Someone Utilized the ‘Partial Payments Exploit’ In The XRP Ledger And Got Away With 7 Million XRPs From An Exchange


The XRP Ledger has a ‘Partial’ Payments Feature/Exploit

This was highlighted by the Bitrue exchange as it explained how a user managed to withdraw 7 million ‘real’ XRP tokens from a Taiwan-based crypto exchange called BitoPro. Some XRP Chat users on Twitter joined Bitrue in expounding on the exposé.

How Did They Do It?

In its explanation, Bitrue mentioned a recently discovered exploit in the XRP Ledger. Apparently, a user can exploit the flaw in “Partial Payment” handling, where the wrong parameter is read, to move free XRP off exchanges. Bitrue explained that instead of using the “amount” parameter when recording payments, exchanges should use “DeliveredAmount”, which is the correct parameter.

The vulnerability allows a user to fake an XRP deposit transaction and then dump the credited “XRP” tokens on the exchange. In this case, the crooked user faked a deposit of 330,000 XRP, but the actual amount delivered was just 0.003255 XRP. In effect, BitoPro ended up losing 7 million XRP. Bitrue took the step of exposing the flaw to let other exchanges and users know about it and save them from further losses.
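The deposit check Bitrue describes, as an added example that is not code from Bitrue, BitoPro or the XRP Ledger project. It assumes the transaction arrives as a rippled-style JSON object with its metadata under `meta`; the deposit address is a placeholder and the sample transaction is constructed from the figures quoted above.

```python
from decimal import Decimal

TF_PARTIAL_PAYMENT = 0x00020000   # Payment flag: may deliver less than Amount
DROPS_PER_XRP = Decimal(1_000_000)
DEPOSIT_ADDRESS = "rEXCHANGE_DEPOSIT_PLACEHOLDER"  # placeholder, not a real account

# Constructed sample using the article's figures: Amount claims 330,000 XRP,
# but the ledger metadata records 0.003255 XRP (3,255 drops) delivered.
SAMPLE_TX = {
    "TransactionType": "Payment",
    "Destination": DEPOSIT_ADDRESS,
    "Amount": "330000000000",
    "Flags": TF_PARTIAL_PAYMENT,
    "validated": True,
    "meta": {"TransactionResult": "tesSUCCESS", "delivered_amount": "3255"},
}

def is_partial_payment(tx):
    return bool(tx.get("Flags", 0) & TF_PARTIAL_PAYMENT)

def naive_credit(tx):
    """Flawed logic: trusts the sender-supplied Amount field."""
    return Decimal(tx["Amount"]) / DROPS_PER_XRP

def safe_credit(tx, deposit_address=DEPOSIT_ADDRESS):
    """Credit only what the validated ledger says was delivered, in XRP."""
    meta = tx.get("meta") or {}
    if tx.get("validated") is not True:
        return Decimal(0)
    if meta.get("TransactionResult") != "tesSUCCESS":
        return Decimal(0)
    if tx.get("TransactionType") != "Payment" or tx.get("Destination") != deposit_address:
        return Decimal(0)
    delivered = meta.get("delivered_amount", meta.get("DeliveredAmount"))
    # XRP is a string of drops; an object means an issued currency, and a
    # missing or "unavailable" value means the amount cannot be trusted.
    if not isinstance(delivered, str) or not delivered.isdigit():
        return Decimal(0)
    return Decimal(delivered) / DROPS_PER_XRP

if __name__ == "__main__":
    print("partial payment flag set:", is_partial_payment(SAMPLE_TX))
    print("naive credit (XRP):", naive_credit(SAMPLE_TX))
    print("safe credit  (XRP):", safe_credit(SAMPLE_TX))
```

Alerting whenever the two results differ on an incoming deposit gives an exchange a cheap detection signal for attempts of this kind.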

148 Transactions

According to Bitrue, there have been around 148 such transactions made since March 8. Bitrue also said that a user had attempted the same trick on its platform, but the attack was quickly stopped as Bitrue had already instituted measures to prevent it.

XRP Tip Bot Not Vulnerable

While some new exchanges might fail to properly capture and specify transaction parameters, the XRP Tip Bot’s creator, Wietse Wind, doesn’t take such chances. According to a comment the company contributed to Bitrue’s thread, the XRP Tip Bot doesn’t have that vulnerability.


Wietse Wind went on to confirm that some attackers had tried that trick on the tipping bot on Reddit, but they didn’t succeed. Wietse Wind has since contacted all the exchanges targeted via the bot to make sure they’re up-to-date with their security status.

