(1/2) - 22 February 2020
Although never confirmed by Jed McCaleb, the "tacostand" XRP wallet (rEhKZcz5Ndjm9BzZmmKrtvhXPnSWByssDv) is well-known to belong to him.
Take a quick look at the wallet and its transactions (https://bithomp.com/explorer/rEhKZcz5Ndjm9BzZmmKrtvhXPnSWByssDv) and you will notice that Mr McCaleb manages his funds following a very strict routine. Every morning at 08:02 UTC, 1.7M XRP are sent to another wallet.
That wallet, activated by Jed, is then "in charge" of selling the XRP, and it too follows a rigorous routine. Wait until 09:00 UTC and you will see the first "create offer" on the ledger, an offer that usually sells 1M XRP for USD Bitstamp (IOU).
Keep an eye on the XRP:USD.Bitstamp orderbook and you will see that the order is algorithmically managed. The price (exchange rate) of the limit order is, if needed, constantly adjusted. As an example, last Thursday (2020-02-20), the limit order was canceled and re-placed 13 times.
Jed aims to sell the XRP. The closer the offer sits to the edge of the orderbook, that is, the more competitive its price, the more likely it is to be filled.
However, this Saturday morning, 22 February 2020, Jed's automated bot sold 1.7M XRP for ... $188,456 USD, meaning that it sold at an approximate XRP:USD price of ... 0.11 USD, while the price this Saturday morning was around 0.271 USD.
The candle below highlights the magnitude of the slippage.
Details of the transactions:
A trade has two participants, a buyer and a seller. Selling at a discount of 0.59% means that an individual (or group of individuals) made approx. 270,000 USD of profit this morning. As you can guess, neither luck nor the generosity of Jed's bot explains this dramatic event.
The attacker (https://bithomp.com/explorer/raBmhBNmYFGe5hJ5Gez2MbpNspewctCAGv) has been preparing his/her/their coup de grâce. Although only successful today, the attacker has been probing for the flaw: the wallet's transaction activity indicates that it has been active on the XRP:USD.Bitstamp trading pair for at least two months.
This morning the wallet sold around 1M XRP, clearing all the liquidity (depth) on the bid side of the orderbook, then placed the first killing order (1), which Jed's bot decided to take, then the second killing order (2). Jed's bot also hit the bid for the latter.
The attacker does not act alone. Sub-wallets 1 (https://bithomp.com/explorer/rHjzw8L2ZBNhLfWw3yv8AY1hf1QYnRMriR) and 2 (https://bithomp.com/explorer/r9ujfsgebDGPEoQP7WFYcVrhEKQZPKVGd7), activated by the wallet mentioned above, appear to have specific roles: mostly creating counter orders, allowing a front-running kind of strategy.
To be continued...
Many interesting unanswered questions:
- What was the specific technical flaw the attacker took advantage of?
- What is the profitability of the attack? (taking into account potential front running costs - previous tests / iterations before finding the flaw)
- Will the attack repeat itself tomorrow? / Had Jed noticed the event?
(2/2) - 25 February 2020
Yes. As you can see below, the attack has been repeated every day since the first successful attempt.
Having more active market participants during the week than at the weekend probably has a positive impact (less slippage) on the loss of Jed's bot, although today's data indicate that the attacker had a +10% discount on the XRP bought.
Yesterday, Monday February 24th, many bids populated the orderbook, reducing the potential slippage and the arbitrage gain, yet the attacker does not seem to be discouraged. The malicious wallet even sent a few payments with some interesting memos (below) to push for more cooperation...
Such cooperation was indeed attempted, successfully or not, in the past. Look at the memo below regarding a payment sent in early January.
A payment got some echo (a payback, as a sign of approval for cooperation?) from at least one receiver. Please note that the client description below recalls some other events (https://email@example.com/hi-renier-8f887aee027b).
John Nash would have been proud. Even on a decentralised exchange, the concepts of game theory hold. Memos can carry text messages, allowing market participants to communicate with each other and therefore to make decisions not in isolation but as part of a set of interactions.
As regards the flaw in Jed's bot, it seems that the algorithm takes decisions based on:
- the distance to the best ask: replacing the order to make sure that it is at the edge of the ask side
- the bid-ask spread
- the volume depth of the bids: Jed's bot hits the attacker's bids (in all examples), meaning that Jed's bot decides to hit the bid if the slippage is not too large and if the spread is tight (as mentioned above)
Note that the above are assumptions and educated guesses. Digging into the transactions is probably the best way to know more about it.
I am quite surprised that (my assumption) there is no outside / off-ledger element that Jed's bot relies on. For instance, the XRP:USD spot price of another (liquid) market, making sure that the decision to place an order on the ledger at x price is not irrational compared to the latter. The best for that being probably the BitMEX XRP:USD spot index (https://www.bitmex.com/app/index/.BXRP).
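The sketch below is an added example, not code from Jed's bot or from the original post. It models the guessed on-ledger-only rule (tight spread, low slippage relative to the best bid) next to the same rule with an off-ledger reference-price check. All function names, thresholds and order-book values are assumptions constructed for illustration; only the 1.7M XRP size and the 0.11 / 0.271 USD prices come from the text.

```python
from dataclasses import dataclass

@dataclass
class Level:
    price: float  # USD per XRP
    size: float   # XRP available at this price

def avg_fill_price(bids, qty):
    """Average price obtained by selling qty XRP into bids (best bid first)."""
    remaining, proceeds = qty, 0.0
    for lvl in bids:
        take = min(remaining, lvl.size)
        proceeds += take * lvl.price
        remaining -= take
        if remaining <= 0:
            return proceeds / qty
    return None  # not enough depth to fill the whole order

def naive_should_hit(bids, asks, qty, max_spread=0.02, max_slippage=0.02):
    """Assumed on-ledger-only rule: every input comes from the same orderbook."""
    fill = avg_fill_price(bids, qty)
    if fill is None or not asks:
        return False
    best_bid, best_ask = bids[0].price, asks[0].price
    spread = (best_ask - best_bid) / best_ask
    slippage = (best_bid - fill) / best_bid  # measured against the book itself
    return spread <= max_spread and slippage <= max_slippage

def guarded_should_hit(bids, asks, qty, reference_price, max_deviation=0.03):
    """Same rule, plus a sanity check against an off-ledger reference price."""
    if not naive_should_hit(bids, asks, qty):
        return False
    fill = avg_fill_price(bids, qty)
    return (reference_price - fill) / reference_price <= max_deviation

QTY = 1_700_000   # daily amount from the post
REFERENCE = 0.271  # external spot price that morning, from the post

# Constructed book after the real bids were cleared: one deep bid far below
# market with an ask parked just above it, so the spread looks tight.
thin_bids = [Level(0.110, 2_000_000)]
thin_asks = [Level(0.111, 500_000)]

# Constructed healthy book near the external price.
healthy_bids = [Level(0.270, 1_000_000), Level(0.269, 1_000_000)]
healthy_asks = [Level(0.271, 500_000)]

if __name__ == "__main__":
    for name, b, a in (("thin", thin_bids, thin_asks),
                       ("healthy", healthy_bids, healthy_asks)):
        print(name, naive_should_hit(b, a, QTY),
              guarded_should_hit(b, a, QTY, REFERENCE))
```

On the constructed thin book the on-ledger rule accepts the sale at 0.11 USD because spread and slippage are both measured against the manipulated book, while the reference-price check rejects it.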