XRP Ledger’s ‘partial vulnerability allows user to siphon 7 million XRP’: Bitrue sheds light on ‘bug’

ambcrypto.com 04 May 2019 05:00, UTC

Bitrue exchange detailed the XRP Ledger’s “partial payment vulnerability” to its users and to other exchanges that support and list XRP. The exchange also mentioned that it had succeeded in stopping a user from abusing the bug on its platform.

A few users on the XRP Chat forum highlighted that a user had used this “vulnerability” to fake deposits and dump those “fake XRPs” on the BitoPro exchange. A user, @Yxxyun, commented:

“Taiwan Exchange BitoPro just online XRP trading on their exchange recently, but didn’t handle partial payment correctly, hacker use this feature to fake deposit and then dump the fake XRP, BitoPro’s loss is about 7 million XRP.”

The exchange tweeted:

In response to this attack, we've created this thread to raise awareness for [XRP Partial Payment Vulnerability] and its risks. We encourage all platforms who support $XRP to look into it thoroughly! @WietseWind @Curis_Wang https://t.co/weCqtxmRLU

— Bitrue (@BitrueOfficial) May 2, 2019

The exchange explained “Partial Payment” with the following transaction where the user claimed to send 330,000 XRP but the actual amount delivered was only 0.003255 XRP.

Source: XRPCharts

In addition, the exchange highlighted how new exchanges that list XRP make this mistake. The tweet read:

“Because often the exchange (especially the new ones supporting $XRP) wasn’t aware of the existence of “partial payment”! Thus using the wrong parameter “Amount” to record the payment. The CORRECT parameter to use is and should always be “DeliveredAmount” ‼️”

Source: XRPCharts
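The deposit-handling mistake described above, next to a corrected version, as an added example that is not code from Bitrue, BitoPro or the article. It assumes the rippled JSON shape in which the delivered value appears as `meta.delivered_amount` in drops; the addresses are placeholders and the sample transaction is constructed from the figures quoted above.

```python
from decimal import Decimal

DROPS_PER_XRP = Decimal(1_000_000)
TF_PARTIAL_PAYMENT = 0x00020000  # XRPL Payment flag tfPartialPayment
EXCHANGE_ADDRESS = "rEXCHANGE_PLACEHOLDER"  # assumption: placeholder, not a real account


def credit_naive(tx):
    """The mistake described above: trusts the sender-specified Amount."""
    return Decimal(tx["Amount"]) / DROPS_PER_XRP


def credit_safe(tx):
    """Return XRP to credit from validated metadata; ValueError means manual review."""
    meta = tx.get("meta", {})
    if tx.get("TransactionType") != "Payment" or tx.get("Destination") != EXCHANGE_ADDRESS:
        return Decimal(0)
    if not tx.get("validated") or meta.get("TransactionResult") != "tesSUCCESS":
        return Decimal(0)
    delivered = meta.get("delivered_amount")
    if isinstance(delivered, dict):
        raise ValueError("issued currency delivered, not XRP")
    if not isinstance(delivered, str) or not delivered.isdigit():
        raise ValueError("delivered_amount missing or unavailable")
    return Decimal(delivered) / DROPS_PER_XRP


def is_partial_payment(tx):
    """Worth logging and alerting on: flag set, or delivered differs from Amount."""
    delivered = tx.get("meta", {}).get("delivered_amount")
    return bool(tx.get("Flags", 0) & TF_PARTIAL_PAYMENT) or delivered != tx.get("Amount")


# Constructed sample shaped like a rippled `tx` response, using the figures quoted
# above: Amount claims 330,000 XRP, but only 0.003255 XRP (3255 drops) arrives.
SAMPLE_TX = {
    "TransactionType": "Payment",
    "Destination": EXCHANGE_ADDRESS,
    "Amount": "330000000000",
    "Flags": TF_PARTIAL_PAYMENT,
    "validated": True,
    "meta": {"TransactionResult": "tesSUCCESS", "delivered_amount": "3255"},
}

if __name__ == "__main__":
    print("naive:", credit_naive(SAMPLE_TX), "XRP; safe:", credit_safe(SAMPLE_TX), "XRP")
    print("partial payment:", is_partial_payment(SAMPLE_TX))
```

A deposit pipeline can also run `is_partial_payment` over every incoming payment and alert on hits, since ordinary customer deposits rarely set that flag.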

The tweet thread from Bitrue further outlined that a user had tried to exploit the same vulnerability on its platform, but the attempt failed because the exchange caught it.

6) In the case of BitoPro attack, we identified it was initiated from this address: rERfHy4YmDbKxsuFmzPBhMQCGyFrAGvbra, which was originally activated from our platform. The transaction can be found👇https://t.co/4SnwVd1nJi

— Bitrue (@BitrueOfficial) May 2, 2019

Moreover, the thread stated that since March 08, 2019, over 148 transactions exploiting this vulnerability have been made.

7) Exchanges or addresses that have been attacked (from March 8 till this moment): A total amount of 148 transactions including the following:

a) pic.twitter.com/Dqy1gSThnS

— Bitrue (@BitrueOfficial) May 2, 2019

Wietse Wind, creator of the famed XRP Tip Bot, commented:

“He/she tested almost all exchanges. Even the TipBot (not vulnerable). The TipBot user was https://www.reddit.com/user/9956235689. The account used by the attacker to test all exchanges for the Partial Payment exploit was activated by a deposit from @Bitrue. I contacted them and they are on it.”
