The biggest threat to cryptocurrency holders is bad code, as the latest exchange hack has shown. Beaxy, a recently launched exchange based in Nevis and St Kitts, will roll back a number of trades after falling victim to a little-known exploit in the XRP Ledger.
The exploit was discovered after a coordinated sell-off pushed XRP prices to forty percent below the wider market.
The orchestrated XRP dump is especially remarkable, in that it was conducted on a fully KYC compliant exchange and brings attention to some of the tradeoffs in exchange compliance.
But the hackers may yet find something unpleasant at the bottom of their bucket of XRP…
How XRP Hit The Bargain Basement on Beaxy
XRP, launched by the founders of Ripple Labs, is the third-largest cryptocurrency by market capitalization, and worth close to $13 billion at press time. Manipulating the price of a currency with such a high market cap can only be achieved by targeting a minor exchange with low trading volumes.
That is precisely what the alleged perpetrators achieved. They pulled off the attack using the partial payment exploit, which can be achieved when the:
Amount field of a Payment is always the full amount delivered… This exploit can be used against gateways, exchanges, or merchants as long as those institutions’ software does not process partial payments correctly.”- XRP Ledger Dev Portal
In addition to using tighter code, the XRP Dev Portal proposes two additional mitigations. One is using extra “sanity checks” to ensure that the amount sent is equal to the amount received. The other is to “Follow ‘Know Your Customer’ guidelines and strictly verify your customers’ identities,” in order to block malicious users or pursue them in the legal arena.
While the perpetrators apparently succeeded in exploiting Beaxy’s code, they didn’t account for the fact that Beaxy is KYC compliant. The exchange has since promised to pursue them:
In addition, KYC has allowed us to identify participants in this incident & pursue action against them. We feel confident we can reclaim misplaced funds. To impacted users, thanks for your support!
— Beaxy (@BeaxyExchange) August 13, 2019
After all, it knows who they are. Beaxy has further assured users that it will ‘roll back’ the malicious trades and compensate affected users:
Quick update. Exchanges were targeted with an $XRP partial payment exploit today. Beaxy was also targeted in this. We’ve identified and applied a fix. To move forward, we are rolling back relevant trades on the exchange to the moment it was identified.
— Beaxy (@BeaxyExchange) August 13, 2019
The exchange remains frozen in the interim.
Crypto Briefing reached out to Beaxy to ascertain the countries of origin of the people who sold off XRP. As of press time, we are yet to hear back from the exchange.
The incident points to both the pros and cons of KYC/AML procedures among exchanges and crypto processors. BitPay recently implemented KYC requirements for users making particular transactions of a significant size.
Implementing KYC keeps exchanges and crypto services on the right side of the law and is expanding across the sector. In the case of the Beaxy incident, it could also reveal who was behind the manipulation on their exchange.
KYC has become unpopular among crypto users, but the benefits it can bring to the industry in situations such as these are positive. The sharp blade of KYC rules cuts both ways.
Beaxy in Focus For Hefty Listing Fees
Beaxy has recently faced scrutiny over its listing fees. The exchange was forced to issue a broad statement on their listing fee policies, in which they argue that their listing fees are both ‘fair and transparent’.
They failed to mention they are also high, especially if measured in the context of Beaxy’s trading volume. On-chain assets, (i.e. tokens without their own blockchain) cost almost $12,000 to list on the exchange. Custom blockchains cost close to $18,000.
24-hour trading volume on the exchange, according to CoinMarketCap at press time, was just over $150 thousand. Three-quarters of that volume is between BTC and BXY, Beaxy’s native token.
Beaxy is not the only exchange to charge a listing fee, and many marketplaces have been accused of running on a ‘pay-to-play’ model. But, given the overhead costs of exchange security and KYC, those high fees might just be the price of keeping customers’ funds safe.
The incident and Beaxy’s listing fees are likely to prompt calls for more decentralized exchanges in the industry. With Binance DEX currently being the most liquid at daily volumes around $3 million, the role of DEXs remains limited.
Beaxy’s XRP incident shows, however, that a well-oiled DEX may be a safer trading location than a small, centralized exchange. It may also be more affordable for projects seeking to list coins.