
Ripple CTO Sets Record Straight After Failed XRP Hack

Cryptocurrency hacks remain an unchecked plague on the industry, with 160 successful attacks in 2023, netting thieves nearly $1.7 billion in stolen funds. However, January 14 saw cybercriminals fail in their attempt to exploit the Bitfinex exchange via the XRP Ledger’s “partial payments” feature. Regarding the attack, Ripple CTO David Schwartz maintained that the XRP Ledger is not inherently flawed or vulnerable.

Ripple CTO Dismisses Talk of XRP Ledger Vulnerability

In a recent tweet, Schwartz moved swiftly to shut down rumors that the XRP Ledger is inherently flawed or that billions in XRP were ever at risk. The Ripple CTO stated that the partial payments “feature is a standard and secure financial tool” and that media coverage of “billions of XRP moved” was misleading sensationalism, as the amount transferred came to just a few cents.

Schwartz praised Bitfinex for handling the incident appropriately by following Ripple’s guidelines for secure configuration and integration of the partial payments function, thus stopping the attempted exploit from ever occurring. With that, Schwartz reminded institutions that “proper configuration and integration cannot be understated.”

Partial payments are a specialized payment type that allows a flexible payment amount. The feature lets the transaction sender send a payment that delivers less than the amount sent, which may be used for returning unwanted payments without incurring additional costs. However, this function can be exploited if an institution’s XRP Ledger integration is not properly configured.

How Hackers Can Exploit Partial Payments

Hackers can exploit an institution’s improperly configured XRP Ledger integration by sending the institution a transaction that states a large amount but delivers only a small partial payment of actual funds. The transaction is confirmed, and the vulnerable institution reads the large stated amount without cross-checking the amount actually received.

Assuming all is well, the institution credits the hacker with the large transaction, even though only a small amount of XRP was received. The hacker can then withdraw the ill-gotten funds to another wallet before the institution notices the mistake.

While the attacker may have completed a field to send 25 billion XRP to Bitfinex using the partial payment feature, engineer “NIKB” confirmed that the actual partial payment made was $0.001.
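The cross-check described above, as an added example (not code from Ripple, Bitfinex or the original article): a deposit handler should credit the `delivered_amount` recorded in the transaction metadata, never the `Amount` field. The record shape follows a rippled `tx` response as an assumption, and the addresses and amounts are constructed placeholders, not values from the incident.

```python
from decimal import Decimal

TF_PARTIAL_PAYMENT = 0x00020000      # tfPartialPayment flag on Payment transactions
DROPS_PER_XRP = Decimal(1_000_000)   # XRP amounts are strings of integer drops

# Constructed sample: Amount claims 25 billion XRP, metadata shows 1000 drops delivered.
SAMPLE_TX = {
    "TransactionType": "Payment",
    "Account": "rSENDER_PLACEHOLDER",
    "Destination": "rEXCHANGE_PLACEHOLDER",
    "Amount": "25000000000000000",
    "Flags": TF_PARTIAL_PAYMENT,
    "validated": True,
    "meta": {"TransactionResult": "tesSUCCESS", "delivered_amount": "1000"},
}

def is_partial_payment(tx: dict) -> bool:
    """True when the sender set tfPartialPayment."""
    return bool(tx.get("Flags", 0) & TF_PARTIAL_PAYMENT)

def naive_credit(tx: dict) -> Decimal:
    """Misconfigured integration: trusts the Amount field as the sum received."""
    return Decimal(tx["Amount"]) / DROPS_PER_XRP

def safe_credit(tx: dict, our_address: str) -> Decimal:
    """XRP to credit our_address, based only on what the ledger delivered."""
    meta = tx.get("meta") or {}
    if not tx.get("validated"):
        return Decimal(0)            # not in a validated ledger yet
    if tx.get("TransactionType") != "Payment":
        return Decimal(0)
    if tx.get("Destination") != our_address:
        return Decimal(0)
    if meta.get("TransactionResult") != "tesSUCCESS":
        return Decimal(0)            # failed transactions deliver nothing
    delivered = meta.get("delivered_amount")
    # XRP is a string of drops. An object means an issued currency, and the
    # string "unavailable" can appear for very old ledgers: credit neither.
    if not isinstance(delivered, str) or not delivered.isdigit():
        return Decimal(0)
    return Decimal(delivered) / DROPS_PER_XRP

if __name__ == "__main__":
    print("partial payment flag:", is_partial_payment(SAMPLE_TX))
    print("naive credit (XRP):  ", naive_credit(SAMPLE_TX))
    print("safe credit (XRP):   ", safe_credit(SAMPLE_TX, "rEXCHANGE_PLACEHOLDER"))
```

A large gap between the two results on a flagged transaction is also a useful alerting signal for a deposit pipeline.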
