing an address containing LEO tokens and specifying the number of tokens to delete by modifying the _owner and _amount parameters.

To demonstrate this ability, Cointelligence deployed the contract on the Ropsten testnet and successfully deleted ten billion tokens from an address that they did not own. Not only this, but they were also able to mint a practically limitless amount of LEO tokens, demonstrating this by sending almost 1 Undecillion (that’s 1 billion^4) tokens to a testnet address in this transaction.
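For readers who want to check a token's source for the same pattern before holding it, here is a small added example (not code from the article, Cointelligence or the LEO contract) that flags privileged functions which write the balance of an address passed in as an argument. The Solidity sample is constructed, the `onlyController` modifier and the function bodies are assumptions, and the heuristic only catches direct `balances[...] +=` / `-=` writes, not updates made through helper functions.

```python
import re
# Constructed sample, not the LEO source. Function and parameter names come from
# the article; the onlyController modifier and the bodies are assumptions.
SAMPLE_SOL = """
contract Token {
    function transfer(address _to, uint256 _amount) public returns (bool) {
        return doTransfer(msg.sender, _to, _amount);
    }
    function generateTokens(address _owner, uint _amount)
        public onlyController returns (bool) {
        balances[_owner] += _amount; totalSupply += _amount; return true;
    }
    function destroyTokens(address _owner, uint _amount)
        onlyController public returns (bool) {
        balances[_owner] -= _amount; totalSupply -= _amount; return true;
    }
}
"""

FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{", re.S)
PRIV_MODIFIERS = {"onlyController", "onlyOwner", "onlyMinter"}  # assumed gate names

def function_body(src, open_idx):
    """Return the text between the brace at open_idx and its matching brace."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]

def find_admin_balance_writes(src):
    """List (function, mint|burn, address param, gate) for privileged balance writes."""
    findings = []
    for m in FUNC_RE.finditer(src):
        name, params, header = m.groups()
        gate = PRIV_MODIFIERS & set(re.findall(r"\w+", header))
        body = function_body(src, m.end() - 1)
        for p in re.findall(r"address\s+(?:payable\s+)?(\w+)", params):
            w = re.search(r"\[\s*%s\s*\]\s*([+-])=" % re.escape(p), body)
            if gate and w:
                kind = "mint" if w.group(1) == "+" else "burn"
                findings.append((name, kind, p, sorted(gate)[0]))
    return findings
if __name__ == "__main__":
    print(find_admin_balance_writes(SAMPLE_SOL))
```

A hit is a prompt for manual review of who holds the privileged role and whether it can be reassigned, not proof of abuse.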

Absolute Power, Upgradeability, or Both?

Technically, this feature could be used to delete compromised funds, blacklist exchange wallets and essentially wipe out funds from any wallet, regardless of who owns it, giving iFinex absolute centralized control of the movement of LEO. In response to the concerns, Paolo Ardoino, CTO of Bitfinex, had the following to say:
For security and future proof reasons we left the ability also to upgrade the Token Contract. That’s really a key feature for a contract that might live lot of years. Minting more tokens would just not make sense for Finex… like shooting our foot.
Although it is clear that the LEO smart contract was designed to be upgradeable, having such a centralized system certainly doesn’t adhere to the spirit of the new decentralized economy. Similarly, we find it hard to imagine why a company would need to include provisions to forcefully delete the holdings of other wallets, if not to use it for censorship or undoing the immutability of transactions. What is your opinion on the Unus Sed LEO Token? Does the recent news alter the long term viability of the project? Let us know your thoughts in the comments!
Daniel Phillips
After obtaining a Masters degree in Regenerative Medicine, Daniel pivoted to the frontier field of blockchain technology, where he began to absorb anything and everything he could on the subject. Daniel has been bullish on Bitcoin since before it was cool, and continues to be so despite any evidence to the contrary. Nowadays, Daniel works in the blockchain space full time, as both a copywriter and blockchain marketer.