CERIAS Weekly Security Seminar - Purdue University artwork

Pedro Moreno-Sanchez, "Mind Your Credit: Assessing the Health of the Ripple Credit Network"

CERIAS Weekly Security Seminar - Purdue University

English - March 21, 2018 20:30 - 232 MB Video - ★★★★ - 6 ratings
Technology Education Courses infosec security video seminar cerias purdue information sfs research education Homepage Download Apple Podcasts Google Podcasts Overcast Castro Pocket Casts RSS feed
Previous Episode: Nathan Burrow, "CFIXX -- Object Type Integrity for C++"
Next Episode: Chris Reed, "Leveraging DevSecOps to Escape the Hamster Wheel of Never-ending Security Fail"

The Ripple credit network has emerged as the payment backbone
with

indisputable advantages for financial institutions and the
remittance

industry. Ripple’s market capitalization is currently third only
to

Bitcoin and Ethereum. Its path-based IOweYou (IOU) settlements
across

different currencies conceptually distinguishes the Ripple
blockchain

from the cryptocurrencies (such as Bitcoin) and makes it highly
suitable

to an orthogonal yet vast set of applications in the remittance
world

and beyond.



In this talk, I present our recent study of the structure and
evolution

of the Ripple network since its inception, and our research
results

regarding its vulnerability to attacks that harm the IOU credit of
its

wallets. We find that about 13M USD are at risk in the current
Ripple

network due to inappropriate configuration of the rippling flag
on

credit links that paves the way to undesired redistribution of
credit

across those links. Although the Ripple network has grown around a
few

highly connected hub (gateway) wallets that make the core of the
network

and provide high liquidity to users, such credit link
distribution

results in a user base of around 112,000 wallets that can be
financially

alienated by as few as 10 highly connected gateway wallets.
Indeed,

today about 4.9M USD cannot be withdrawn by their owners from the
Ripple

network due to PayRoutes, a gateway tagged as faulty by the
Ripple

community. Finally, we observe that stale exchange offers pose a
real

problem, and exchanges (market makers) have not always been
vigilant

about periodically updating their exchange offers according to
current

real-world exchange rates. For example, stale offers were used by
84

Ripple wallets to gain more than 4.5M USD from mid-July to
mid-August

2017. Our findings should prompt the Ripple community to improve
the

health of the network by educating its users on increasing
their

connectivity, and by appropriately maintaining the credit
limits,

rippling flags, and exchange offers on their IOU credit links.