Tether’s Unfair Contract
Any contract that is published on Ethereum is publicly available on Etherscan and you can see exactly what its doing ‘under the hood’. Tether’s USD-pegged stable-coin has become the 3rd largest cryptocurrency on the planet. As a security analyst, I thought I would look at Tether’s ERC20 smart contract which holds together a 16 billion dollar market… And what I found was quite fishy. This has got to be one of the least fair contracts I have ever read, the smart aspect just makes things worse.
Did you know that each time Tether is traded a small fee is charged, and that they can just change the fees and terms of their contract at any time???
I didn’t know what fees I was paying, but their contracts made me pay these fees anyway. The Tether contract is of type “Ownable” and the owner, Tether, collects a percentage of tens of billions of dollars in daily volume. This fee is collected each and every time coin is transferred, so what does that part of the smart contract look like?
The fee is calculated on lines 127–129, and then on line 135 this fee is collected by Tether. To “ensure transparency” there is a hardcoded limit to how high these fees can be, which is shown below:
On line 430 above, there is a misleading comment:
// Ensure transparency by hardcoding limit beyond which fees can never be added
If a hard-coded limit was in fact intended to ensure transparency, then it is being completely and totally undermined, because on line 343 any hardcoded limits can be removed by updating contract. Only one party, Tether, can update this contract, allowing them to dictate the new terms with a new implementation of transfer(), the public interface of the contract is shown below:
On line 342, there is an override that allows the owner to “deprecate” the current contract and replace it completely with something called a UpgradeStandardToken a new token transfer interface that uses a newly defined transferByLegacy() instead of the agreed upon transfer() method found in the contract. When performing a source code review you want to understand the mentality of the author. Why would the author leave a code comment telling us to “ensure transparency” when the author knows that this hardcoded check can be replaced at any time?
Tether is the only one that control who has access to their coin and can change the fees collected by transfer() at any time. Due to the entomology of the word “blacklist” its use has become frowned upon, and denylist is becoming more generally acceptable. The meaning of denylist is self-evident, it has a clear purpose without any prior explanation, as it doesn’t rely on an archaic analogy. In the context of this contract, the funds that Tether denies access to becomes another revenue source. Tether has used this feature to freeze tens of millions of dollars in assets, which are accounts that take deposits but can never withdrawn into USD — so frozen accounts become profit for the owner. The optics of this contract are quite poor, seeing as the owner has full control over the contract really Tether is a centralized token... with extra steps. Tether even reserves the right to halt all trading. The whenNotPaused decorator used on line 340 in the code above means that Tether is a freezable token — and that the owner has the keys. No one can shutdown Bitcoin or Ethereum, and that is by intention. One person can decide to shut down all of Tether, and Tether reserves this right in their contract. If Tether decides to halt trading then you can’t get your funds back — I for one, do not agree to any of this.
Having an owner-controlled contract upgrade is unusual, and is not seen in other major cryptocurrencies. The ability to change the contract after its deployment is a smart contract backdoor because the terms of the contract can be changed after a user has agreed to deposit funds. Tether’s smart contract retains the rights for the owner to change the terms of the contract at any time without needing to ask the permission of account holders. The vast majority of smart contracts do not allow updates of any kind, however governance tokens is a kind of contract that allows holders of the token to vote on changes. The code comment shown below on line 386 is unassuming, however, the contract deprecate() feature quite literally allows for this contract can be updated in its entirety, the fees and other terms of this contract are subject to change at any time:
If the owner uses deprecate() method shown above they will replace the transfer() method on line 343 with the address of a new function call in a new contract. All Tether USD ever minted is stored in a single contract, and the contract that controls everyone’s accounts can be modified in any way. This feature of the contract means that at any point the owner could set a much higher per-transaction fee, with Tether’s dominate market share users would be forced to pay the higher rates.
We think of software upgrades as being a natural part of life, but this has a very different meaning in the context of a contract where one side has the keys to the kingdom. This is the equivalent of your bank being able to change your monthly payments at will. Would you sign a contract that allowed your employer pay you less without notification? Giving one side absolute control makes the contract unfair. No other major token projects are forcing a contract-upgrade onto their users, and this should not become the norm. There are laws in the US for the maximum amount in interest you can charge for a home loan or a credit card, but I don’t know of any such law for smart contracts. No doubt whoever wrote Tether’s contract will say that contract upgrades are for “security”, but the question is who’s security? This “feature” of the contract gives Tether the “security” of being able to increase the fees by 5,000% or more. I do not agree to these terms, and I’m not sure who would.
Is Tether legally obligated to tell its users of a change to this contract or their fee structure?
Let us know what you think in the comments below!