Someone Utilized the ‘Partial Payments Exploit’ In The XRP Ledger And Got Away With 7 Million XRP From An Exchange


The XRP Ledger’s ‘Partial Payments’ Feature, and How It Is Being Exploited

This was highlighted by the Bitrue exchange, which explained how a user managed to withdraw 7 million ‘real’ XRP from BitoPro, a Taiwan-based crypto exchange. Several XRP Chat users on Twitter joined Bitrue in expanding on the exposé.

How Did They Do It?

In its explanation, Bitrue pointed to a recently publicized exploit involving the XRP Ledger’s “Partial Payment” feature. A user can send a partial payment whose “Amount” field is far larger than what is actually delivered; an exchange that records deposits from that field credits the inflated figure and lets the user withdraw XRP that was never deposited. Bitrue explained that instead of the “Amount” parameter, exchanges should record deposits using “DeliveredAmount” (exposed as `delivered_amount` in the transaction metadata), which is the amount that actually arrived.

The vulnerability lets a user submit a deposit whose nominal amount is far higher than what actually arrives, get credited for the nominal amount, and then sell or withdraw the “XRP” the exchange wrongly credited. In this case, the crooked user’s deposit carried a nominal amount of 330,000 XRP, but the XRP actually delivered was just 0.003255 XRP. In effect, BitoPro ended up losing 7 million XRP. Bitrue took the step of exposing the flaw so that other exchanges and users would know about it and be spared further losses.
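The check Bitrue describes, written out as an added example (this is not code from Bitrue, BitoPro, the XRP Tip Bot or the XRP Ledger project): the vulnerable crediting logic that trusts the `Amount` field, beside a hardened version that credits only `meta.delivered_amount` from a validated, successful transaction. The two transaction records, the exchange address, the sender addresses and the hash strings are constructed for the example; the amounts are set to the article’s figures of 330,000 XRP claimed versus 0.003255 XRP delivered. The field names themselves (`Amount`, `Flags`, `Destination`, `DestinationTag`, `validated`, `meta.TransactionResult`, `meta.delivered_amount`) and the `tfPartialPayment` flag value are real XRPL fields.

```python
"""Crediting XRP deposits safely in the presence of partial payments.

Added example; not code from Bitrue, BitoPro, the XRP Tip Bot or the XRP
Ledger project. The transaction dicts are constructed by hand in the shape
of a rippled `tx` API response. Addresses, hashes and values are made up;
the amounts match the figures in the article.
"""
from decimal import Decimal

TF_PARTIAL_PAYMENT = 0x00020000   # XRPL Payment flag: partial delivery allowed
DROPS_PER_XRP = 1_000_000         # 1 XRP = 1,000,000 drops

EXCHANGE_ADDRESS = "rEXCHANGEHOTWALLET000000000000000"   # hypothetical

# Constructed: a partial payment whose Amount claims 330,000 XRP
# (330,000,000,000 drops) while only 3255 drops (0.003255 XRP) arrived.
PARTIAL_PAYMENT_TX = {
    "hash": "CONSTRUCTED_HASH_PARTIAL",
    "TransactionType": "Payment",
    "Account": "rATTACKER000000000000000000000000",
    "Destination": EXCHANGE_ADDRESS,
    "DestinationTag": 12345,
    "Amount": "330000000000",
    "Flags": TF_PARTIAL_PAYMENT,
    "validated": True,
    "meta": {"TransactionResult": "tesSUCCESS", "delivered_amount": "3255"},
}

# Constructed: an ordinary 100 XRP deposit with no partial-payment flag.
HONEST_TX = {
    "hash": "CONSTRUCTED_HASH_HONEST",
    "TransactionType": "Payment",
    "Account": "rCUSTOMER00000000000000000000000",
    "Destination": EXCHANGE_ADDRESS,
    "DestinationTag": 12345,
    "Amount": "100000000",
    "Flags": 0,
    "validated": True,
    "meta": {"TransactionResult": "tesSUCCESS", "delivered_amount": "100000000"},
}


def is_partial_payment(tx: dict) -> bool:
    """True if the sender set tfPartialPayment, i.e. Amount is only an upper bound."""
    return bool(tx.get("Flags", 0) & TF_PARTIAL_PAYMENT)


def naive_credit_drops(tx: dict) -> int:
    """The mistake the article describes: credit whatever the Amount field says.

    For the partial payment above this credits the attacker's claimed 330,000 XRP.
    """
    if tx.get("TransactionType") != "Payment" or tx.get("Destination") != EXCHANGE_ADDRESS:
        return 0
    return int(tx["Amount"])


def safe_credit_drops(tx: dict) -> int:
    """Credit only what the validated ledger metadata says was delivered.

    Returns 0 (credit nothing) for anything that cannot be verified: an
    unvalidated transaction, a non-tesSUCCESS result, a non-XRP amount, or
    metadata without a usable delivered_amount.
    """
    if not tx.get("validated"):
        return 0                      # only trust transactions in a validated ledger
    if tx.get("TransactionType") != "Payment" or tx.get("Destination") != EXCHANGE_ADDRESS:
        return 0
    meta = tx.get("meta") or {}
    if meta.get("TransactionResult") != "tesSUCCESS":
        return 0                      # tec* results are in the ledger but delivered nothing
    delivered = meta.get("delivered_amount")
    # XRP amounts are decimal strings of drops. Issued-currency amounts are
    # dicts, and "unavailable" marks very old partial payments: credit neither.
    if not isinstance(delivered, str) or not delivered.isdigit():
        return 0
    return int(delivered)


def drops_to_xrp(drops: int) -> Decimal:
    """Exact drop-to-XRP conversion; never use floats for balances."""
    return Decimal(drops) / Decimal(DROPS_PER_XRP)


if __name__ == "__main__":
    for tx in (PARTIAL_PAYMENT_TX, HONEST_TX):
        print(tx["hash"], "partial" if is_partial_payment(tx) else "full",
              "naive:", drops_to_xrp(naive_credit_drops(tx)),
              "safe:", drops_to_xrp(safe_credit_drops(tx)))
```

Checking the `tfPartialPayment` flag is a useful signal for flagging or rejecting a deposit, but it is not a substitute for reading `delivered_amount`: the delivered figure is the only number the ledger guarantees, so the credit must come from it regardless of the flag. A real deposit pipeline would also route the credit by `DestinationTag` and deduplicate by transaction hash.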

148 Transactions

According to Bitrue, there have been around 148 such transactions since March 8. Bitrue also said that a user had attempted the same trick on its platform, but the attempt failed because Bitrue had already put measures in place to prevent it.

XRP Tip Bot Not Vulnerable

While some newer exchanges may fail to capture and check the right transaction parameters, Wietse Wind, creator of the XRP Tip Bot, doesn’t take such chances. In a comment he contributed to Bitrue’s thread, Wind stated that the XRP Tip Bot does not have this vulnerability.


Wind went on to confirm that some attackers had tried the same trick on the tipping bot on Reddit, without success. He has since contacted all the exchanges targeted through the bot to make sure they are up to date on the issue and its mitigation.