A “Partial Vulnerability” in XRP Ledger Leaves 7 Million XRP Exposed, As Bitrue Explains the “Bug”
Vulnerabilities leave exchanges open to potential theft and fraud, and Bitrue just found a vulnerability with the XRP Ledger, leading to millions of XRP lost. What happened? How can exchanges keep the same thing from happening again?
- Taiwan exchange loses 7 million XRP, due to improperly processing a partial payment on the XRP Ledger
- Bitrue tweets guidance on the correct way for exchanges to handle partial payments.
Investigating a blockchain-based ledger for potential vulnerabilities is the most direct way for a firm to understand what, if anything, it needs to change. In a recent investigation by Bitrue, a “partial payment vulnerability” was found in the XRP Ledger.
While this may sound like an insignificant finding to some, the bug paved the way for a hacker to exploit it.
A tweet by Bitrue explained that BitoPro, an exchange in Taiwan that only just integrated XRP trading, handled a partial payment improperly. In doing so, they left themselves exposed to a hacker, who faked a deposit. The loss for BitoPro was approximately 7 million XRP.
To explain exactly how this impacted users, the exchange used the image below to demonstrate. In the transaction shown, the sender claimed that 330,000 XRP was sent, but the amount actually delivered was 0.003255 XRP.
In response to this attack, we've created this thread to raise awareness for [XRP Partial Payment Vulnerability] and its risks. We encourage all platforms who support $XRP to look into it thoroughly! @WietseWind @Curis_Wang https://t.co/weCqtxmRLU
— Bitrue (@BitrueOfficial) May 2, 2019
The exchange continued with their example, showing exactly how this mistake can be made by exchanges that have XRP listed on their platform.
In the tweet, the exchange explained that most platforms are unaware that a “partial payment” can exist, so they read the transaction's “Amount” parameter to record the deposit. Since “Amount” only states what the sender asked to send, the parameter that must be used instead is “DeliveredAmount,” which records what actually arrived.
4) Because often the exchange (especially the new ones supporting $XRP) wasn't aware of the existence of "partial payment"! Thus using the wrong parameter "Amount" to record the payment. The CORRECT parameter to use is and should always be "DeliveredAmount" ‼️
As illustrated👇 pic.twitter.com/xZstLlYW5J
— Bitrue (@BitrueOfficial) May 2, 2019
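The following is an added example, not code from the article, from Bitrue, or from any exchange involved. It contrasts the mistaken deposit logic (crediting the transaction's `Amount`) with a safer routine that credits only the `delivered_amount` from the validated transaction metadata, after checking the result code, destination and destination tag. The field names are the real XRP Ledger ones; the transaction itself, the addresses and the tag are constructed to mirror the figures quoted in the article and are not real on-ledger data.

```python
from decimal import Decimal

# XRPL tfPartialPayment flag bit: when set, a Payment may deliver less than Amount.
TF_PARTIAL_PAYMENT = 0x00020000
DROPS_PER_XRP = Decimal(1_000_000)

# Constructed sample transaction, in the shape returned by the XRPL `tx` method.
# The values (330,000 XRP claimed, 0.003255 XRP delivered) mirror the article's
# figures; the r... addresses and the tag are placeholders, not real accounts.
SAMPLE_TX = {
    "TransactionType": "Payment",
    "Account": "rSENDER_PLACEHOLDER",
    "Destination": "rEXCHANGE_HOT_WALLET_PLACEHOLDER",
    "DestinationTag": 12345,
    "Amount": "330000000000",      # 330,000 XRP in drops: what the sender *asked* to send
    "Flags": TF_PARTIAL_PAYMENT,   # partial payment permitted
    "validated": True,
    "meta": {
        "TransactionResult": "tesSUCCESS",
        "delivered_amount": "3255",  # 0.003255 XRP in drops: what actually arrived
    },
}


def naive_credit_drops(tx):
    """The mistaken approach: trust Amount. Shown only to illustrate the bug."""
    return int(tx["Amount"])


def is_partial_payment(tx):
    """True when the tfPartialPayment flag is set on the transaction."""
    return bool(tx.get("Flags", 0) & TF_PARTIAL_PAYMENT)


def safe_credit_drops(tx, hot_wallet, expected_tag=None):
    """Return the number of drops to credit, or 0 if the payment must not be credited.

    Only the metadata's delivered_amount is trusted; Amount is never read.
    """
    if not tx.get("validated"):
        return 0  # never credit from a candidate ledger
    if tx.get("TransactionType") != "Payment":
        return 0
    meta = tx.get("meta", {})
    if meta.get("TransactionResult") != "tesSUCCESS":
        return 0  # tec* results are recorded on-ledger but deliver nothing
    if tx.get("Destination") != hot_wallet:
        return 0
    if expected_tag is not None and tx.get("DestinationTag") != expected_tag:
        return 0
    delivered = meta.get("delivered_amount")
    # Very old payments report "unavailable"; refuse to auto-credit those.
    if delivered is None or delivered == "unavailable":
        return 0
    # XRP amounts are plain strings of drops; issued currencies are dicts.
    if not isinstance(delivered, str):
        return 0
    return int(delivered)


def drops_to_xrp(drops):
    """Convert integer drops to an exact XRP Decimal (1 XRP = 1,000,000 drops)."""
    return Decimal(drops) / DROPS_PER_XRP


if __name__ == "__main__":
    wallet = "rEXCHANGE_HOT_WALLET_PLACEHOLDER"
    print("partial payment flag set:", is_partial_payment(SAMPLE_TX))
    print("naive credit (XRP):     ", drops_to_xrp(naive_credit_drops(SAMPLE_TX)))
    print("safe credit (XRP):      ", drops_to_xrp(safe_credit_drops(SAMPLE_TX, wallet, 12345)))
```

Run against the constructed transaction, the naive routine would credit 330,000 XRP while the safe routine credits 0.003255 XRP; the flag check is informational, since the safe path reads `delivered_amount` whether or not the flag is set.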
For further information, the company tweeted two links that users can follow.
5) Reference:
1. https://t.co/IElcK3HEO8
2. https://t.co/1ujAcBnpsT
— Bitrue (@BitrueOfficial) May 2, 2019
Following the BitoPro attack, Bitrue traced the address responsible, which had been activated with a deposit from Bitrue's own platform. The company states that 148 such attacks have taken place since March 8th; one of them targeted Bitrue, but its detection system was not fooled.
8) Among those 148 attacks, 1 was sent to @BitrueOfficial but failed to fool our detection system👇https://t.co/3IdHaWAy3x
— Bitrue (@BitrueOfficial) May 2, 2019
Wietse Wind, creator of the XRP Tip Bot, commented on the matter, explaining that the attacker had tested almost all exchanges (including the Tip Bot, which was not vulnerable) and confirming that the attacker's account had been activated by a deposit from Bitrue.
He/she tested almost all exchanges. Even the TipBot (not vulnerable). The TipBot user was https://t.co/UcaQXPWk2X.
The account used by the attacker to test all exchanges for the Partial Payment exploit was activated by a deposit from @Bitrue. I contacted them and they are on it.
— Wietse Wind { 𝚡𝚛𝚙𝚕𝙳𝚎𝚟: 𝚝𝚛𝚞𝚎 } (@WietseWind) May 2, 2019