In Failed Bitfinex Exploit Attempt, Billions in XRP Moved

A feature of the XRP Ledger network was used in an unsuccessful exploit attempt on prominent crypto exchange Bitfinex, chief technology officer Paolo Ardoino confirmed in an X post on Monday.

Nearly $15 billion worth of XRP were flagged by on-chain service WhaleAlerts to be moved in an apparent transaction early Monday – amounting to nearly half of the token’s $31 billion market capitalization.

But the actual transfer was just for a few cents worth of XRP, and failed as the sender “did not have enough liquidity,” blockchain data from the transaction shows.

The motive was to seemingly trick Bitfinex into taking the transfer as real, which could have possibly opened the door to a hack. However, Bitfinex’s systems flagged the transfers as a “partial payment,” an XRP Ledger feature that allows a payment to succeed by reducing the amount received.

“Someone attempted to attack @bitfinex via “Partial Payments Exploit”, Ardoino said on X. “Attack failed since Bitfinex properly handles 'delivered_amount’ data field.”

Partial payments are useful for returning payments without incurring additional costs to oneself. These are a known attack vector, XRP Ledger transactional documents show.

“If a financial institution’s integration with the XRP Ledger assumes that the Amount field of a Payment is always the full amount delivered, malicious actors may be able to exploit that assumption to steal money from the institution,” the documents state.

“The malicious actor withdraws as much of the balance as possible to another system before the vulnerable institution notices the discrepancy.”

Security risks remain a huge concern in the broader cryptocurrency market. In 2023, users lost nearly $2 billion to scams, rug pulls and hacks.