(1/2) - 22 February 2020

Although never confirmed by Jed McCaleb, the "tacostand" XRP wallet (rEhKZcz5Ndjm9BzZmmKrtvhXPnSWByssDv) is well known to belong to him. Take a quick look at the wallet and its transactions (https://bithomp.com/explorer/rEhKZcz5Ndjm9BzZmmKrtvhXPnSWByssDv) and you will quickly notice that Mr McCaleb manages his funds following a very strict routine. Every morning at 08:02 UTC, 1.7M XRP are sent to another wallet. That wallet, activated by Jed, is then "in charge" of selling the XRP. A rigorous routine is in place there as well. Wait until 09:00 UTC and you will see on the ledger the first "create offer", an offer that usually sells 1M XRP for USD Bitstamp (IOU). Keep an eye on the XRP:USD.Bitstamp orderbook and you will see that the order is algorithmically managed. The price (exchange rate) of the limit order is, if needed, constantly adjusted. As an example, last Thursday (2020-02-20), the limit order was canceled and re-placed 13 times. Jed aims to sell the XRP. The more competitively the offer is priced at the edge of the orderbook, the more chance it has to be filled.

However, this Saturday morning, 22 February 2020, Jed's automated bot sold 1.7M XRP for ... $188,456 USD, meaning that it sold at an approximate XRP:USD price of ... 0.11 USD. The price this Saturday morning was around 0.271 USD. The candle below highlights the magnitude of the slippage.

Details of the transactions:
https://bithomp.com/explorer/E470541E262C6DA171CFCBBD7A115A0F12EADE6B21360DDDC936723093CF6528
https://bithomp.com/explorer/4D705B1F0EC0C4B3DD01198EBDC01345528067F5CC3C280FB16D1C1FED9A8636
https://bithomp.com/explorer/AD536145D6F76EF8E019E897C200F4635DD20ABEE8EC2B20C9140706057C5E5D

A trade has two participants, a buyer and a seller. Selling at a discount of 0.59% means that an individual (or group of individuals) made approx 270,000 USD of profit this morning. Luck or the generosity of Jed's bot is not, as you can guess, the explanation of the dramatic event.

The attacker (https://bithomp.com/explorer/raBmhBNmYFGe5hJ5Gez2MbpNspewctCAGv) has been preparing his/her/their coup de grâce. Although only successful today, the attacker has been groping for the flaw for a while. Transaction activity of the wallet indicates that it has been active on the XRP:USD.Bitstamp trading pair for at least two months. The wallet sold this morning around 1M XRP, clearing all the liquidity / depth of the bids on the orderbook, then placed the first killing order (1), which Jed's bot decided to take, then the second killing order (2). Jed's bot also hit the bid for the latter.
(1): https://bithomp.com/explorer/FEDC30F932389FC34D126172E26ACD10D79CAD78ACEA360B44B82ABA25868087
(2): https://bithomp.com/explorer/0E3372A2F43154B02100CEF29C941FBC85084EF2BDCA65FA7DCD4ACA709F214E

The attacker does not act alone. Sub-wallets 1 (https://bithomp.com/explorer/rHjzw8L2ZBNhLfWw3yv8AY1hf1QYnRMriR) and 2 (https://bithomp.com/explorer/r9ujfsgebDGPEoQP7WFYcVrhEKQZPKVGd7), activated by the one mentioned above, look like they have specific roles: mostly creating counter orders, allowing a front-running kind of strategy.

To be continued... Many interesting unanswered questions:
- What was the specific technical flaw the attacker took advantage of?
- What is the profitability of the attack? (taking into account potential front-running costs - previous tests / iterations before finding the flaw)
- Will the attack repeat itself tomorrow? / Has Jed noticed the event?

(2/2) - 25 February 2020

Yes. As you can see below, the attack has been repeated every day since the first successful attempt. Having more active market participants during the week than at the weekend probably has a positive impact (less slippage) on the losses of Jed's bot, although today's data indicate that the attacker got a +10% discount on the XRP bought.

When yesterday, on Monday February 24th, many bids populated the orderbook, therefore reducing the potential slippage and the arbitrage gain, the attacker did not seem to be discouraged. The malicious wallet even sent a few payments with some interesting memos (here below) to push for more cooperation... Cooperation that was indeed tried, successfully or not, in the past. Look at the memo below regarding a payment sent early January. A payment got some echo (payback, as a sign of approval for cooperation?) from at least one receiver. Please note that the client description below recalls some other events (https://firstname.lastname@example.org/hi-renier-8f887aee027b).

John Nash would have been proud. Even in a decentralised exchange the concept of game theory can stand. Memos can carry text messages, allowing market participants to communicate with each other and therefore look at decisions not in isolation but as being part of different interactions.

As regards the flaw in Jed's bot, it seems that the algorithm takes decisions based on:
- the distance to the best ask: replacing the order to make sure that it is at the edge of the ask side
- the bid-ask spread
- the volume depth of the bids: Jed's bot hits the attacker's bids (in all examples), meaning that Jed's bot decides to hit the bid if the slippage is not too important and if a tight spread (mentioned above) is present

Note that the above are assumptions and educated guesses. Digging into the transactions is probably the best way to know more about it. I am quite surprised that (my assumption) there is no outside / off-ledger element Jed's bot relies on. For instance, the XRP:USD spot price of another (liquid) market, making sure that the decision to place an order on the ledger at price x is not irrational compared to the latter. The best for that is probably the BitMex XRP:USD spot index (https://www.bitmex.com/app/index/.BXRP).

Peace.
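The off-ledger sanity check the post says the bot appears to lack, as an added example in Python (this is not the bot's code, nor the author's; nothing about the real bot's logic is known beyond the guesses above). It simulates a taker selling the daily 1.7M XRP tranche into a bid book two ways: unguarded, hitting whatever is resting, and guarded, refusing any bid level priced more than a chosen percentage below an independent reference price. The 0.271 spot quote and the 1.7M size come from the post; the order book levels, the 2% tolerance and the reference price (a hard-coded constant standing in for an external spot index such as the one the post names) are constructed assumptions.

```python
"""Slippage guard for an automated on-ledger seller (added example).

Models the failure mode described in the post: once the legitimate bid depth
has been swept, a bot that sells into the best available bids without checking
them against an independent reference price will fill a deep bait bid far below
market. The guard refuses to consume any bid level priced below
reference * (1 - max_slippage). All order book data is constructed for the
example; the reference price is a constant standing in for an off-ledger index.
"""
from decimal import Decimal
from typing import Dict, List, Tuple

Bid = Tuple[Decimal, Decimal]  # (price in USD per XRP, size in XRP)

# Assumed parameters. 1.7M and 0.271 are the figures quoted in the post;
# the 2% tolerance is a constructed choice.
QTY = Decimal("1700000")            # the daily tranche to sell
REFERENCE_PRICE = Decimal("0.271")  # stand-in for an off-ledger spot index
MAX_SLIPPAGE = Decimal("0.02")      # tolerate at most a 2% discount to reference


def make_bids(levels: List[Tuple[str, str]]) -> List[Bid]:
    """Build a bid side from (price, size) strings, best (highest) price first."""
    return sorted(((Decimal(p), Decimal(q)) for p, q in levels),
                  key=lambda b: b[0], reverse=True)


def normal_book() -> List[Bid]:
    """Constructed healthy book: depth clustered around the reference price."""
    return make_bids([("0.2710", "200000"), ("0.2705", "500000"),
                      ("0.2700", "1000000"), ("0.2690", "2000000")])


def bait_book() -> List[Bid]:
    """Constructed book after the real bids were swept: a sliver of depth near
    market, then one large bait bid far below it."""
    return make_bids([("0.2680", "20000"), ("0.1100", "5000000")])


def walk_bids(bids: List[Bid], qty: Decimal,
              floor: Decimal = Decimal(0)) -> Dict[str, Decimal]:
    """Simulate a market sell of `qty` against `bids`, best price first.

    Levels priced below `floor` are never consumed; a floor of 0 reproduces an
    unguarded bot that takes whatever is resting on the book.
    """
    remaining, proceeds = qty, Decimal(0)
    for price, size in bids:
        if remaining <= 0 or price < floor:
            break
        take = min(size, remaining)
        proceeds += take * price
        remaining -= take
    filled = qty - remaining
    return {
        "filled": filled,
        "unfilled": remaining,
        "proceeds": proceeds,
        "avg_price": proceeds / filled if filled else Decimal(0),
    }


def guarded_sell(bids: List[Bid], qty: Decimal, reference: Decimal,
                 max_slippage: Decimal) -> Dict[str, Decimal]:
    """Sell only into bids priced at or above reference * (1 - max_slippage)."""
    floor = reference * (Decimal(1) - max_slippage)
    result = walk_bids(bids, qty, floor)
    result["floor"] = floor
    return result


def unguarded_sell(bids: List[Bid], qty: Decimal) -> Dict[str, Decimal]:
    """The behaviour the post attributes to the bot: hit the bids regardless."""
    return walk_bids(bids, qty)


if __name__ == "__main__":
    for name, book in (("normal", normal_book()), ("bait", bait_book())):
        naive = unguarded_sell(book, QTY)
        safe = guarded_sell(book, QTY, REFERENCE_PRICE, MAX_SLIPPAGE)
        print(f"{name:6s} unguarded: filled {naive['filled']} "
              f"at avg {naive['avg_price']:.4f} USD")
        print(f"{name:6s} guarded:   filled {safe['filled']}, "
              f"held back {safe['unfilled']}, floor {safe['floor']} USD")
```

On the healthy book both paths fill the full 1.7M at roughly 0.2703. On the swept book the unguarded path fills everything at about 0.112, while the guard takes only the 20,000 XRP resting near market and holds back the remaining 1.68M: the correct outcome is to wait or re-quote, not to complete the sale. The check is applied per level rather than to the average fill price, so a thin layer of fair bids cannot be used to pull the average up and smuggle a bait level through.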
Question for the more tech-savvy among us: I joined one of the Discord channels that David Schwartz posted about last night. In one of the chats a guy posted a link to a Google Doc of upcoming ICOs. I clicked on it, and afterwards, when I went to log in to one of my exchanges, I got a safety warning from my computer (Mac), which hasn't happened before. I think the warning was that the site might not be private (I can't remember exactly). Obviously I did not proceed to log on. I also realise this might just be a coincidence. Anyone have any knowledge about how secure Google Docs are? I assume they can be used to phish too, but I'm not certain. How do I clean my Mac? I realise these might be naive questions, but you can't be too sure when it comes to zerps (and other cryptos).