Crypto exchange Beaxy lost 44 bitcoins and 111,000 XRP, worth $570,000, during its “partial payments” exploit two weeks ago, according to John Galt, an analyst at cryptocurrency intelligence firm SharkCIA.
The partial payments exploit made use of a feature of the XRP blockchain that was incorrectly set up by the exchange—allowing the hackers to be awarded more funds than they deposited on the exchange.
Galt also noted that the funds in the exchange’s main Bitcoin wallet are down 95 percent, suggesting it could be running out of money, unless it has other reserves. And, currently, the exchange is offering incentives for users to bring more money into the exchange.
The partial payments exploit happened due to the exchange’s faulty set-up of the cryptocurrency XRP. It used the wrong parameters when registering whether a transaction had been paid in full, or in part. This allowed hackers to convince the exchange’s system that millions of XRP had been deposited when just a tiny amount had actually been sent to the platform. As a result, the exchange credited the hackers with a large amount of XRP that they hadn’t paid for. The hackers then sold this XRP cheaply for Bitcoin, and withdrew the Bitcoin from the exchange.
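The deposit check that prevents this, as an added example (not Beaxy's code and not from Galt's analysis). The article does not name the fields involved; this sketch assumes the XRP Ledger's documented `Amount`, `Flags` and `delivered_amount` fields, and uses a simplified, constructed record shape with a placeholder deposit address.

```python
TF_PARTIAL_PAYMENT = 0x00020000  # XRP Ledger Payment flag: deliver up to Amount
EXCHANGE_ADDR = "rEXCHANGE_DEPOSIT_PLACEHOLDER"  # constructed, not a real account


def naive_credit(rec):
    """Flawed: trusts Amount, which is only an upper bound on a partial payment."""
    return int(rec["tx"]["Amount"])


def safe_credit(rec, deposit_addr=EXCHANGE_ADDR):
    """Return drops of XRP to credit, taken from what the ledger actually delivered."""
    tx, meta = rec["tx"], rec["meta"]
    if not rec.get("validated"):
        return 0  # not in a validated ledger yet
    if tx.get("TransactionType") != "Payment" or tx.get("Destination") != deposit_addr:
        return 0
    if meta.get("TransactionResult") != "tesSUCCESS":
        return 0
    delivered = meta.get("delivered_amount")
    # XRP is a string of drops; issued currencies are objects, and very old
    # ledgers may report "unavailable". Neither is credited as XRP here.
    if not isinstance(delivered, str) or not delivered.isdigit():
        return 0
    return int(delivered)


def is_suspicious(rec):
    """Flag deposits that set tfPartialPayment and delivered less than Amount."""
    tx = rec["tx"]
    partial = bool(tx.get("Flags", 0) & TF_PARTIAL_PAYMENT)
    amount = tx.get("Amount")
    return partial and (not isinstance(amount, str) or safe_credit(rec) < int(amount))


# Constructed sample records (simplified shape, assumed for this example).
HONEST = {"validated": True,
          "tx": {"TransactionType": "Payment", "Destination": EXCHANGE_ADDR,
                 "Amount": "25000000", "Flags": 0},
          "meta": {"TransactionResult": "tesSUCCESS", "delivered_amount": "25000000"}}
PARTIAL = {"validated": True,
           "tx": {"TransactionType": "Payment", "Destination": EXCHANGE_ADDR,
                  "Amount": "5000000000000", "Flags": TF_PARTIAL_PAYMENT},
           "meta": {"TransactionResult": "tesSUCCESS", "delivered_amount": "1000"}}

if __name__ == "__main__":
    for name, rec in (("honest", HONEST), ("partial", PARTIAL)):
        print(name, naive_credit(rec), safe_credit(rec), is_suspicious(rec))
```

Amounts are in drops (1 XRP = 1,000,000 drops): the constructed partial payment claims 5,000,000 XRP in `Amount` but delivers 0.001 XRP, and only the second function credits the smaller figure.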
Beaxy has not confirmed how much money was stolen during the hack. But Galt’s analysis presents a timeline of the events, showing the relevant transactions from the initial partial XRP payments to the bitcoins being siphoned off the exchange. The exchange has not confirmed his analysis.
But while the exchange points the finger at Ripple, Galt claims that Beaxy itself was at fault. (We have reached out to Beaxy and will update this article if we hear back.)
For a start, Galt says that Beaxy claimed that the problem was little known and that Ripple hadn’t been forthcoming about it. Yet this is the same exploit that had been used on 59 other exchanges. There are multiple records online of how partial payments work, how other exchanges have been hacked and how to avoid such a scenario, he points out.
Second, Galt argues that the exchange erred in not shutting off Bitcoin withdrawals, failing to recognize that the funds had been swapped from XRP to Bitcoin. He posted screenshots of affected users urging the exchange to shut off Bitcoin withdrawals, to no avail.
Third, Beaxy claims it will simply use the KYC documents supposedly provided by the hacker to recover the funds but, as Decrypt suggested when we reported the hack, this will likely be a dead end. Galt pointed to a tweet showing how easy—and cheap—it is to pay for someone else to fulfil the KYC requirements.
All of this suggests an exchange that’s on wobbly legs. Beaxy has promised to cover the lost funds out of its own pocket but, so far, it hasn’t done so. It has offered incentives for new users to sign up. A user trading over $5,000 in volume is automatically entered into a draw to win a free Tesla, and free tokens are offered “for every dollar deposited to Beaxy.” Referral bonuses have also been increased.
The exchange may simply be trying to draw people back—or it might be in worse trouble than we think.