Another crypto exchange has fallen foul of an exploit that takes advantage of a feature of the XRP blockchain. This type of attack has now been successfully carried out at least 149 times on around 60 exchanges, including HitBTC and Bitpanda.
Beaxy, which launched in June 2019, went down for unexpected maintenance (always a bad sign) yesterday after noting suspicious trading activity. That suspicious activity appeared to be several large trades of XRP, which caused its price to drop 40 percent in its trading pair with bitcoin. By the time the dust had settled, XRP was worth just 0.00001 bitcoin.
The exploit was made possible because Beaxy, like many other exchanges, was checking the wrong parameter when confirming how much a deposit had actually paid. XRP is unique in that it can show transactions that have been paid in part, unlike other blockchains where you either have a transaction or you don't. This means there are two different "amount received" parameters—and Beaxy was using the wrong one. When exchanges set their systems up for XRP, they have to make sure they select the right one.
As a result, the hackers made a transaction for a large amount of XRP but only had to pay a tiny fraction of that amount. Since the exchange automatically registers the partial payment as though it was completed, it credits the hackers’ account with however much they claimed to deposit.
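The deposit check described above, as an added example that is not code from Beaxy or any exchange. It assumes the two parameters are the XRP Ledger's `Amount` field and the `delivered_amount` value in the transaction metadata, and that the input is shaped like a rippled `tx` result; the addresses and amounts are constructed.

```python
from decimal import Decimal

TF_PARTIAL_PAYMENT = 0x00020000      # Payment flag tfPartialPayment
DROPS_PER_XRP = Decimal(1_000_000)   # XRP amounts are strings of drops
EXCHANGE_ADDR = "rEXCHANGE_DEPOSIT_PLACEHOLDER"  # constructed placeholder

# Constructed sample: the sender names 100,000 XRP in Amount, but the
# ledger metadata shows only 0.001 XRP was delivered.
SAMPLE_TX = {
    "TransactionType": "Payment",
    "Account": "rSENDER_PLACEHOLDER",
    "Destination": EXCHANGE_ADDR,
    "Amount": "100000000000",
    "Flags": TF_PARTIAL_PAYMENT,
    "validated": True,
    "meta": {"TransactionResult": "tesSUCCESS", "delivered_amount": "1000"},
}

def is_partial_payment(tx):
    """True when the sender allowed delivery of less than Amount."""
    return bool(tx.get("Flags", 0) & TF_PARTIAL_PAYMENT)

def credit_naive(tx):
    """Flawed: trusts Amount, only an upper bound for partial payments."""
    return Decimal(tx["Amount"]) / DROPS_PER_XRP

def credit_safe(tx, our_address=EXCHANGE_ADDR):
    """Credit only what the validated ledger reports as delivered."""
    meta = tx.get("meta", {})
    if tx.get("TransactionType") != "Payment" or tx.get("Destination") != our_address:
        return Decimal(0)
    if tx.get("validated") is not True or meta.get("TransactionResult") != "tesSUCCESS":
        return Decimal(0)
    delivered = meta.get("delivered_amount")
    # A dict is an issued currency, not XRP; "unavailable" or None means
    # the amount is unknown. Neither may be credited as XRP.
    if not isinstance(delivered, str) or not delivered.isdigit():
        return Decimal(0)
    return Decimal(delivered) / DROPS_PER_XRP

if __name__ == "__main__":
    print("partial payment flag:", is_partial_payment(SAMPLE_TX))
    print("naive credit (XRP):", credit_naive(SAMPLE_TX))
    print("safe credit (XRP): ", credit_safe(SAMPLE_TX))
```

Logging every deposit where `is_partial_payment` is true and the two credit values differ gives the security team a signal for attempted abuse.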
In this case, the hackers most likely sold a chunk of the funds for bitcoin, to potentially acquire XRP on the cheap on another of their accounts. The good news is the exchange plans to roll back a number of trades made during that time.
While the exchange did not reveal how much money had been stolen, it remained confident that it would be able to get its money back. It will do so by using the hackers’ know-your-customer information and pressing charges against them. That is, as long as they were foolish enough to use their actual identities. One can only hope.
This article has been updated to reflect that the exploit did not successfully steal funds from Changelly; they were caught by its security team.