Jump to content
ripplerm

[Solved]: a Bug and a new kind of Attack on RCL.

Recommended Posts

=== Edited =================

the bug was fixed on 12-Mar-2017.

commit on github: https://github.com/ripple/rippled/commit/0b187a6a4eb503c91efca997aae32c4c9b45f115
release note: https://github.com/ripple/rippled/commit/2e632b166074b64164ce6b0f5b49a05b42e8090e

the bug detail: https://www.xrpchat.com/topic/3216-warning-a-bug-and-a-new-kind-of-attack-on-rcl/?page=5#comment-30094

 

===  original content below ====

This was first reported by some chinese users in the community of Ripplefox. They found that their IOUs was stolen by unknown party (through some mechanism similar to rippling) without their consent. After some discussion with @liangran2012 (owner of Ripplefox), we had come to a conclusion that those attacks were performed by exploiting a bug in RCL transaction processing algorithm, and we both manage to reproduce similar hacks.

According to our observation, thousands of accounts on RCL had become potential target of the attackers.

 We had just report the problem toRL, and hope they can solve the issue ASAP.

 

while waiting for the fix, here's what we can do:

 

1. Check your account for any incoming Trustline.

If there's one from unknown party, and it's holding your IOU (negative balance from your perspective), then your account is at risk.

You should freeze the trustline immediately, or stop using this account for receiving any incoming fund (IOUs in same currency).

 

2.  Do NOT set non-zero Trust-limit to any bad gateways (e.g. Payroutes, RippleSingapore, SnapSwap, etc.)

If you are also holding some IOUs (same currency) issued by other good gateways.

the NO_RIPPLE flags cannot protect your account from this new attack method.

 

 

The good news is,

if you see no incoming trustlines on your account,

nor had you ever connected to any defaulted-gateway,

then your account should be pretty safe for the moment.

 

 

However, there's one more stuff to take cautioun:

3. Beware of exchange rate whenever you try to perform cross-currency payment from any wallet client,
(including "Exchange" tool in old Ripple-Desktop-Client/Admin-console, which is just a cross-currency-payment to yourself).

Always double check the rate before continue. Do NOT try to execute any payment/exchange that's show some insane figure.

For example, DON"T proceed if you saw a payment option like this:

demo.png.942e6bc6788ae3c89f4c6fcf14ba38ee.png

 

 

 

 

 

Edited by ripplerm

Share this post


Link to post
Share on other sites

Should I delete any of these Trustlines?

Gatehub Fifth

BTC - Gatehub

rh7WFDNxbZ7zfpvpUh5kjrfpGPkDodZFvr

Mr.Ripple

Ripple Exchange Tokyo

Gatehub

Bitstamp USD

Gatehub

The Rock Trading

Ripula

I added them manually, and I own IOUs!

Share this post


Link to post
Share on other sites
47 minutes ago, ripplerm said:

2.  Do NOT set non-zero Trust-limit to any bad gateways (e.g. Payroutes, RippleSingapore, SnapSwap, etc.)

1

So, how can one set zero trust-limit in GateHub wallet?

 

Share this post


Link to post
Share on other sites
10 minutes ago, papa said:

Why is this topic posted as a WARNING in the title instead of in the form of a question if the OP cannot be verified prior to posting? 

 

Because it's a big warning, it's just a security issue...

According to ripplerm someone found a vulnerability in the protocol to exploit a rippling-like feature.

ripplerm is a serious guy, so it's not a fake.

Share this post


Link to post
Share on other sites

@DanielW if you trust all these gateways, and feel okay should any rippling happen, nothing you need to do.

else, just set the trustlimit to zero. (you don't need to delete the trustline) You can still hold, buy & sell the IOUs with a zero- trust-limit.

@T8493, sorry I had no idea how to use Gatehub wallet.

Share this post


Link to post
Share on other sites
Quote

 We had just report the problem toRL, and hope they can solve the issue ASAP.

They already submitted a security report.

ripplerm came here to warn users and for giving a workaround!

Share this post


Link to post
Share on other sites
47 minutes ago, DanielW said:

Should I delete any of these Trustlines?

Gatehub Fifth

BTC - Gatehub

rh7WFDNxbZ7zfpvpUh5kjrfpGPkDodZFvr

Mr.Ripple

Ripple Exchange Tokyo

Gatehub

Bitstamp USD

Gatehub

The Rock Trading

Ripula

I added them manually, and I own IOUs!

In my opinion you should put a 0 limit to :

rh7WFDNxbZ7zfpvpUh5kjrfpGPkDodZFvr

Mr.Ripple

Ripple Tokyo

The Rock Trading

Ripula

 

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...