Malicious actors have been taking advantage of the XRP Ledger’s partial payment feature to extract millions of dollars worth of XRP from institutions, mainly exchanges.
Partial Payment Feature
The XRP Ledger is a decentralized cryptographic ledger supporting many payment types, one of which is the partial payment.
In the default case, the amount field of a Payment transaction in the XRP Ledger specifies the exact amount to deliver, after charging for exchange rates and transfer fees. A “Partial Payment” allows a payment to succeed by reducing the amount received instead of increasing the amount sent. Partial payments are useful for returning payments without incurring additional costs to oneself.
If a financial institution’s integration with the XRP Ledger assumes that the amount field of a Payment is always the full amount delivered, malicious actors may be able to exploit that assumption to steal money from the institution. This exploit can be used against gateways, exchanges, or merchants as long as those institutions’ software does not process partial payments correctly.
Exploit Scenario Steps
To exploit a vulnerable financial institution, a malicious actor does something like this:
- The malicious actor sends a Payment transaction to the institution. This transaction has a large amount field and has the tfPartialPayment flag enabled.
- The partial payment succeeds but actually delivers a very small amount of the currency specified.
- The vulnerable institution reads the transaction’s amount field without looking at the flags field or delivered amount metadata field.
- The vulnerable institution credits the malicious actor in an external system, such as the institution’s own ledger, for the full amount, despite only receiving a much smaller delivered amount in the XRP Ledger.
- The malicious actor withdraws as much of the balance as possible to another system before the vulnerable institution notices the discrepancy.
- Malicious actors usually prefer to convert the balance to another crypto-currency such as Bitcoin, because blockchain transactions are usually irreversible. With a withdrawal to a fiat currency system, the financial institution may be able to reverse or cancel the transaction several days after it initially executes.
- In the case of an exchange, the malicious actor can also withdraw an XRP balance directly back into the XRP Ledger.
Despite the clear step-by-step guide on listing XRP that includes a warning on the partial payment exploit, exchanges keep repeating the same mistakes, resulting in more exchanges being attacked.
Xplorer.com, a tool dedicated to preventing and combating fraudulent activity on the XRPL, has been actively monitoring such attacks, intercepting three such attacks within a month.
Despite the efforts of xrplorer and its CEO and founder Thomas Silkjær, another exchange wallet was emptied of its XRP this week.
Typically, newly launched exchanges or exchanges that list XRP for the first time neglect to set the option to read the “delivered amount” instead of the “amount”. One such simple error can lead to the theft of large amounts of XRP.
According to Bitrue’s research, in two months alone in 2019, 69 institutions were affected, with the most affected being BitoPro, losing 7,000,000 XRP in May 2019. After listing XRP without setting the correct parameters, Beaxy exchange lost 44 BC and 111,000 XRP in August 2019.
In the month of June thus far the following addresses have been sending out partial payments to exchanges and other institutions:
rBaQeV3A3iwQEKy3LJ7sZ7neGYc1vQFEBk: 4 partial payments
rp1exkw6upyaEi6pZzFTtSZacojhFjk2fD: 3 partial payments
rEvGGNnTJ5FS2iPNBk8VjiiAtJgYYV4s8s: 235 partial payments
rLttJ433vtcuwSn6TEUwE16h4vanvBjFSM: 156 partial payments
This does not mean these payments are successful. However, when multiple such payments get sent out to the same institution it usually means that the sender has located the vulnerability and is taking advantage of it. It is impossible to check through the XRPL if the exchange is indeed reading the wrong field.
With hundreds of institutions receiving partial payments in June thus far, the following received multiple partial payments, resembling an attack:
Lbank: 10 partial payments totaling 60,400 XRP
EliteX: 7 partial payments totaling 42,100 XRP
DOBI: 7 partial payments totaling 40,200 XRP
AAX: 5 partial payments totaling 30,200 XRP
Bitsdaq: 5 partial payments totaling 500 XRP
Unknown institution: 34 partial payments totaling 250,000,000 XRP
Coinbreze: 4 partial payments totaling 20,200 XRP
Coinbig: 5 partial payments totaling 200,150 XRP
Bitsten: 20 partial payments totaling 46,204 XRP
While this does not mean these exact funds were stolen from these institutions, there is a high probability an attempt was made. The only one that can confirm the attack are these institutions.
What can be done?
Using the delivered amount field when processing incoming transactions is enough to avoid this exploit. However, additional measures are suggested like:
- Additional sanity checks to the institution’s business logic for processing withdrawals. Institutions should never process a withdrawal if the total balance they hold in the XRP Ledger does not match their expected assets and obligations.
- Following “Know Your Customer” guidelines and verifying customers’ identities. This way, institutions may be able to recognize and block malicious users in advance or pursue legal action against a malicious actor who exploits their system.
- Institutions listing XRP should create the following accounts: A cold wallet to securely hold the majority of XRP and customers’ funds and one or more hot wallets to conduct the day-to-day business of managing customers’ XRP withdrawals and deposits
XRParcade has been actively monitoring and covering any new XRP listings. In an attempt to raise awareness, we will also be notifying exchanges of the potential danger a simple error on their behalf can lead to.