8 months ago
51 ARTICLE AD
Bitfinex's systems automatically flagged the transaction because it requires a "delivered amount" field, blocking the attempted exploit.
Bitfinex recently faced an attempted exploit, where some $15 billion worth of XRP was at risk of being stolen by an attacker who leveraged a vulnerability in the XRP Ledger network.
Someone attempted to attack @bitfinex via "Partial Payments Exploit".
Attack failed since Bitfinex properly handles 'delivered_amount' data field.https://t.co/EiGw9UQmmq
(updated with better gif) https://t.co/8I7vlO05ou pic.twitter.com/DxOnJLLkhU
— Paolo Ardoino 🍐 (@paoloardoino) January 14, 2024
The incident was initially disclosed by blockchain tracking and research group Whale Alert, which flagged the transaction as unusual, given how it was already nearly half of Ripple’s (XRP) total market capitalization of about $31 billion. Blockchain data indicates that the transfer was worth less than a dollar.
According to Bitfinex CTO Paolo Ardoino, an unidentified threat actor “attempted to attack” the network through a “Partial Payments Exploit” to call a large XRP transfer without authorization.
Partial payments allow transfers to succeed by reducing the received amount. XRP Ledger documents warn that this feature can enable attacks if integrations do not validate delivered amounts.
By exploiting the assumptions of vulnerable systems, attackers can secretly withdraw funds up to the trusted balance before detection. Technically, this is akin to “printing” tokens by crediting crypto without any actual transfer.
The motive behind the attempted exploit remains unclear and is still pending a full investigation by the parties involved.
However, Ardoino reiterates that Bitfinex’s systems automatically flagged the transaction because it requires a “delivered amount” field, effectively blocking out the attempt.
XRP Ledger’s documentation reveals that such an attack vector is already known.
“If a financial institution’s integration with the XRP Ledger assumes that the Amount field of a Payment is always the full amount delivered, malicious actors may be able to exploit that assumption to steal money from the institution,” the documentation details.
The failed exploit attempt incorporated techniques addressed in protocol documentation but did not log any attempts, such as in this particular incident.
In response, organizations such as Bitfinex and other crypto exchanges may need to implement new routines to counter these risks. It is also advisable for infrastructure providers to routinely audit access credentials and enhance validation requirements for privileged information.
Ongoing security threats continue plaguing the crypto ecosystem, highlighting the urgent need for robust protections. Last year alone, over $2 billion was stolen from crypto users through various schemes, demonstrating the incentives and capabilities of bad actors.
The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.
You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.
