codiusrex

Failure to install software correctly leads to XRP debacle @ Beaxy Exchange

Recommended Posts

I hope this is explored by someone with more knowledge than myself or the majority of folks. If it was a user error then that can be corrected. If it is a software glitch then it is better now than when the system is up and running at full commercial scale, so that the exploit can be corrected. Either way it sheds light on an issue that is either one of user friendliness and/or a technical one.

For those (myself included) that didn't know what a 'partial payment exploit' was until now:

https://xrpl.org/partial-payments.html#partial-payments-exploit

From what I'm gathering, the exchange was receiving payments, marked as partial, with the delivered amount substantially less than the full amount. Beaxy didn't catch this when completing an order, but somehow their pricing mechanism did, causing the price to plunge?

Posted (edited)

This has been known for a very long time and there are so many warnings on xrpl.org about this. If you still get exploited like this it's because you really are lazy and incompetent. Pure laziness, just take 30 minutes of your time to read the goddamn exploit. You can read the entire article and figure out what to do (and certainly what NOT to do) in literally less than 20-30 minutes.

Using the delivered_amount field when processing incoming transactions is enough to avoid this exploit. Still, additional proactive business practices can also avoid or mitigate the likelihood of this and similar exploits. For example:

  • Add additional sanity checks to your business logic for processing withdrawals. Never process a withdrawal if the total balance you hold in the XRP Ledger does not match your expected assets and obligations.
  • Follow "Know Your Customer" guidelines and strictly verify your customers' identities. You may be able to recognize and block malicious users in advance, or pursue legal action against a malicious actor who exploits your system.
  • https://xrpl.org/list-xrp-as-an-exchange.html#partial-payments THERE'S A BIG FAT WARNING SIGN ON THIS SITE (LITERALLY) STATING THE FOLLOWING:
    • Before integrating, exchanges should be aware of the partial payments feature. This feature allows XRP Ledger users to send successful payments that reduce the amount received instead of increasing the SendMax. This feature can be useful for returning payments without incurring additional cost as the sender.

    • When the tfPartialPayment flag is enabled, the Amount field is not guaranteed to be the amount received. The delivered_amount field of a payment's metadata indicates the amount of currency actually received by the destination account. When receiving a payment, use delivered_amount instead of the Amount field to determine how much your account received instead.

    • Warning: Be aware that malicious actors could exploit this. For more information, see Partial Payments.

Finally, someone send them this too (in case they want to become a gateway :-))))))) https://xrpl.org/become-an-xrp-ledger-gateway.html#precautions. Processing payments to and from the XRP Ledger naturally comes with some risks. We recommend the following precautions:

  • Follow the guidelines for reliable transaction submission when sending XRP Ledger transactions.
  • Robustly monitor for incoming payments, and read the correct amount. Don't mistakenly credit someone the full amount if they only sent a partial payment.
  • Track your obligations and balances within the XRP Ledger, and compare with the assets in your collateral account. If they do not match up, stop processing withdrawals and deposits until you resolve the discrepancy.
  • Enable the RequireDest flag for the issuing address and all operational addresses, so customers do not accidentally send a payment without the destination tag to indicate who should be credited.

Another popular thing for the exchanges to complain about are the destination tags. Sorry, destination tag not mentioned, your money is gone, nothing we can do about it. Yeah, except maybe these steps:

Edited by crypto_deus
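To make the two points in the post above concrete (credit only `delivered_amount`, never `Amount`; refuse deposits without a destination tag; stop withdrawals when on-ledger holdings don't cover customer balances), here is an added example in Python. It is not Beaxy's code, nor xrpl.org's; it assumes the transaction records have the shape returned by the `account_tx`/`tx` API (a `tx` object plus a `meta` object carrying `TransactionResult` and `delivered_amount`). All sample records, hashes and addresses below are constructed placeholders.

```python
"""Safe crediting of incoming XRP Ledger payments (added example, not the
exchange's or xrpl.org's code). Sample records and addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Real XRPL Payment flag: the sender allows delivering less than `Amount`.
TF_PARTIAL_PAYMENT = 0x00020000

OUR_ADDRESS = "rEXCHANGEplaceholderAddress"  # placeholder hot-wallet address


class RejectPayment(Exception):
    """Raised for any incoming record that must not be credited automatically."""


@dataclass(frozen=True)
class Credit:
    destination_tag: int
    drops: int


def xrp_drops(amount) -> Optional[int]:
    """XRP amounts are strings of drops; issued currencies are objects.
    Returns None for anything that is not a plain XRP drop count."""
    if isinstance(amount, str) and amount.isdigit():
        return int(amount)
    return None


def credit_from_record(record: dict, our_address: str = OUR_ADDRESS) -> Credit:
    """Decide how many drops to credit for one account_tx/tx-style record.
    The only source of truth is meta.delivered_amount; tx.Amount is what the
    sender asked for and is meaningless when tfPartialPayment is set."""
    tx, meta = record.get("tx", {}), record.get("meta", {})
    if record.get("validated") is not True:
        raise RejectPayment("transaction not in a validated ledger")
    if meta.get("TransactionResult") != "tesSUCCESS":
        raise RejectPayment(f"result {meta.get('TransactionResult')!r} is not tesSUCCESS")
    if tx.get("TransactionType") != "Payment" or tx.get("Destination") != our_address:
        raise RejectPayment("not a Payment to our address")
    if "DestinationTag" not in tx:
        # RequireDest on the address blocks this on-ledger; this is defence in depth.
        raise RejectPayment("no DestinationTag: cannot attribute funds to a customer")
    delivered = meta.get("delivered_amount")
    if delivered is None or delivered == "unavailable":
        # Absent/"unavailable" only for very old ledgers; never fall back to Amount.
        raise RejectPayment("delivered_amount unavailable; manual review required")
    drops = xrp_drops(delivered)
    if drops is None:
        raise RejectPayment("delivered an issued currency, not XRP")
    return Credit(int(tx["DestinationTag"]), drops)


def naive_credit(record: dict) -> int:
    """The mistake the thread describes: trusting tx.Amount."""
    return int(record["tx"]["Amount"])


def is_partial(record: dict) -> bool:
    return bool(int(record["tx"].get("Flags", 0)) & TF_PARTIAL_PAYMENT)


def credit_batch(records: List[dict]) -> Tuple[Dict[int, int], List[str]]:
    """Sum credits per destination tag; collect reasons for rejected records."""
    ledger: Dict[int, int] = {}
    rejected: List[str] = []
    for rec in records:
        try:
            c = credit_from_record(rec)
        except RejectPayment as exc:
            rejected.append(f"{rec.get('tx', {}).get('hash', '?')}: {exc}")
            continue
        ledger[c.destination_tag] = ledger.get(c.destination_tag, 0) + c.drops
    return ledger, rejected


def withdrawals_permitted(ledger_drops: int, liabilities_drops: int) -> bool:
    """Sanity check before any withdrawal: on-ledger holdings must cover what we owe."""
    return ledger_drops >= liabilities_drops


# --- constructed sample records (shape follows account_tx output; values invented) ---
def _record(tx_hash, amount, delivered, flags=0, tag=4711, send_max=None):
    tx = {"TransactionType": "Payment", "Account": "rSENDERplaceholder",
          "Destination": OUR_ADDRESS, "Amount": amount, "Flags": flags, "hash": tx_hash}
    if tag is not None:
        tx["DestinationTag"] = tag
    if send_max is not None:
        tx["SendMax"] = send_max
    return {"validated": True, "tx": tx,
            "meta": {"TransactionResult": "tesSUCCESS", "delivered_amount": delivered}}


# Partial payment: Amount says 1,000,000 XRP, only 0.001 XRP (1000 drops) arrived.
PARTIAL = _record("PARTIAL-HASH-PLACEHOLDER", "1000000000000", "1000",
                  flags=TF_PARTIAL_PAYMENT,
                  send_max={"currency": "USD", "issuer": "rISSUERplaceholder", "value": "1"})
FULL = _record("FULL-HASH-PLACEHOLDER", "25000000", "25000000")
NO_TAG = _record("NOTAG-HASH-PLACEHOLDER", "5000000", "5000000", tag=None)

if __name__ == "__main__":
    credits, rejected = credit_batch([PARTIAL, FULL, NO_TAG])
    print("credited drops per tag:", credits)
    print("naive credit for the partial payment:", naive_credit(PARTIAL), "drops")
    print("rejected:", rejected)
```

Run as a script it credits 25,001,000 drops to tag 4711 (the real 1000 drops of the partial payment plus the 25 XRP full payment), whereas `naive_credit` would have booked 1,000,000 XRP for the same partial record; the untagged deposit is listed for manual review rather than silently dropped or misattributed.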
