Justcoin Wounded by Ripple Flaw

Justcoin CTO Andreas Brekken documented on his blog a flaw in the official Ripple gateway implementation wherein transactions may be credited for amounts far greater than the actual amount actually transacted. Justcoin customer balances are affected based on customer reports of an email sent by Justcoin. The culprit in the case is a transaction flag called tfPartialPayment which the Ripple wiki described thusly in older revisions:

For payments not exclusively XRP to XRP, indicates partial payment is ok. Normally, payment are all-or-nothing. This option allows arbitragers to take advantage of opportunities to the degree available without needed to predict the degree available. Non-transaction fees will come out of the amount specified by SendMax. This can be used for application such as: returning funds, arbitrage, and currency conversion. [source]

A substantial problem with this flag is that it isn't actually implemented correctly in any Ripple or Stellar1 client software while still being accepted across the network. The impact of the flaw was that Ripple Gateway/Wallet software could display an amount transacted far in excess of the actual amount transacted. On the XRPtalk forums an email was posted sent to customers by the Justcoin:

Dear Justcoin user,

You are receiving this email because you have a balance of XRP at Justcoin. XRP deposits, withdrawals and trading have been disabled for the last three days. This is an explanation of what has happened and what the status is.

A network-wide weakness in how both Ripple and Stellar communicated transactions was exploited by an unknown third-party to to deposit false IOUs through Ripple/Stellar to Justcoin. These were consequently withdrawn to their own payment networks as native currencies. The result was that our hotwallets were emptied. Most of our customers' funds is in cold storage but the amounts were still significant. Justcoin will not operate as a fractional reserve and therefore we decided to lock down all services affected until we had a solution ready.

Justcoin cannot and will not accept taking the responsibility for this weakness in the network. It is caused by a feature that is poorly documented and has been present in both Ripple and Stellar for a long time. Other gateways, exchanges and native transaction explorers have also been affected. There is also documented that the security vulnerability has been known by the network developers for at least 2 months without any kind of explicit and direct warning to affected gateways and other services. A thorough and technical explanation of the weakness can be read here: https://medium.com/@…ld-29aaefd8a7ac .

The result is that as of now there will be imposed a partial 'hold' on all XRP balances. This hold will be representing the amount of XRP that is missing. Deposits will be disabled until we are 100% confident that we are no longer affected by this weakness or any other yet undiscovered. Deposits that have been made between the shutdown and now will be credited in full once deposits are opened. Trading and withdrawal of the XRP that is not on hold is now enabled. Please allow delays on withdrawals due to moving of funds from cold storage to hot wallet. The percentage of each XRP balance that is on partial hold is 23.27%.

We can assure you that it is our intention that the partial holds will be lifted. We are looking at different options and are having a dialogue with Ripple Labs and Stellar foundation. We will try to figure out a way to solve this, one way or another. Expect regular updates.

We are terribly sorry for the situation but are asking for your understanding and patience. If you have any questions that are not answered here please don't hesitate to ask. Allow some time for us to answer as our support is under high pressure at this time.

It may be taken away from this that at least one exchange hit by this bug is operating with fractional XRP funds. How many other services operating with Ripple are effected is unknown.


  1. Brekken's write up reports that Stellar did actually patch their implementation when they were notified.  

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>