Yes, you read that title correctly.
Earlier today (June 28th, 2018), the private Chinese cybersecurity firm SlowMist put up this tweet:
For readers who can't read Chinese, the English translation reads:
“The exchange in the USDT recharge transactions to confirm the success of a logical flaw in the transaction details on the block chain valid field value is true, resulting in “pretend value”, the user has not lost any USDT but successfully recharge the exchange USDT, and these USDT can be normal transactions. We have confirmed that the real attack happened! The relevant exchange should suspend USDT recharge function as soon as possible, and self-examination code whether there is this logic flaw.”
The translation is rough because it's automated (Microsoft), but the gist is that they were able to send USDT to an unnamed exchange without the field values on the transaction being correct, which means that people can be credited for the tokens on that exchange without actually having to send them.
This, obviously, would lead to a double-spend.
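
The self-examination SlowMist asks exchanges to do comes down to one check on the transaction record, shown here as an added Python example that is not from the original post or from any exchange's code. The field names follow the JSON that Omni Core's `omni_gettransaction` RPC returns; the USDT property id of 31, the six-confirmation threshold, the shape of the flawed function and all sample records are assumptions made for illustration.

```python
from decimal import Decimal

USDT_PROPERTY_ID = 31   # Tether (USDT) property id on the Omni Layer
MIN_CONFIRMATIONS = 6   # assumed exchange policy, not stated in the article


def naive_credit(tx, deposit_address):
    """Flawed: credits any Omni transaction that names the deposit address."""
    if tx.get("referenceaddress") != deposit_address:
        return Decimal(0)
    return Decimal(tx["amount"])


def safe_credit(tx, deposit_address):
    """Credit only a confirmed USDT Simple Send that the Omni Layer marked valid."""
    checks = (
        tx.get("valid") is True,                   # the check the flaw skips
        tx.get("type_int") == 0,                   # 0 = Simple Send
        tx.get("propertyid") == USDT_PROPERTY_ID,
        tx.get("referenceaddress") == deposit_address,
        tx.get("confirmations", 0) >= MIN_CONFIRMATIONS,
    )
    if not all(checks):
        return Decimal(0)
    amount = Decimal(tx["amount"])
    return amount if amount > 0 else Decimal(0)


def total_credited(txs, deposit_address, check):
    """Sum what a given check function would credit for a batch of records."""
    return sum((check(tx, deposit_address) for tx in txs), Decimal(0))


# Constructed sample records; the address and txids are placeholders.
DEPOSIT_ADDRESS = "EXAMPLE-DEPOSIT-ADDRESS"
GOOD_TX = {
    "txid": "EXAMPLE-TXID-1", "referenceaddress": DEPOSIT_ADDRESS,
    "type_int": 0, "propertyid": USDT_PROPERTY_ID, "amount": "250.00000000",
    "confirmations": 12, "valid": True,
}
# Same shape, but marked invalid by the Omni Layer, so no tokens moved.
INVALID_TX = dict(GOOD_TX, txid="EXAMPLE-TXID-2", amount="1000.00000000", valid=False)
UNCONFIRMED_TX = dict(GOOD_TX, txid="EXAMPLE-TXID-3", confirmations=0)
BATCH = [GOOD_TX, INVALID_TX, UNCONFIRMED_TX]

if __name__ == "__main__":
    print("naive:", total_credited(BATCH, DEPOSIT_ADDRESS, naive_credit))
    print("safe: ", total_credited(BATCH, DEPOSIT_ADDRESS, safe_credit))
```

Comparing the two totals over the same batch of deposit records is also a quick way to audit past credits for ones that should never have been applied.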