$150 000 USD

OCTOBER 2014

NORWAY

JUSTCOIN

DESCRIPTION OF EVENTS

"Justcoin was founded in May 2013 by Andreas Brekken and Klaus Bugge Lund in Oslo, Norway." "Users can deposit using bank wire (EUR, USD, NOK) and trade in BTC/EUR, BTC/USD, BTC/NOK, BTC/LTC, BTC/XRP. Justcoin is also a Ripple gateway. Currently the platform sports more than 60,000 users from the whole world and supports trading of the following (digital) currencies: NOK, EUR, BTC, LTC, XRP and STR." "Funds are deposited and withdrawn through domestic bank transfers for NOK and through SEPA and wire for EUR and USD." "20,000 registered users as of March 2014."

 

"You are receiving this email because you have a balance of XRP at Justcoin. XRP deposits, withdrawals and trading have been disabled for the last three days. This is an explanation of what has happened and what the status is."

 

"A network-wide weakness in how both Ripple and Stellar communicated transactions was exploited by an unknown third-party to deposit false IOUs through Ripple/Stellar to Justcoin. These were consequently withdrawn to their own payment networks as native currencies. The result was that our hotwallets were emptied. Most of our customers' funds are in cold storage but the amounts were still significant. Justcoin will not operate as a fractional reserve and therefore we decided to lock down all services affected until we had a solution ready."

 

"The current problem appears to have come from the tfPartialPayment function unique to the Ripple paradigm. Both Stellar and Ripple require a “special trust” in certain nodes that leave those nodes vulnerable to attack." "When the tfPartialPayment flag is enabled, the Amount field is not guaranteed to be the amount received. In fact, there is no minimum guaranteed amount that a partial payment actually delivers." "The problem was noticed by users on the Justcoin exchange on October 8, 2014 when one of the team members noticed a large, and unusual, digital transaction. Once Justcoin noticed the transaction, they immediately shut down the entire site to protect the assets and immediately informed both Stellar and Ripple Labs of the potential problem." "Total value is ~150k USD in XRP and STR. Stolen assets are 100% trackable with limited exit points, mostly still in 1 account?"

 

"The event is relatively easy to explain. Ripple has many features for their users but they also have many others that have not been implemented and a few that are not even known to many outside developers, which could be why Ripple Labs did not notice this particularly strange transaction." "Perhaps this is why Ripple/Stellar developers and users did not notice a special transaction flag called tfPartialPayment. It’s poorly documented and not used by any wallet software. It’s like receiving a 100 USD bill with a little note in the corner that says “Actually just worth 1 USD”."

 

"The transaction was for 1,000 BTC but if anyone checked the Meta - it showed that only 0.001 BTC had actually been sent. Upon tracking back, it appeared that the sender did not even have 1,000 BTC to send to anyone so basically it appeared as if the hacker was trying to fool someone into thinking that they had actually sent the thousand Bitcoins when they actually only sent a tiny amount. The problem arose, however, when the transaction actually went through. So far Ripple has said it fixed the bug on October 9 on RippleTrade and Stellar also appears to have fixed the bug but Ripple.com/graph does not appear to have been fixed as yet."

 

"Justcoin cannot and will not accept taking the responsibility for this weakness in the network. It is caused by a feature that is poorly documented and has been present in both Ripple and Stellar for a long time. Other gateways, exchanges and native transaction explorers have also been affected. It is also documented that the security vulnerability has been known by the network developers for at least 2 months without any kind of explicit and direct warning to affected gateways and other services."

 

"The result is that as of now a partial 'hold' will be imposed on all XRP balances. This hold represents the amount of XRP that is missing. Deposits will be disabled until we are 100% confident that we are no longer affected by this weakness or any other yet undiscovered. Deposits that have been made between the shutdown and now will be credited in full once deposits are opened. Trading and withdrawal of the XRP that is not on hold is now enabled. Please allow delays on withdrawals due to moving of funds from cold storage to hot wallet. The percentage of each XRP balance that is on partial hold is 23.27%."

 

"We can assure you that it is our intention that the partial holds will be lifted. We are looking at different options and are having a dialogue with Ripple Labs and Stellar foundation. We will try to figure out a way to solve this, one way or another. Expect regular updates."

 

"Stellar is reporting that their nodes have been patched and tfPartialPayment has been permanently removed and RippleTrade is also reporting that it has been patched along with several of its exchanges as well."

 

"This week, we learned of an issue related to a payment setting feature known as “partial payments” that existed in the legacy code base of the Stellar protocol. As it exists in the Ripple code base, partial payments allow a user to send a small part of a payment rather than the entire payment. For example, the sender could tell the anchor that s/he was sending 10 BTC while actually only sending .0001 BTC. This feature is rarely, if ever, used in practice. Normally, an anchor must check the “Amount” field to determine how much they received as it is the only field returned. However, in the case of a partial payment transaction, the “DeliveredAmount” field appears and the anchor must check the “DeliveredAmount” field instead. If an anchor or other entity is unaware of this setting, it could result in loss of funds."

 

"On Oct 8, we informed all known anchors of this issue then updated the Stellar code base to remove this feature, as it added unnecessary complexity for little value on a protocol level. This particular issue no longer exists on the Stellar network."
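The Amount/DeliveredAmount distinction described in the Stellar statement above is the whole bug: a gateway that credits `Amount` on a transaction carrying the tfPartialPayment flag credits money that never arrived. The following is an added example, not Justcoin's, Ripple Labs' or Stellar's code. It takes the flag value tfPartialPayment = 0x00020000 and the `DeliveredAmount` / `delivered_amount` metadata fields from the Ripple protocol; the gateway address, issuer address and the two sample transactions are constructed placeholders, and the "unavailable" handling mirrors rippled's behaviour for old ledgers.

```python
"""Crediting a Ripple-style deposit safely when tfPartialPayment may be set.

Added example (not Justcoin's, Ripple Labs' or Stellar's code).  Flag value and
meta field names come from the Ripple protocol; addresses and sample
transactions below are constructed for illustration.
"""
from decimal import Decimal

TF_PARTIAL_PAYMENT = 0x00020000          # Payment flag from the Ripple protocol
DROPS_PER_XRP = Decimal(1_000_000)

GATEWAY_ADDRESS = "rGATEWAYexampleADDRESS"   # constructed placeholder
BTC_ISSUER = "rISSUERexampleADDRESS"         # constructed placeholder


def parse_amount(amount):
    """Normalise an amount field to (value, currency, issuer).

    XRP travels as a string of drops; issued currencies (IOUs) as an object.
    """
    if isinstance(amount, str):
        return Decimal(amount) / DROPS_PER_XRP, "XRP", None
    return Decimal(amount["value"]), amount["currency"], amount["issuer"]


def naive_credit(tx, meta):
    """What an affected gateway did: trust the Amount field alone."""
    return parse_amount(tx["Amount"])


def safe_credit(tx, meta):
    """Amount to credit, or raise ValueError if the deposit must not be credited."""
    if tx.get("TransactionType") != "Payment":
        raise ValueError("not a Payment transaction")
    if meta.get("TransactionResult") != "tesSUCCESS":
        raise ValueError("transaction was not applied successfully")
    if tx.get("Destination") != GATEWAY_ADDRESS:
        raise ValueError("payment is not addressed to this gateway")

    if tx.get("Flags", 0) & TF_PARTIAL_PAYMENT:
        # For partial payments Amount is only an upper bound.  rippled reports
        # the real figure as meta.delivered_amount (DeliveredAmount in raw
        # meta); for very old ledgers it may be the string "unavailable".
        delivered = meta.get("delivered_amount", meta.get("DeliveredAmount"))
        if delivered is None or delivered == "unavailable":
            raise ValueError("partial payment without DeliveredAmount: hold for review")
        return parse_amount(delivered)

    return parse_amount(tx["Amount"])


# --- constructed sample transactions --------------------------------------
# A normal 2 BTC IOU deposit.
NORMAL_TX = {
    "TransactionType": "Payment",
    "Account": "rSENDERexampleADDRESS",
    "Destination": GATEWAY_ADDRESS,
    "Amount": {"currency": "BTC", "issuer": BTC_ISSUER, "value": "2"},
    "Flags": 0,
}
NORMAL_META = {"TransactionResult": "tesSUCCESS"}

# The pattern in this case: Amount says 1000 BTC, only 0.001 BTC is delivered.
PARTIAL_TX = {
    "TransactionType": "Payment",
    "Account": "rSENDERexampleADDRESS",
    "Destination": GATEWAY_ADDRESS,
    "Amount": {"currency": "BTC", "issuer": BTC_ISSUER, "value": "1000"},
    "Flags": TF_PARTIAL_PAYMENT,
}
PARTIAL_META = {
    "TransactionResult": "tesSUCCESS",
    "DeliveredAmount": {"currency": "BTC", "issuer": BTC_ISSUER, "value": "0.001"},
}


if __name__ == "__main__":
    for name, tx, meta in [("normal", NORMAL_TX, NORMAL_META),
                           ("partial", PARTIAL_TX, PARTIAL_META)]:
        print(name, "naive:", naive_credit(tx, meta)[0],
              "safe:", safe_credit(tx, meta)[0])
```

Note that `safe_credit` refuses rather than guesses when a partial payment carries no delivered amount: an unattributable deposit is held for manual review, never credited from `Amount`.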

 

"Shortly after this, the Scandinavian bank working with the exchange turned its back on the exchange, announcing they were removing their support, which worsened the situation for the exchange. Following these sad events, the exchange owners decided they were to close the exchange, since it was no longer able to satisfy their customers."

 

"Justcoin’s bank, DNB, Norway’s largest financial institution, stated they were not banning bitcoin companies; however, they were considering it. Justcoin immediately warned the public. They immediately started to inform each customer and the entire shutdown process was carried out in a completely transparent manner. In fact the exchange tried to send an email informing each and every client what was happening while asking customers to withdraw their funds."

 

"ANX has been servicing clients since June, 2013. It was founded by two Australians and a Canadian, and is incorporated in Hong Kong." "ANX is pleased to announce its recent acquisition of Justcoin.com, a leading cryptocurrency exchange platform from Norway. ANX will begin offering crypto-currency exchange services to Justcoin’s existing customers effective November 24. Orders placed on Justcoin will be available on the ANX orderbook as well, increasing liquidity and access to the best prices." "ANX recently undertook a full third party cash and crypto audit."

 

"The [JustCoin] service was halted in early 2017 due to uncertainty related to regulatory requirements issued by the Norwegian government."

 

Explore This Case Further On Our Wiki

The JustCoin platform was founded in May 2013 in Oslo, Norway. In 2014, a feature existed on the Ripple and Stellar networks called "partial payment". This allowed the sender to deliver only part of a payment to the recipient, while the transaction's Amount field still showed the full amount. The feature wasn't documented properly and some platforms, including JustCoin, were vulnerable because they credited customers the full Amount instead of the smaller amount actually delivered. It appears that $150k was stolen from the exchange platform, and it's unclear if any was recovered. The feature has since been disabled on both the Ripple and Stellar networks.

HOW COULD THIS HAVE BEEN PREVENTED?

There are many methods of resolving this. The first is additional review of the platform's security, in particular of how deposits are credited to accounts. A second is security around withdrawals: preventing them if the balances in the wallet fail to match what's expected. The third is a reduction in the size of the hot wallet, which would reduce the amount exposed. And finally, an industry insurance fund could cover any remaining events.
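To make the second and third of these measures concrete, here is an added example (not Justcoin's code) of a withdrawal gate: customer balances are only credited from the amount the ledger confirms as delivered, every payout first checks that total customer liabilities do not exceed verified hot-plus-cold holdings, and the hot wallet is swept down to a cap. All balances, user names and the cap are constructed; the `demo()` walk-through replays the case's 1000-versus-0.001 deposit to show the gate halting payouts after a naive credit and allowing them after a correct one.

```python
"""Withdrawal gate that refuses to pay out while the books do not reconcile.

Added example, not Justcoin's code.  All balances and names are constructed.
"""
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class GatewayBooks:
    hot: Decimal                       # verified on-ledger hot-wallet balance
    cold: Decimal                      # verified cold-storage balance
    hot_cap: Decimal                   # most we are willing to keep in the hot wallet
    balances: dict = field(default_factory=dict)   # customer liabilities
    halted: bool = False

    def liabilities(self) -> Decimal:
        return sum(self.balances.values(), Decimal(0))

    def assets(self) -> Decimal:
        return self.hot + self.cold

    def reconcile(self) -> bool:
        """Halt all withdrawals if we owe more than we verifiably hold."""
        self.halted = self.liabilities() > self.assets()
        return not self.halted

    def credit_deposit(self, user: str, delivered: Decimal) -> None:
        # Only the ledger-confirmed delivered amount ever reaches the books.
        self.balances[user] = self.balances.get(user, Decimal(0)) + delivered
        self.hot += delivered
        self.reconcile()

    def sweep_to_cold(self) -> Decimal:
        """Move anything above the cap out of the hot wallet; return the swept amount."""
        excess = max(self.hot - self.hot_cap, Decimal(0))
        self.hot -= excess
        self.cold += excess
        return excess

    def request_withdrawal(self, user: str, amount: Decimal) -> str:
        if amount <= 0:
            return "rejected: non-positive amount"
        if self.balances.get(user, Decimal(0)) < amount:
            return "rejected: insufficient balance"
        if not self.reconcile():
            return "halted: liabilities exceed verified holdings"
        if self.hot < amount:
            return "deferred: needs transfer from cold storage"
        self.balances[user] -= amount
        self.hot -= amount
        return "approved"


def demo() -> dict:
    """Replay the case against the gate with constructed balances."""
    books = GatewayBooks(hot=Decimal("5"), cold=Decimal("95"), hot_cap=Decimal("2"))
    books.balances = {"alice": Decimal("60"), "bob": Decimal("40")}
    results = {}
    results["before"] = books.request_withdrawal("alice", Decimal("1"))   # approved

    # Crediting the 1000 from the Amount field (nothing delivered) unbalances the
    # books, so the gate halts payouts for everyone, not just the depositor.
    books.balances["mallory"] = Decimal("1000")
    results["naive_credit"] = books.request_withdrawal("mallory", Decimal("1"))

    # Reverse it and credit the delivered 0.001 instead: withdrawals resume.
    del books.balances["mallory"]
    books.credit_deposit("mallory", Decimal("0.001"))
    results["safe_credit"] = books.request_withdrawal("mallory", Decimal("0.001"))

    # Hot wallet is above the cap; sweep the excess to cold storage.
    results["cold_swept"] = books.sweep_to_cold()
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The gate is deliberately global: a single mis-credited deposit makes liabilities exceed holdings, which halts all withdrawals rather than letting the one account drain the hot wallet before anyone notices.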

 

© 2019 - 2026 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.