In brief

  • Users discovered a Filecoin exploit that allowed funds to be deposited more than once on Binance.
  • It’s not technically a “double spend,” since the transaction only happened once on the Filecoin blockchain.
  • Filecoin and Binance are saying it’s not a bug—just an “incorrect use” of APIs.

On Thursday, Coindesk reported on an exploit that allowed $4.6 million in Filecoin tokens to be deposited more than once on Binance. In emails to Decrypt, Filecoin and Binance are chalking it up to an “incorrect use” of APIs, as opposed to a bug.

The issue resembled a “double spend”—a system-breaking defect, usually brought on by an attack on a blockchain, that allows the same cryptocurrency to be spent twice. Filecoin is a token that helps enable a decentralized storage network.

The proof-of-work consensus mechanism that backs Bitcoin and other cryptocurrencies is meant to prevent double spends. But the transaction in question only happened once on the Filecoin blockchain, even though the exchange mistakenly accepted the transaction twice; the result was more like a “double deposit” than a double spend.


A blog post from Protocol Labs, the team behind Filecoin, says that an investigation “found no issues with the Filecoin network or the RPC [remote procedure call] API code.” And in a statement to Decrypt, a spokesperson for Protocol Labs said: “We are confident that there is no double-spend on the blockchain itself.”

Binance told Decrypt that deposits of FIL, Filecoin’s token, were halted yesterday in the wake of the double deposit. “The issue was caused by the incorrect use of the Lotus [Filecoin’s software suite] API logic and its integration in transferring and depositing into the Filecoin Network,” said a spokesperson. An API, short for application programming interface, is a way for software to talk to other software.

According to the Binance spokesperson, there was no loss of funds. They referred Decrypt to Filecoin’s incident report. 

Stay on top of crypto news, get daily updates in your inbox.