Clarification about USDT "vulnerability" and best practices for receiving Omni Layer transactions

dexx

Jun 29, 2018, 3:20:55 AM
to announ...@mastercoin.org
Dear Omni Layer integrators,

Recently, news was published about a potential vulnerability of Tether/USDT, which seemingly allows double-spending tokens.

We can assure you, this isn't the case. There is no protocol vulnerability, but rather improper handling of incoming token payments.

When retrieving information about Omni Layer transactions via the JSON-RPC API, there is a field indicating the validity of a transaction. An invalid token transaction can have multiple causes, e.g. when the sender crafts a transaction to transfer tokens, even though he or she doesn't have enough balance.

As far as we know, there was an integrator who didn't check the "valid" flag at all and simply credited the tokens without confirming they were actually transferred.

The reference client of the Omni Layer, Omni Core, doesn't credit any tokens from invalid transactions. The JSON-RPC API still provides information about such a transaction, but clearly indicates whether the transaction is valid.

In such a case the result also has an "invalidreason" field, which provides explicit information about why the transaction is considered invalid, e.g. in case of not enough balance.

To avoid similar cases in the future, we published hints for the integration of Omni Layer tokens:


If you have any questions, please let me know.

- dexx
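
Added example, not part of the original message and not Omni Layer project code: a fail-closed deposit check over transaction results as returned by the JSON-RPC API. Only "valid" and "invalidreason" are named in the message; the other field names (confirmations, referenceaddress, propertyid, amount) are assumed from the omni_gettransaction result format, and the confirmation threshold, addresses and sample results are constructed.

```python
import json
from decimal import Decimal

MIN_CONFIRMATIONS = 6  # hypothetical policy threshold, not from the message

def evaluate_deposit(tx, deposit_address, property_id, min_conf=MIN_CONFIRMATIONS):
    """Return (amount_to_credit, reason); the amount is 0 unless every check passes."""
    zero = Decimal("0")
    # Fail closed: only the JSON boolean true counts. A missing flag,
    # the string "true" or the integer 1 are all rejected.
    if tx.get("valid") is not True:
        return zero, "invalid: " + str(tx.get("invalidreason", "valid flag not set"))
    if tx.get("confirmations", 0) < min_conf:
        return zero, "not enough confirmations"
    if tx.get("referenceaddress") != deposit_address:
        return zero, "not sent to this deposit address"
    if tx.get("propertyid") != property_id:
        return zero, "unexpected token"
    amount = Decimal(tx.get("amount", "0"))
    if amount <= 0:
        return zero, "no amount"
    return amount, "ok"

# Constructed sample results (not real transactions or addresses).
SAMPLE_RESULTS = json.loads("""[
  {"txid": "aa01", "referenceaddress": "1ExampleDepositAddr", "propertyid": 31,
   "amount": "25.50000000", "confirmations": 12, "valid": true},
  {"txid": "aa02", "referenceaddress": "1ExampleDepositAddr", "propertyid": 31,
   "amount": "1000000.00000000", "confirmations": 12, "valid": false,
   "invalidreason": "Sender has insufficient balance"},
  {"txid": "aa03", "referenceaddress": "1ExampleDepositAddr", "propertyid": 31,
   "amount": "5.00000000", "confirmations": 1, "valid": true},
  {"txid": "aa04", "referenceaddress": "1ExampleDepositAddr", "propertyid": 31,
   "amount": "5.00000000", "confirmations": 12, "valid": "true"}
]""")

DECISIONS = [evaluate_deposit(tx, "1ExampleDepositAddr", 31) for tx in SAMPLE_RESULTS]

if __name__ == "__main__":
    for tx, (amount, reason) in zip(SAMPLE_RESULTS, DECISIONS):
        print(tx["txid"], amount, reason)
```

The second sample is the case described in the message: the API still returns the transaction, but nothing is credited and the "invalidreason" text is kept for the audit trail.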