Beaxy had a week to prepare to be hacked. They had longer than that, really. Probably long before the idea for the exchange was conceived, Ripple was warning people about this hack. The XRP Partial Payment transaction sent from one of the eventual hacker wallets to Beaxy’s XRP wallet a full week before the hack, though, should’ve been caught, and the whole thing avoided. But it wasn’t, and a week later they were sitting ducks.
Disclaimer — I’ve never traded on Beaxy or owned a BXY token. I don’t work for any exchange. I kind of have a knack for sniffing out frauds in the crypto space. I enjoy investigative journalism, and I’m trying to write more of it and eventually land a writing gig. FWIW, my only motivations are content creation and shedding light on the incompetence of an exchange with which people entrust their funds.
Another XRP exchange hack… Why hasn’t XRP fixed this “Partial Payments” bug that exchanges keep getting hacked with? What even is it? To understand what a Partial Payment is we’ll refer to GB-2014–06 Gateway Advisory: Partial Payment Flag (PDF), issued October 17th, 2014 and widely available online since:
“Partial payments are a feature. Without this feature returning funds would be extremely cumbersome, perhaps requiring multiple attempts at guessing the market rate and making smaller payments to return as much as possible to the sender.”
Hmm… a feature, not a bug… XRP Dev Hub says partial payments are useful for returning payments without incurring additional costs to oneself. You can read more about it here if you’re so inclined. We could argue all day about the usefulness of Partial Payments, whether they should exist or not, but it really doesn’t matter — because they do.
How is this Partial Payments feature used to exploit an exchange like Beaxy? There’s no better explanation than the one in the Partial Payments Exploit section on the XRP Dev Portal, available to anyone with internet access — and specifically there as a resource for businesses or exchanges, like Beaxy, who integrate with the XRP Ledger.
The August 12th Beaxy hack played out exactly like the above exploit scenario the XRP Dev Hub warns about:
- Hacker sent a series of payment transactions from two XRP addresses to two Beaxy accounts. These transactions had large Amount fields and had the tfPartialPayment flag enabled.
- The partial payments succeeded (result code: tesSUCCESS) but actually delivered a very small amount of XRP.
- Beaxy read the transaction’s Amount field without looking at the Flags field or the delivered_amount metadata field.
- Beaxy credited the hacker in the exchange’s own ledger, for the full Amount, despite only receiving a much smaller delivered_amount in the XRP Ledger.
- The hacker converted most of the balance to bitcoin by market selling the credited XRP on Beaxy’s XRP-BTC market, and withdrew that BTC as well as most of the “real” XRP on the exchange, all before Beaxy figured out what had happened and halted trading and withdrawals.
All an exchange like Beaxy has to do to avoid being exploited by someone using XRP’s Partial Payments feature is to “use the delivered_amount metadata field, not the Amount field” when determining how much to credit an account that receives an XRP deposit. Seems simple enough.
Before the Hack
First — the part Beaxy hasn’t mentioned. On 08/05/2019 at 14:23 UTC — a full week before the hack — one of the two XRP wallets used in the hack, raz97dHvnyBcnYTbXGYxhV8bGyr1aPrE5w, sent a test Partial Payment transaction to a Beaxy account (destination tag 132491199) that was successful. The transaction’s Amount field lists 1,000 XRP, but only 0.005993 XRP were delivered.
This address (and many connected addresses) spam exchanges with these Partial Payment transactions on an almost daily basis in search of vulnerable exchanges. It’s possible the hacker didn’t realize this tx was a success for a few days, or (more likely) he did, and spent the next week coordinating an attack — opening a couple new Beaxy accounts, paying a couple hundred bucks to someone on Telegram for KYC, accessing Beaxy Trading APIs, etc.
Beaxy apparently didn’t notice the transaction. In the 2014 Ripple Advisory, as well as on XRP Dev Hub, Ripple/XRP recommends the following auditing practices -
Had they followed the recommended auditing practices and caught the discrepancy between the funds that actually arrived in the XRP Ledger and the funds credited to user accounts, Beaxy would’ve had about a week to change the wallet parameters and prevent user funds from being stolen. With even a basic audit system they could at least have taken the wallet offline, and user funds would not have been put at risk.
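What the crediting rule from the exploit walkthrough above looks like in practice, and the reconciliation check that would have flagged the 1,000 XRP test payment a week early, as an added example: this is not Beaxy’s code and not Ripple’s, just a hypothetical exchange-side deposit processor. The transaction dicts are constructed to mirror the shape of a rippled `tx` JSON-RPC response; the hot-wallet address, transaction hashes, the tag-to-user mapping, the second “normal” 25 XRP deposit and the balance figures are placeholders, and only the sender address, the destination tag and the two amounts of the test payment come from this article. The constant `TF_PARTIAL_PAYMENT` (0x00020000) is the flag value from the XRP Ledger docs.

```python
"""Crediting XRP deposits: the mistake that enables the partial-payment
exploit, beside the rule that prevents it, plus the reconciliation check
that would have caught the test payment a week before the hack.

Added example for this article, not code from Beaxy or from Ripple.
Transaction dicts follow the shape of a rippled `tx` JSON-RPC response;
everything except the sender address, the destination tag and the two
amounts from the article is a placeholder.
"""

TF_PARTIAL_PAYMENT = 0x00020000   # Payment transaction flag, per the XRP Ledger docs

EXCHANGE_HOT_WALLET = "rEXCHANGEHOTWALLETPLACEHOLDERxxxxx"  # placeholder address
KNOWN_TAGS = {132491199: "user-42"}  # placeholder: destination tag -> internal account

# Constructed: the 08/05 test partial payment described in the article.
# Amount says 1,000 XRP (1_000_000_000 drops); only 5993 drops (0.005993 XRP) arrived.
TEST_PARTIAL_PAYMENT = {
    "Account": "raz97dHvnyBcnYTbXGYxhV8bGyr1aPrE5w",
    "TransactionType": "Payment",
    "Destination": EXCHANGE_HOT_WALLET,
    "DestinationTag": 132491199,
    "Amount": "1000000000",
    "Flags": TF_PARTIAL_PAYMENT,
    "hash": "PLACEHOLDER_TX_HASH_1",
    "validated": True,
    "meta": {"TransactionResult": "tesSUCCESS", "delivered_amount": "5993"},
}

# Constructed: an ordinary 25 XRP deposit with no partial-payment flag set.
NORMAL_DEPOSIT = {
    "Account": "rSOMEUSERWALLETPLACEHOLDERxxxxxxxx",
    "TransactionType": "Payment",
    "Destination": EXCHANGE_HOT_WALLET,
    "DestinationTag": 132491199,
    "Amount": "25000000",
    "Flags": 0,
    "hash": "PLACEHOLDER_TX_HASH_2",
    "validated": True,
    "meta": {"TransactionResult": "tesSUCCESS", "delivered_amount": "25000000"},
}


def credited_drops_vulnerable(tx):
    """The mistake: trust Amount and never look at Flags or delivered_amount."""
    if tx["meta"]["TransactionResult"] != "tesSUCCESS":
        return 0
    return int(tx["Amount"])


def credited_drops_safe(tx, hot_wallet, known_tags):
    """Return (user, drops_to_credit, is_partial); credit nothing unless every check passes."""
    is_partial = bool(tx.get("Flags", 0) & TF_PARTIAL_PAYMENT)   # worth alerting on, even if valid
    meta = tx.get("meta", {})
    if not tx.get("validated") or tx.get("TransactionType") != "Payment":
        return None, 0, is_partial
    if meta.get("TransactionResult") != "tesSUCCESS":
        return None, 0, is_partial
    if tx.get("Destination") != hot_wallet:
        return None, 0, is_partial
    user = known_tags.get(tx.get("DestinationTag"))
    if user is None:
        return None, 0, is_partial            # untagged deposit: hold for manual review
    delivered = meta.get("delivered_amount")
    # Never fall back to Amount. A missing field or the literal "unavailable"
    # (very old ledgers) means the delivered value is unknown; a dict means an
    # issued currency, not XRP. Only a decimal string of drops is creditable.
    if not isinstance(delivered, str) or not delivered.isdigit():
        return None, 0, is_partial
    return user, int(delivered), is_partial


def reconcile(credited_drops, balance_before, balance_after):
    """Internal credits minus what actually arrived on-ledger; non-zero is the alarm.

    In production the hot wallet's outgoing withdrawals (and their fees) over the
    same window are subtracted from the balance delta; this demo window has none.
    """
    return credited_drops - (balance_after - balance_before)


def run_demo():
    txs = [TEST_PARTIAL_PAYMENT, NORMAL_DEPOSIT]
    balance_before = 500_000_000_000                 # placeholder account_info Balance, in drops
    balance_after = balance_before + 5993 + 25_000_000
    vulnerable_total = sum(credited_drops_vulnerable(tx) for tx in txs)
    safe_total = sum(credited_drops_safe(tx, EXCHANGE_HOT_WALLET, KNOWN_TAGS)[1] for tx in txs)
    return {
        "vulnerable_credit": vulnerable_total,
        "safe_credit": safe_total,
        "vulnerable_discrepancy": reconcile(vulnerable_total, balance_before, balance_after),
        "safe_discrepancy": reconcile(safe_total, balance_before, balance_after),
    }


if __name__ == "__main__":
    for name, drops in run_demo().items():
        print(f"{name:>24}: {drops} drops ({drops / 1_000_000:.6f} XRP)")
```

Run against the two constructed deposits, the vulnerable path credits 1,025 XRP while only 25.005993 XRP arrived, a discrepancy of roughly 999.99 XRP that a nightly reconciliation of the hot wallet’s `account_info` balance against the internal ledger would have surfaced on 08/05. The safe path credits exactly what arrived, refuses anything with an unknown destination tag or a non-numeric `delivered_amount`, and still reports the partial-payment flag so the deposit can be alerted on.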
Here’s how it happened (timeline; only the notes from the original table survive here) —
- XRP selloff begins in the Beaxy XRP-BTC market
- * presumably sold for BTC (10k XRP × 0.00002640 BTC = 0.264 BTC)
- ** presumably sold for BTC (101k XRP × 0.00002640 BTC = 2.6664 BTC)
- 8/12/2019 23:00 — Beaxy announces trading halt due to unusually high XRP-BTC volume
Two hours and four minutes from the first Partial Payment deposit to the last BTC withdrawal. Total take of 43.64253571 BTC and 111,000 XRP, a total USD value of around $570,000 on the day of the hack.
They weren’t “hacked”
From the beginning, the Beaxy team has claimed they weren’t hacked. They contend the Partial Payment exploits occurred as a result of an issue with XRP, not Beaxy. They attribute it to Ripple not “openly” documenting the issue, having “unclear” dev documentation, not being “vocal,” even “hush hush” about it.
This simply isn’t the case. Partial Payments, and specifically the potential for bad actors to steal from exchanges by using them, are well-documented (in the 2014 Gateway Advisory, on the XRP Dev Hub, and elsewhere), widely known, and something Ripple/XRP have been warning people about since 2014.
By team member “Bitcoin” Bay Abbot’s own definition of a hack — “a vulnerability in the core exchange” — Beaxy was hacked. They didn’t configure their XRP wallet per the specifications given by Ripple/XRP, and they didn’t follow the recommended auditing practices. Their own incompetence made them vulnerable, they were hacked, and user funds were stolen.
Painfully slow to react
Beaxy reacted to the hack excruciatingly slowly. They seemed confused, completely unprepared, and without any system in place to shut down or mitigate the damage from an active attack.
Over three hours after the hack began, with bitcoin withdrawals and deposits still open, Discord users were explaining the obvious to Beaxy team members: the hacker wanted to withdraw BTC, so BTC withdrawals needed to be shut down.
In the middle of the hack, without knowing the extent to which the exchange was compromised, Beaxy team members encouraged a user to deposit FTM for the upcoming FTM deposit contest.
I can’t help but imagine BitcoinBay® typing this on mobile, running around screaming the sky is falling. “It’s happening all over the place” he says, and posts a Whale Alert tweet about a large XRP transfer to Poloniex. This was just a large XRP transfer though, not a hack. This XRP came from Poloniex in February, and was now being sent back. It was not, in fact, happening all over the place.
It took almost four hours from the first XRP Partial Payment transaction for the exchange to be shut down. They closed XRP withdrawals but left BTC withdrawals open. They advised users, whose funds were already half gone, to continue depositing BTC and FTM while the hack was ongoing. The exchange’s BTC wallet balance went from about 55 BTC to 20 BTC in a couple of hours, almost 65% of the BTC on the exchange, withdrawn to two addresses, without setting off any alarms. Profoundly amateur.
What’s the damage?
As we now know from this analysis, Beaxy lost 43.64253571 BTC and 111,000 XRP to the hacker. For some reason, though, they won’t tell us that.
Initially, hours after the hack, they told us that through their KYC they’ve identified the hacker and are confident they can reclaim misplaced (read: stolen) funds. As if… The Hacker… Used his own ID.
A couple days later they told us they’ll use company funds to replace the stolen funds. Despite being asked many times in the discord how much was lost, no one from Beaxy will give any numbers.
Beaxy team members would only say that on Monday (8/19) they would announce the financial impact of the hack.
On Monday, Beaxy sent an email to users entitled “We’ve got your back.” Upon request it was posted to the support site as well. Sandwiched between three giveaway announcements (a Tesla, a new deposit bonus & an increased referral bonus) and three new listing announcements (VIDT, GO & FTM — all paired with BTC) is a brief section about the hack (or as they describe it — “deposit spoofing”). Regarding the funds, they say —
“We elected to do an exchange rollback and reimburse users in full from company funds to rectify our mistake. Full exchange functionality has resumed and the exchange was reverted back to 2019/08/12 19:23:11 UTC — immediately before any suspicious activity was logged.”
Still no numbers, just that they’ve elected to reimburse users from company funds.
So where are the funds?
When Monday’s final update was posted, the exchange’s BTC balance was less than 9 BTC. As of posting this article to Medium the balance is under 2.5 BTC. There doesn’t appear to be an associated cold wallet. In the most recent 50 transactions there are only three repeated inputs (none for more than 3.2 BTC and none from multi-sig addresses) and there are no repeated outputs. Almost all incoming BTC since the hack appears to come from individual user deposits.
In a trust-but-verify world, Beaxy isn’t giving us much to go on. They tout a supposed record of “transparency,” while at the same time telling users they were not hacked, refusing to say how much was lost, claiming funds have been reimbursed, but providing no proof. All the available evidence suggests otherwise. Their incompetence in configuring their XRP wallet is concerning, and so is their response to an active hack. If they truly value transparency, Beaxy has some questions to answer. If I were a user, a BXY token holder, or a community member, I’d sure be asking some.