yxxyun

Taiwan Exchange BitoPro hacked due to XRP partial payment


48 minutes ago, Hodor said:

It's not a bug.  It's a feature that new exchanges sometimes don't understand, and it's clearly documented and warned about:

https://developers.ripple.com/partial-payments.html

I wonder if exchanges get any training when they start trading XRP. Maybe a training/technical help company could be financed under the Xpring initiative.

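Added example, not from any post in this thread and not BitoPro's or Ripple's code, showing what the partial-payments page Hodor linked means for an exchange's deposit watcher. A Payment carrying the tfPartialPayment flag succeeds as soon as it delivers any positive amount, so its `Amount` field is only what the sender asked for; the amount that actually moved is `meta.delivered_amount`. The exchange address, the destination-tag table and both transaction dicts are constructed for the example (the dict shape mirrors the JSON rippled returns for a transaction; the addresses are placeholders).

```python
"""
Added example: crediting incoming XRP deposits safely.

Vulnerable path: credit the requested `Amount`.
Defensive path: credit only `meta.delivered_amount` of a validated, tesSUCCESS Payment
to our address with a known destination tag.
All addresses, tags and transactions below are constructed placeholders.
"""

TF_PARTIAL_PAYMENT = 0x00020000      # Payment flag: may deliver less than Amount
DROPS_PER_XRP = 1_000_000            # XRP amounts are expressed in drops

EXCHANGE_ADDRESS = "rEXCHANGEHOTWALLETPLACEHOLDERxxxxxx"   # placeholder, not a real address
CUSTOMER_TAGS = {12345: "alice", 67890: "bob"}              # placeholder destination-tag table


def credit_naive(tx):
    """Vulnerable crediting: trusts the requested Amount. Returns drops to credit."""
    return int(tx["Amount"])


def credit_checked(tx):
    """Defensive crediting. Returns (customer, drops), or None if nothing should be credited."""
    if not tx.get("validated"):
        return None                                   # not yet in a validated ledger
    if tx.get("TransactionType") != "Payment":
        return None
    if tx.get("Destination") != EXCHANGE_ADDRESS:
        return None
    meta = tx.get("meta") or {}
    if meta.get("TransactionResult") != "tesSUCCESS":
        return None                                   # tec* results are recorded but move no funds
    delivered = meta.get("delivered_amount")
    if not isinstance(delivered, str) or delivered == "unavailable":
        # None/"unavailable": old tx without the field; dict: an issued currency, not XRP
        return None
    customer = CUSTOMER_TAGS.get(tx.get("DestinationTag"))
    if customer is None:
        return None                                   # missing/unknown tag: hold for reconciliation
    return customer, int(delivered)


def is_partial(tx):
    """True when the sender set tfPartialPayment; useful for alerting, never for crediting."""
    return bool(tx.get("Flags", 0) & TF_PARTIAL_PAYMENT)


def reconcile(txs):
    """Run credit_checked over a batch; returns ({customer: drops}, [held tx hashes])."""
    credits, held = {}, []
    for tx in txs:
        result = credit_checked(tx)
        if result is None:
            held.append(tx.get("hash"))
        else:
            customer, drops = result
            credits[customer] = credits.get(customer, 0) + drops
    return credits, held


# --- constructed sample transactions (not real ledger data) -------------------
PARTIAL_DEPOSIT = {
    "hash": "CONSTRUCTED_TX_1",
    "TransactionType": "Payment",
    "Account": "rSENDERPLACEHOLDERxxxxxxxxxxxxxxxxx",
    "Destination": EXCHANGE_ADDRESS,
    "DestinationTag": 12345,
    "Amount": str(7_000_000 * DROPS_PER_XRP),        # asks to deliver 7,000,000 XRP
    "SendMax": {"currency": "USD", "issuer": "rISSUERPLACEHOLDERxxxxxxxxxxxxxxxxx", "value": "1"},
    "Flags": TF_PARTIAL_PAYMENT,
    "validated": True,
    "meta": {"TransactionResult": "tesSUCCESS", "delivered_amount": "1000000"},  # 1 XRP arrived
}

FULL_DEPOSIT = {
    "hash": "CONSTRUCTED_TX_2",
    "TransactionType": "Payment",
    "Account": "rSENDERPLACEHOLDERxxxxxxxxxxxxxxxxx",
    "Destination": EXCHANGE_ADDRESS,
    "DestinationTag": 67890,
    "Amount": str(2 * DROPS_PER_XRP),
    "Flags": 0,
    "validated": True,
    "meta": {"TransactionResult": "tesSUCCESS", "delivered_amount": str(2 * DROPS_PER_XRP)},
}

NO_TAG_DEPOSIT = dict(FULL_DEPOSIT, hash="CONSTRUCTED_TX_3")
del NO_TAG_DEPOSIT["DestinationTag"]            # deposit without a tag: hold, do not credit

if __name__ == "__main__":
    for tx in (PARTIAL_DEPOSIT, FULL_DEPOSIT):
        print(tx["hash"], "partial" if is_partial(tx) else "full",
              "| naive credit:", credit_naive(tx) / DROPS_PER_XRP, "XRP",
              "| checked credit:", credit_checked(tx))
    print(reconcile([PARTIAL_DEPOSIT, FULL_DEPOSIT, NO_TAG_DEPOSIT]))
```

The naive function credits 7,000,000 XRP for the first constructed transaction while the ledger moved 1 XRP; the checked function credits the 1 XRP, refuses the untagged deposit, and ignores anything that is unvalidated or did not end in tesSUCCESS. Alerting on `is_partial` is cheap and gives a deposit desk an early signal, but the crediting decision must rest on `delivered_amount` alone.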
3 minutes ago, ed1 said:

I wonder if exchanges get any training when they start trading XRP. Maybe a training/technical help company could be financed under the Xpring initiative.

They could just open source their connection code and ask for reviews, and/or ask for help here, and/or hire someone who already knows the XRPL.

If they don't already read the documentation, how would that company get in touch with exchanges?

8 hours ago, yxxyun said:

Taiwan exchange BitoPro just launched XRP trading on their exchange recently, but didn't handle partial payments correctly; a hacker used this feature to fake deposits and then dump the fake XRP. BitoPro's loss is about 7 million XRP.

Exchange mistake. But here's something for @yxxyun to stew on: real security issues.

Edited by Phintech

Guest

Is there a public statement or article about this? 

I'm not seeing anything on their site, Twitter, Medium or Facebook. 

Edited by Guest

Guest
7 minutes ago, xrpscan said:

According to the BitoPro data, the 24-hour trading volume of the Ripcoco is 9,486,522, which is conservatively estimated to sell about 7 million Ripple coins. Based on the current data of CoinMarketCap, the current price of Ripco is about NT$9, up to NT$63 million.

However, in response to the plunge, the Chief Executive of the Currency, Zheng Guangtai, told the moving area today that there were not so many actual losses, mostly false transactions.

The actual amount of the loss is still pending announcement by the exchange.

According to the Ripple Distributed Book Browser, two Ripplecoin addresses (1, 2) that may be owned by the currency are displayed. BitoPro only placed the Ripple Coin (XRP) transaction on April 29, and was on the third day of the run. According to the traceability analysis of the blockchain security team Diffuse Technology, the attack may be a mistake in the recharge and proofreading of BitoPro and XRP decentralized books, so there is a recharge hole.

Zheng Guangtai also said that the coin-trust engineering team is in the process of repairing and will formulate a user compensation plan after the roll-back transaction to further announce.

So I guess we'll have to see how much was actually hacked, unless @yxxyun has a source for the amount hacked. From the article, 7 million doesn't appear to be how much was hacked, rather sales or volume. It's Google translated.

Edited by Guest

2 hours ago, Sukrim said:

It is apparently cheaper for them to lose 2 million USD than to ask first publicly or read documentation. I'm not sure if there's really a market for these services.

Usually in these kinds of situations a good starting point would be to do market research first, where several cryptocurrency exchanges are polled or even interviewed before the new company is founded. The results might give insight into the market demand. I agree it could be a hard sell to get customers today, but maybe in the near future the demand will be there. At least the exchange hacks will do part of the selling on their own.

1 hour ago, Sukrim said:

Well, the bug was in the software of the exchange, not in rippled.

"After inspecting the code of your software we found out vulnerabilities X, Y and Z. Here is the IT security report for X,XXX USD. We can fix these vulnerabilities for you with additional price tag XX,XXX USD or you can employ someone else to fix them for you."

1 hour ago, Phintech said:

Exchange mistake. But here's something for @yxxyun to stew on: real security issues.

This is quite interesting; I think it should be discussed in a new topic.

Lazy validator operators use the default configuration, causing centralization.

2 hours ago, hallwaymonitor said:

Usually in these kinds of situations a good starting point would be to do market research first, where several cryptocurrency exchanges are polled or even interviewed before the new company is founded. The results might give insight into the market demand. I agree it could be a hard sell to get customers today, but maybe in the near future the demand will be there. At least the exchange hacks will do part of the selling on their own.

"After inspecting the code of your software we found out vulnerabilities X, Y and Z. Here is the IT security report for X,XXX USD. We can fix these vulnerabilities for you with additional price tag XX,XXX USD or you can employ someone else to fix them for you."

For security audits:

https://www.slowmist.com/en/index.html#service 

and my source is from them.

42 minutes ago, yxxyun said:

For security audits:

https://www.slowmist.com/en/index.html#service 

and my source is from them.

This is what I was talking about. I bet there will be more and more demand for these kinds of services, especially in the near future.

  • The crypto world will very likely grow as more consumers and institutions join, especially after the next bull market. The more money in the crypto ecosystem, the more scammers/hackers will try to get a piece of the pie.
  • Regulations are coming. In the future it won't be so easy to found a new shady crypto exchange and start to hustle.
  • Quadriga incident: https://www.bbc.com/news/world-us-canada-47203706
  • Very basic spoon-feeding of best practices. Yes, you could just Google stuff and figure it out on your own, but if even something like Coinbase manages to screw up very basic stuff, then I'm afraid there is similar stuff in many other exchanges. https://ambcrypto.com/coinbase-xrp-destination-tag-rumpus-how-a-missing-number-led-to-loss-of-funds-and-a-twitter-war/
  • IT audits that have been performed can be used in marketing, because they might bring new customers to the exchange.

[Attached image: screenshot of SlowMist - Focusing on Blockchain Ecosystem Security (Exchange Security Audit)]
