Editors Note: As some readers have pointed out, there are differing opinions on just how significant this vulnerability is, or how many exchanges it affects. You can read Andreas Brekken's (Of Justcoin) inital post here, a Ripple thread detailing some questions about the inital post, and Justcoin's response can be found in this GlobalCryptoNews article here.
On October 11, a Justcoin digital currency exchange user posted XRPtalk that they had received an email from the Justcoin team alerting them of a hack due to the vulnerability of its tfPartialPayment feature. On October 8, an unknown 3rd party had exploited the systemic flaw in the way Ripple and Stellar handled transactions gaining them access to the platform’s hot wallet-stored funds.
“Dear Justcoin user,
You are receiving this email because you have a balance of XRP at Justcoin. XRP deposits, withdrawals and trading have been disabled for the last three days. This is an explanation of what has happened and what the status is.
A network-wide weakness in how both Ripple and Stellar communicated transactions was exploited by an unknown third-party to to deposit false IOUs through Ripple/Stellar to Justcoin. These were consequently withdrawn to their own payment networks as native currencies. The result was that our hotwallets were emptied. Most of our customers' funds is in cold storage but the amounts were still significant. Justcoin will not operate as a fractional reserve and therefore we decided to lock down all services affected until we had a solution ready.”
The full length letter can be found here.
The experts, the real thought leaders like Gavin Anderson, have been warning Bitcoin users that Bitcoin is still a “work in progress” and as such is subject to failures. We have seen more than a few in the last 18 or so months as the price volatility reflected these growing pains.
When Mt Gox went down, the effect was seen across the Bitcoin ecosystem and since then the same thing has happened several times. But while Bitcoin is still new and subject to slip ups, in many cases those mistakes are not the fault of the system as much as it is human error or negligence. Now the news is that Ripple and Stellar have also been hacked as well and it looks like this one can be traced to the latter.
There is still a great deal of confusion in the community as to exactly what has happened at Ripple Labs and at Stellar, which was designed by the same person, Jed McCaleb and consequently may have the same potentially fatal flaws. Interestingly enough, McCaleb was also the original founder of Mt Gox. These problems can range from a centralized authority holding a large chunk of initial funds to questionable management decisions by administrators. But the newest problem seems to have been one of a technical nature, albeit one that should have been fixed months ago.
The current problem appears to have come from the tfPartialPayment function unique to the Ripple paradigm. Both Stellar and Ripple require a “special trust” in certain nodes that leave those nodes vulnerable to attack. The problem was noticed by users on the Justcoin exchange on October 8, 2014 when one of the team members noticed a large, and unusual, digital transaction. Once Justcoin noticed the transaction, they immediately shut down the entire site to protect the assets and immediately informed both Stellar and Ripple Labs of the potential problem.
The event is relatively easy to explain. Ripple has many features for their users but they also have many others that have not been implemented and a few that are not even known to many outside developers, which could be why Ripple Labs did not notice this particularly strange transaction.
The transaction was for 1,000 BTC but if anyone checked the Meta - it showed that only 0.001 BTC had actually been sent. Upon tracking back, it appeared that the sender did not even have 1,000 BTC to send to anyone so basically it appeared as if the hacker was trying to fool someone into thinking that they had actually sent the thousand Bitcoins when they actually only sent a tiny amount. The problem arose, however, when transaction actually went through. So far Ripple has said it fixed the bug on October 9 on RippleTrade and Stellar also appears to have fixed the bug but Ripple.com/graph does not appear to have been fixed as yet.
One disturbing point is that gateway, Ripple Labs official gateway, was fixed more than two months ago and it would seem reasonable that Ripple would have spotted the potential problem and sounded warnings to its community. It was also reported that Ripple seems to have been aware of the problem as early as July 21 and so far several exchanges have also been attacked in the same manner.
Stellar is reporting that their nodes have been patched and tfPartialPayment has been permanently removed and RippleTrade is also reporting that it has been patched along with several of its exchanges as well.
Remembering the advice of Gavin Anderson, users should understand that even with the most competent developers, the software being used is still in BETA and must be constantly tested. It is somewhat comforting to know that while Ripple seems to have dropped the ball in as early as July the team at Justcoin was able to catch the hack before it did any significant damage.
Did you enjoy this article? You may also be interested in reading these ones: