Share this article
Tech
In Failed Bitfinex Exploit Attempt, Billions in XRP Moved
The failed token transfers spooked some market watchers as they amounted to nearly half of XRP’s $30 billion market capitalization.
Updated Mar 8, 2024, 7:57 p.m. Published Jan 15, 2024, 6:48 a.m.
A feature of the XRP Ledger network was used in an unsuccessful exploit attempt on prominent crypto exchange Bitfinex, chief technology officer Paolo Ardoino confirmed in an X post on Monday.
Nearly $15 billion worth of XRP were flagged by on-chain service WhaleAlerts to be moved in an apparent transaction early Monday – amounting to nearly half of the token’s $31 billion market capitalization.
But the actual transfer was just for a few cents worth of XRP, and failed as the sender “did not have enough liquidity,” blockchain data from the transaction shows.
This tweet is misleading. The transaction in question did not transfer 25B XRP.
— 𝙽 𝙸 𝙺 𝙱 (@nbougalis) January 14, 2024
The @whale_alert code is misunderstanding what this transaction did and, as a result, it is misreporting.
It’s a partial payment, and in reality moved just a few cents. See https://t.co/co4sMIIesO
The motive was to seemingly trick Bitfinex into taking the transfer as real, which could have possibly opened the door to a hack. However, Bitfinex’s systems flagged the transfers as a “partial payment,” an XRP Ledger feature that allows a payment to succeed by reducing the amount received.
“Someone attempted to attack @bitfinex via “Partial Payments Exploit”, Ardoino said on X. “Attack failed since Bitfinex properly handles 'delivered_amount’ data field.”
Partial payments are useful for returning payments without incurring additional costs to oneself. These are a known attack vector, XRP Ledger transactional documents show.
“If a financial institution’s integration with the XRP Ledger assumes that the Amount field of a Payment is always the full amount delivered, malicious actors may be able to exploit that assumption to steal money from the institution,” the documents state.
“The malicious actor withdraws as much of the balance as possible to another system before the vulnerable institution notices the discrepancy.”
Security risks remain a huge concern in the broader cryptocurrency market. In 2023, users lost nearly $2 billion to scams, rug pulls and hacks.
Shaurya Malwa
Shaurya is the Co-Leader of the CoinDesk tokens and data team in Asia with a focus on crypto derivatives, DeFi, market microstructure, and protocol analysis. Shaurya holds over $1,000 in BTC, ETH, SOL, AVAX, SUSHI, CRV, NEAR, YFI, YFII, SHIB, DOGE, USDT, USDC, BNB, MANA, MLN, LINK, XMR, ALGO, VET, CAKE, AAVE, COMP, ROOK, TRX, SNX, RUNE, FTM, ZIL, KSM, ENJ, CKB, JOE, GHST, PERP, BTRFLY, OHM, BANANA, ROME, BURGER, SPIRIT, and ORCA. He provides over $1,000 to liquidity pools on Compound, Curve, SushiSwap, PancakeSwap, BurgerSwap, Orca, AnySwap, SpiritSwap, Rook Protocol, Yearn Finance, Synthetix, Harvest, Redacted Cartel, OlympusDAO, Rome, Trader Joe, and SUN.
