Beaxy, a cryptocurrency exchange entered the competitive crypto market only in May 2019 and has been introduced to Partial Payment option on August 13, however through an XRP exploit. The Partial Payment being exploited has been recognized by the XRP ecosystem since 2014 when it claimed its first victim JustCoin.
JustCoin, a digital currency exchange on October 2014 reported a massive move of crypto to and from the exchange. The website in a state of panic was immediately shut down and reached out to Stellar Foundation and Ripple labs, to report this and to find out whether or not other exchanges had faced the same. Stellar was quick to remove the “partial payments” from their system, whereas Ripple’s RippleTrade, that was impacted by the exploit, along with several other exchanges at the time, reportedly “patched” the issue. The foundation at the time explained “partial payments” as:
“As it exists in the Ripple code base, partial payments allow a user to send a small part of a payment rather than the entire payment. For example, the sender could tell the anchor that s/he was sending 10 BTC while actually only sending .0001 BTC. This feature is rarely, if ever, used in practice. “
Generally, in such cases, the anchor must check the “amount” option in order to understand how much crypto they received, however, in case of partial payment transactions, the “delivered amount” must be checked. Thus, a lack of knowledge of this setting can cause a loss of funds. Due to the lack of transaction flag for such payments, the exchanges did not realize the discrepancy at first.
After JustCoin and other exchanges, Beaxy suffered the same incident five years later. Being new in the business, the exchange may not have been aware of this feature, but this ignorance costed them to trade at a 62% discount on its exchange and was first identified as an unusually “high volume activity on XRP-BTC”, due to which it halted transactions on all trading activity and withdrawals.
Soon Beaxy informed of being targeted with an XRP partial payment exploit along with few other exchanges, which have not been identified. The exchange quickly fixed this problem and rolled back relevant trades to the moment the problem was identified and said:
“Additionally, we will credit any funds misappropriated during this time. This process will take some time to complete, bear with us. During this time the exchange will be open, but activities will be frozen as we work on reverting to the previous state.”
The exchange also identified the participants in this exploit due to KYC and was pursuing actions against them.