Ripple CTO David Schwartz recently shed light on the 25 billion XRP transaction attempt, which sought to exploit Bitfinex by leveraging the XRP Ledger (XRPL) partial payments feature.
The Crypto Basic disclosed yesterday that Whale Alert, a leader in whale tracking services, erroneously sent out an alert for a 25 billion XRP transaction, giving a false impression that the transaction was successful.
As expected, the disclosure drew attention, given that the transaction purportedly moved nearly half of XRP’s total circulating supply. This would have marked the single largest XRP transaction in history.
However, it was later discovered that the transaction was unsuccessful and that the whale-tracking resource had encountered an error while reading the XRPL data. In addition, Bitfinex CTO Paolo Ardoino noted that the transaction was an exploit attempt on Bitfinex.
Notably, the attackers leveraged the XRPL’s partial payment feature, which allows a sender to specify a particular amount in the “Amount” field but send a much smaller amount.
The exploit failed because Bitfinex handles partial payments correctly by focusing on “Delivered Amount,” not “Amount.”
Ripple CTO Clears the Air
Nonetheless, in a report from crypto-focused media outlet CoinDesk, the headline suggested that 25 billion XRP did, in fact, “move.” David Schwartz commented on this, emphasizing that it is misleading to state that “billions of XRP” moved.
The “billions of XRP moved” statement is misleading, the actual amount transferred was worth just a few cents. Kudos to @Bitfinex and @paoloardoino for effectively neutralizing an exploit attempt.
What happened here isn’t a flaw or vulnerability with the XRP Ledger. The Partial… https://t.co/qucpX7yJ7B
— David “JoelKatz” Schwartz (@JoelKatz) January 16, 2024
According to Schwartz, the actual amount that the transaction moved was valued in cents, not billions. He commended Bitfinex and Ardoino for foiling the hack attempt but confirmed that the situation was not due to an XRPL vulnerability or flaw.
Schwartz emphasized that the Partial Payment flag is a secure feature on the XRPL, not a bug. Notably, the feature is useful when a sender wishes to return any unwanted payments made to his address without incurring any cost to himself.
However, some malicious actors might seek to take advantage of the feature and exploit an institution’s faulty configuration in terms of handling partial payments.
The Ripple CTO stressed that the attack on Bitfinex was unsuccessful because the exchange handles partial payments correctly.
“Today’s thwart is a strong reminder to all institutions and applications – the importance of proper configuration and integration cannot be understated,” David Schwartz added, sharing a link to the partial payments document for further education.
How Does the Partial Payments Exploit Work?
For the uninitiated, attackers deploy the Partial Payments exploit by specifying a large amount in the “Amount” field of a transaction to an institution.
However, they send a much smaller amount. While the transaction is successful and shows large funds in “Amount,” it actually delivers a fraction of the specified amount.
If the institution’s system focuses on the “Amount” and ignores the “Delivered Amount” field or the partial payments flag, the firm could credit the attacker with the full funds shown in the “Amount” field, not knowing that what was delivered was in fact much smaller.
The XRPL document also cautions that malicious actors can take advantage of the feature to defraud merchants. They do this by sending a much smaller amount than what is specified in the “Amount” field.
If the merchant focuses on this amount, ignorant of the Partial Payments flag, he could release the goods or carry out the services for the payment, not knowing that the actual amount delivered to the receiving address is much smaller.