Bitfinex, Binance thwart massive XRP heist
Tether’s sister crypto exchange, Bitfinex, faced an attempted exploit leveraging a feature of the XRP Ledger network. CEO Paolo Ardoino confirmed on X that the exchange successfully thwarted this attempt.
The incident involved an apparent transaction of nearly $15 billion worth of XRP, which is close to half of the token’s $31 billion market capitalization. However, the actual transfer was only a few cents worth of XRP and failed due to insufficient liquidity in the sender’s account.
In addition to Bitfinex, the attacker also attempted a similar exploit on Binance with a transfer of 58.9 billion XRP, which also failed.
The attempted exploit, known as a “partial payments exploit,” was initially detected when the blockchain tracking account Whale Alert reported a transaction of 25.6 billion XRP from an unknown wallet to Bitfinex. The aim of the exploit was to deceive Bitfinex into recognizing the transfer as legitimate, paving the way for a hacking attempt.
Ardoino explained that Bitfinex’s systems identified the transfers as a “partial payment,” a feature of the XRP Ledger that allows a payment to be successful by reducing the received amount. He added that the attack did not succeed because Bitfinex properly processes the ‘delivered_amount’ data field.
Partial payments are designed to facilitate the return of payments without additional costs. However, they are recognized as a potential attack vector. XRP Ledger transactional documents warn that if a financial institution’s integration with the XRP Ledger does not account for the possibility of partial payments, malicious actors might exploit this to siphon funds.
The exploit hinges on the assumption that the targeted company’s system might only read the amount field of an XRP transaction, which is set to a high amount, while the exploiter sends a much lower amount indicated in another transaction field, aiming to be credited for the higher amount.
Whale Alert later retracted its initial post, stating that there was an issue with reading the Ripple node response correctly, leading to some incorrect posts.
Bitfinex was hacked in 2016 to the tune of 119,756 BTC, which was worth $72 million at the time of the hack but is now equivalent to more than $5 billion given the inflation in BTC prices.
In terms of how the hack happened and the identity of hackers themselves, it’s still pretty vague despite indicting two Israeli brothers as partially responsible for the attack. All we know is that Bitfinex’s multi-signature accounts were somehow compromised, and the exchange distributed losses amongst all users to the tune of 36% of their balances.