Exchange wallets are losing millions in XRP to malicious attacks

  • According to a report, several exchanges fell victim to a hack because they incorrectly implemented the “partial payment” feature of the XRP Ledger.
  • The Xrplorer tool reports that it successfully stopped three attacks by malicious actors targeting exchanges in June.

Crypto exchange platforms, merchants and gateways are vulnerable to malicious attacks. This is because the XRPL is often not configured correctly when it is integrated with an exchange platform or one of the other institutions. In fact, it is a recurring integration bug that has allowed malicious actors to drain XRP from a platform's or a merchant's wallets.

According to Xrplorer, the tool used to detect and stop this type of attack, it successfully stopped one such attack as recently as June 3rd. On their Twitter account, the tool's operators advised exchanges to check their settings. Xrplorer claims that malicious actors are constantly looking for platforms that let them abuse the partial payment feature.

As mentioned, this function is part of the XRP Ledger and is one of the payment options the XRPL supports. The partial payment feature allows a sent transaction to have the recipient's transfer fee deducted from the amount delivered. In this way, for a refund or a payment by a user, the transfer fee can be charged to the recipient and the sending user does not incur any additional costs. According to the XRPL GitHub page:

The XRP amount used for transaction costs is always deducted from the sender’s account regardless of the type of transaction. Partial payments can be used to take advantage of naive integrations with the XRP ledger to steal money from exchanges and gateways.

How Can Exchanges Avoid Having Their XRP Stolen?

There are clear attack scenarios that the XRPL development team has identified. On exchanges, a malicious attack exploiting the partial payment vulnerability usually begins with a transaction that the platform receives. This transaction is usually large and has the partial payment flag enabled.

The transaction is accepted, but the exchange actually receives only a small amount of the specified currency. The platform reads the transaction but only looks at the field holding the initial amount, the large sum of the specified currency, rather than the delivered amount recorded in the metadata. The compromised institution then credits the malicious actor with the initial amount on its external system, even though it received a much smaller amount on the XRPL.

In the case of gateways, the malicious actors will look for a way to exchange the stolen funds into Bitcoin (BTC), Ethereum (ETH) or a cryptocurrency on another blockchain, since those transactions are irreversible once confirmed. On exchanges, attackers can withdraw the funds directly as XRP on the XRP Ledger.

It is recommended that institutions use the delivered_amount field to process their transactions. According to the XRP Ledger documentation, this should be enough to avoid the vulnerability. With this in mind, Xrplorer's CEO Thomas Silkjaer also recommends the following:

Exchanges: Don't go live with your XRP implementation until you've tested it. There is a big warning at the very beginning of the “List XRP as Exchange” tutorial, and yet I shrugged when I watched an unidentified exchange get emptied today.

We intercepted 3 successful partial payment exploit attacks within one month, recorded by our systems in real time. Exchanges, please check your implementations. There are bad actors constantly testing for vulnerabilities!

– (@xrplorer) June 21, 2020
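The delivered_amount recommendation above, shown as an added example of a deposit-crediting check (this is not code from the article, from Xrplorer or from the XRP Ledger project). It assumes the JSON shape returned by rippled's tx API (an Amount string in drops for XRP, meta.delivered_amount, and the tfPartialPayment flag bit 0x00020000); the sample transaction and its addresses are constructed.

```python
import json
from decimal import Decimal

TF_PARTIAL_PAYMENT = 0x00020000  # tfPartialPayment flag bit on a Payment

# Constructed sample: a validated Payment with the partial payment flag set.
# Amount claims 1,000,000 XRP, but only 1 XRP actually reached the destination.
SAMPLE_TX = json.loads("""{
  "TransactionType": "Payment",
  "Account": "rSENDERPLACEHOLDERxxxxxxxxxxxxxxxx",
  "Destination": "rEXCHANGEPLACEHOLDERxxxxxxxxxxxxxx",
  "Amount": "1000000000000",
  "Flags": 131072,
  "validated": true,
  "meta": {"TransactionResult": "tesSUCCESS", "delivered_amount": "1000000"}
}""")


def drops_to_xrp(drops: str) -> Decimal:
    """1 XRP = 1,000,000 drops; Decimal avoids float rounding on balances."""
    return Decimal(drops) / Decimal(1_000_000)


def is_partial_payment(tx: dict) -> bool:
    """True when the sender allowed the ledger to deliver less than Amount."""
    return bool(tx.get("Flags", 0) & TF_PARTIAL_PAYMENT)


def naive_credit(tx: dict) -> Decimal:
    """The buggy integration: credits the nominal Amount field."""
    return drops_to_xrp(tx["Amount"])


def safe_credit(tx: dict, our_address: str) -> Decimal:
    """Credits only what the ledger metadata says was delivered to us."""
    if not tx.get("validated"):
        raise ValueError("transaction is not in a validated ledger")
    if tx.get("TransactionType") != "Payment" or tx.get("Destination") != our_address:
        raise ValueError("not a Payment to our address")
    meta = tx.get("meta", {})
    if meta.get("TransactionResult") != "tesSUCCESS":
        raise ValueError("transaction did not succeed")
    delivered = meta.get("delivered_amount")
    # Ledgers before 2014 report "unavailable"; never fall back to Amount there.
    if delivered is None or delivered == "unavailable":
        raise ValueError("delivered_amount unavailable; refuse to credit")
    if not isinstance(delivered, str):
        raise ValueError("issued currency, not XRP; handle separately")
    return drops_to_xrp(delivered)
```

For the constructed sample, naive_credit returns 1000000 XRP while safe_credit returns 1 XRP, which is the gap an attacker converts into a withdrawal.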
