- A vulnerability in the XRPL payment method, called Partial Payment, allows malicious actors to steal millions of XRP.
- Xrplorer tool reports that it has successfully stopped three attacks during June from malicious actors targeting exchanges.
Crypto exchange platforms, merchants and gateways are vulnerable to malicious attacks. This occurs due to a failure to configure the XRPL when it is integrated with the exchange platform or one of the other institutions. In fact, it is a recurring error that has allowed malicious actors to empty wallets containing XRP of a platform or trader.
According to the tool dedicated to prevent and stop this kind of attack, Xrplorer, only during June 3 have been successfully stopped. On their Twitter account, the tool advised the exchanges to check their settings. Xrplorer claims that malicious actors are constantly looking for platforms that allow them to take advantage of the Partial Payments feature.
This feature is part of the XRP Ledger, as mentioned, and is one of the payment methods that allow XRPL. The Partial Payment function allows a sent transaction to deduct the recipient’s transfer fee. That way, if a user is making a return or returning a payment, the transaction fee can be charged to the recipient and the sending user does not incur an additional expense. According to the XRPL GitHub page:
The amount of XRP used for the transaction cost is always deducted from the sender’s account, regardless of the type of transaction. Partial payments can be used to exploit naive integrations with the XRP Ledger to steal money from exchanges and gateways.
How can exchanges avoid the theft of their XRP?
There are clear attack scenarios that the XRPL development team has determined. For exchanges, usually a malicious attack that takes advantage of the Partial Payment vulnerability begins with a transaction that the platform receives. This transaction is usually large and has the Partial Payment notification enabled.
The transaction is accepted but the exchange receives a low amount of the specified currency. The platform reads the transaction, but only sees the field where the initial amount, the large sum of the specified currency, or the metadata field called the delivered_amount is indicated. The compromised institution proceeds to credit the malicious actor with the initial amount on an external system, despite having received a much smaller sum on the XRPL.
In the case of gateways, the malicious actors will look for a means to change the stolen funds to Bitcoin (BTC), Ethereum (ETH) or a cryptocurrency in a blockchain because the transactions are irreversible upon confirmation. For exchanges, attackers could withdraw the funds directly in XRP to the XRP Ledger.
It is recommended that institutions use the delivered_amount field to process their transactions. This should be sufficient, according to the XRP Ledger page, to avoid the vulnerability. In that sense, Xrplorer’s CEO, Thomas Silkjaer, also recommends the following:
Exchanges: Don’t go live with your XRP implementation, before you have tested it. A big warning is at the very beginning of the “List XRP as an Exchange” tutorial on http://xrpl.org and yet I have cringed while watching an unidentified exchange was emptied today.