QI Quadriga Initiative

May 2019 - BitoPro XRP Partial Payment Theft - $2.122m (Taiwan)

"BitoPro is developed by BitoEX team, who started BitoEX in 2014 which provides cryptocurrency solutions such as digital wallet, business application, financial auditing and more."

"BitoEX team is committed to lead digital currency industry, as BitoEX offers customers comprehensive services in excellent quality and unique branding. BitoEX is also expected to provide ease the process of entering digital currency for everyone."

"In 2017, reacting to the increasing market demand, BitoEX team starts to plan and develop cryptocurrency exchange platform - BitoPro." "The BitoEX team launched the International Digital Assets Exchange Platform - BitoPro in early 2018. Now, through the BitoPro App users can check prices in real time of BTC, ETH, LTC, BITO, MITH, TRON etc. Also the app shows market depths, allowing for more precise trading plus the function to deposit your cryptocurrencies. Managing your digital assets has never been so easy." "We are looking forward to satisfy our customer by providing fast and economical trading services."

"BitoPro is decentralized cryptocurrency exchange located in Taiwan. It has trust score 8. More than 138K traders trade on this exchange. It currently has a 24-hour trading volume around ₿444.27 from 16 coins and 26 trading pairs."

"Taiwan exchange BitoPro's XRP suffered an attack that caused a price crash and is thought to have lost about 7m XRPS." False top-up

"[A] user managed to withdraw 7 million ‘real’ XRP tokens from a Taiwan-based crypto exchange called BitoPro."

"Because often the exchange (especially the new ones supporting $XRP) wasn't aware of the existence of "partial payment"! Thus using the wrong parameter "Amount" to record the payment. The CORRECT parameter to use is and should always be "DeliveredAmount" ‼️"

"The said vulnerability allows a user to fake an XRP deposit transaction and then dump the sent “XRP” tokens on the exchange. In this case, the crooked user faked a deposit of 330,000 XRP, but the actual XRP delivered were just 0.003255 XRP. In effect, BitoPro ended up losing 7 million XRP. Bitrue took the step to expose the flaw and let other exchanges and users know about it to save them from further losses."

"According to Bitrue, there have been around 148 such transactions made since March 8. Bitrue also intimated that a user had attempted the same trick on its platform, but the attack was quickly tackled as Bitrue had already instituted measures to prevent it."

Further Analysis

Although unconfirmed by BitoPro, there was an apparent exploit in which the BitoPro exchange accepted a partial payment of XRP, which may then have been withdrawn from the exchange platform.

There doesn't appear to have been any follow-up by BitoPro, so it's possible that the exploit did not result in a successful withdrawal on the exchange platform, or that the exchange thought it best to avoid mentioning publicly what had happened.

How Could This Have Been Prevented?

If there was an exploit that resulted in a withdrawal from the platform, it was the result of a misconfigured wallet on the platform. This type of situation can be avoided through a thorough understanding of the chain being used, and detected through a shortfall between the balance recorded in the database and the balance on the blockchain. It is likely to happen only once to a platform, if not already caught by a decent team.
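The check described in the quotes and the reconciliation described above can be sketched as follows. This is an added example, not code from BitoPro, Bitrue or the original page; it assumes entries shaped like a rippled `account_tx` result (`tx`, `meta`, `validated`), and the address, hashes and sample entries are constructed placeholders using the figures quoted above.

```python
from decimal import Decimal

TF_PARTIAL_PAYMENT = 0x00020000   # XRPL Payment flag tfPartialPayment
DROPS = Decimal(1_000_000)        # drops per XRP
OUR_ADDR = "rEXCHANGE_HOT_WALLET_PLACEHOLDER"  # constructed, not a real account

def naive_xrp(entry):
    """Flawed accounting: trusts Amount, which is only the sender's upper bound."""
    return Decimal(entry["tx"]["Amount"]) / DROPS

def credited_xrp(entry, our_addr=OUR_ADDR):
    """XRP actually delivered to our_addr by one ledger entry, else 0."""
    tx, meta = entry["tx"], entry["meta"]
    if not entry.get("validated") or meta.get("TransactionResult") != "tesSUCCESS":
        return Decimal(0)
    if tx.get("TransactionType") != "Payment" or tx.get("Destination") != our_addr:
        return Decimal(0)
    delivered = meta.get("delivered_amount")
    # Issued currencies are objects and old ledgers may report "unavailable":
    # credit nothing rather than falling back to tx["Amount"].
    if not isinstance(delivered, str) or not delivered.isdigit():
        return Decimal(0)
    return Decimal(delivered) / DROPS

def reconcile(entries):
    """Compare what Amount-based bookkeeping credited with what the chain delivered."""
    booked = sum(naive_xrp(e) for e in entries)
    delivered = sum(credited_xrp(e) for e in entries)
    partial = [e["tx"]["hash"] for e in entries
               if e["tx"].get("Flags", 0) & TF_PARTIAL_PAYMENT]
    return {"booked": booked, "delivered": delivered,
            "shortfall": booked - delivered, "partial_payments": partial}

def payment(hash_, amount, delivered, flags=0):
    """Build a constructed entry shaped like a rippled account_tx result."""
    return {"validated": True,
            "tx": {"TransactionType": "Payment", "Destination": OUR_ADDR,
                   "Amount": amount, "Flags": flags, "hash": hash_},
            "meta": {"TransactionResult": "tesSUCCESS",
                     "delivered_amount": delivered}}

# Constructed sample: one ordinary deposit and one using the figures quoted above
SAMPLE = [payment("HASH_PLACEHOLDER_1", "25000000", "25000000"),
          payment("HASH_PLACEHOLDER_2", "330000000000", "3255", TF_PARTIAL_PAYMENT)]

if __name__ == "__main__":
    print(reconcile(SAMPLE))
```

A non-zero `shortfall` is the database-versus-blockchain gap; the flag check only lists candidates for review, since the amount credited always comes from `delivered_amount`.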


Sources/Further Reading

SlowMist Hacked - SlowMist Zone (Jun 26)
Someone Utilized the 'Partial Payments Exploit' In The XRP Ledger And Got Away With 7 Million XRPs From An Exchange (Aug 5)
@BitrueOfficial Twitter (Aug 5)
@BitrueOfficial Twitter (Aug 5)
About BitoPro (Aug 6)
BitoPro Taiwan BitoEX Exchange (Aug 6)
BitoPro Crypto Exchange - Apps on Google Play (Aug 6)
BitoPro. Trade Volume, Trade Pairs and Info - BeInCrypto (Aug 6)
Taiwanese exchange BitoPro attacked, losing about 7 million XRP - ATF News (Aug 6)
Taiwan Exchange BitoPro hacked due to XRP partial payment - Page 2 - Technical Discussion - XRP CHAT (Aug 6)
XRPL Explorer (Aug 6)
A “Partial Vulnerability” in XRP Ledger Leaves 7 Million XRP Exposed, As Bitrue Explains the “Bug” (Aug 6)
@hallwaymonitor2 Twitter (Aug 6)
XRP price today, XRP live marketcap, chart, and info | CoinMarketCap (Aug 7)
The 23 exchange hacks of 2019 (Aug 8)

