Below is a copy of a security report submitted to Ripple Labs on 18th May 2015. Unfortunately, after more than three months, no fix has been released and no acknowledgment of whether the exploit is regarded as neeeding a fix has been given. Fair disclosure suggests it is better to make the exploit public after this period of time. Github links have been updated to the current code. Unfortunately JIRA links are now broken due to the bug tracker being made private.

Full disclosure: I have received numerous bounties for security and bug reports in the past and was employed as a contractor for Ripple Labs for a period of time.

tl;dr It is possible to "mine" transactions ids which give you a better chance of exploiting the state of the Ripple ledger for financial gain.

Exploiting Ripple Transaction Ordering For Fun And Profit

Ripple transactions are serializable to a custom binary format that is cryptographically hashed and then signed by one of two schemes (ECDSA and EdDSA). This signature is then inserted back into the binary serialized form which is hashed again to produce a transaction id through which it can be uniquely identified. Transactions are submitted to a rippled node, which verifies that the signature matches the public key and the hash of the public key (account id) and if the signature is good, it disseminates the transaction to the other rippled nodes operating on the same network that it knows about. These instances pass that transaction on to nodes that it did not receive it from and this flooding should result in it being considered for adoption in a ledger by the validators running in the network by the process of consensus. All non-validating nodes do actually process the transactions, but only the agreed ledger of the trusted validators counts for all intents and purposes.

Consensus requires that these transactions be ordered so that all validators can apply them in the same order and reach the same result. There is some confusion amongst the community and no conclusive documentation on this ordering. So, as is often the case, we need to read the code. First, let’s look at an example ledger that show some interesting characteristics:

SELECT at.TransId, ...> at.TxnSeq, ...> at.Account, ...> t.FromSeq ...> FROM AccountTransactions at ...> INNER JOIN Transactions t ...> ON at.Transid=t.Transid ...> AND t.FromAcct=at.Account ...> WHERE at.LedgerSeq=13304583 ...> ORDER BY at.TxnSeq; TransID TxnSeq Account FromSeq ---------------------------------------------------------------- ---------- --------------------------------- ---------- 013BDF50F3D6FE5684935D1BB63DDE5DF3994C533F87D4C5C8DCF37047C42B71 0 roverTeW1kfwHb9WZyoJW9M6sP4nC6BuJ 18514 03415480457F5BDDC6FDE019A9BB6E6B8DF45A1111375B08CAB64A099C8C01D1 1 rfRQfYGrs8BoyS4duDjWDH11yq5JVX46A 32642 03C181BF1A23A85521970EBF5A144E09B74FC0D6B0A9C7CC4B11EEA14C8C5794 2 roverTeW1kfwHb9WZyoJW9M6sP4nC6BuJ 18515 044F9A749F75545937FF37560A8EF325D2EDED25E44AD59FD3B5E01CD8D43A01 3 roverTeW1kfwHb9WZyoJW9M6sP4nC6BuJ 18516 079E0378F417F1380FF4BB25A5865DC749FF145B2C1FCCCD02A740EC8AC06028 4 roverTeW1kfwHb9WZyoJW9M6sP4nC6BuJ 18517 0829279565D00E649CF673E36FE599F6F0D421175C9FCF04CF97CACC8334F054 5 rEaWE52vbfqoHCbaidH4oE32DYfbQtw9c 144527 0999C5ACA9588F003A5676DEECA3FE7D8B02605F6706C33E6BA72CB8820F5103 6 roverTeW1kfwHb9WZyoJW9M6sP4nC6BuJ 18518 0BC5C5BC792A2AE9B5B5733BE017041143C5FAC902BCE80095C00DA9FDF64729 7 roverTeW1kfwHb9WZyoJW9M6sP4nC6BuJ 18519 0C2DD73CB47045E52F4D9F1DAAD42A9E375EC3502F7F5FF24FAA5D2EF6B34942 8 roverTeW1kfwHb9WZyoJW9M6sP4nC6BuJ 18520 0C67BE5505C301A4B78853BDA1A8167C0BF61EF040AC2C67278329054581DD48 9 roverTeW1kfwHb9WZyoJW9M6sP4nC6BuJ 18521 44FCFD01470516ABBD293C2414A4F5B61408F53B5FD8CD69EDFD2DC8024DFFF3 10 rBN3aEzHtDMPtkW2ci1PJNFxXLi4DUT1E 76770 5CCCC475B697777C251578B7360202C33052753C9114C088229FB8E110D487AF 11 rKkhd9rTV2fJR59DgsFQG67GFcqoNVgSN 10352 8C644A85749C0C5618B7D7DA7BAAFC1F9779118DBCCB3D328FC9ADA44664DD83 12 rDaeHQrL8bEbPuQGx7rkb1vCwUbPqGdDt 22113 97B42105AE8154B80B7065559DF2EE82C4F470AE3A582855FEAE635C8E5DC9EA 13 rfCFLzNJYvvnoGHWQYACmJpTgkLUaugLE 5270095 A968BBA4412E7D6358520DC3E7702079BD35DCABB67AAEA96CC9675D9EF61FD3 14 rDN91UzG9HyDyGuoNpuyCxKdw1FcFA9bA 41608 AB506718DE4CA503DAF42D562ABC407B882428F5C658D65B4605A9D21ADC6F50 15 rEaWE52vbfqoHCbaidH4oE32DYfbQtw9c 144528 AE03E8C3097CBA89F1F30A788553321BD1472E7EB7885A9545A0C185CB7E586A 16 rDN91UzG9HyDyGuoNpuyCxKdw1FcFA9bA 41609 C5837574AC71F9F12C5EA1D32D8F74CF53FC1B6FC7FEC8F2CB459AE19176DC6F 17 rEqm4WyqHqHoLYKM9fwDkpnK3Adi2yJdD 23391 C9C63127696EBBA8D4115B4BD672C64B85E7B9C6CBCB5536A2F081A2A9F0F1C0 18 rUY4bFSz4y6gsGvedGmKoLngMnvMoawej 42738 DA2A6FB112C476A264EE11A0C616B71F5F578A84AF986A9A13F79855109C5AE0 19 rGcSxmn1ibh5ZfCMAEu2iy7mnrb5nE6fb 14931 F8D9BF6ECA2083482C27A4CF45A25690427671E5928A7E740A4691BEF91A6AA5 20 rBN3aEzHtDMPtkW2ci1PJNFxXLi4DUT1E 76771 064F9CD745883CD69F2284ECE789827232EF5A339FDAF78CD260D60BA1F2EDF2 21 rfCFLzNJYvvnoGHWQYACmJpTgkLUaugLE 5270096 FA51521273C46C5984693BBB48E3421AF07D51C2D303C48365F7AB5630D689D6 22 rfCFLzNJYvvnoGHWQYACmJpTgkLUaugLE 5270097 A29C7AB2CEE16436B367DCB0C810127135DD0C5524A84854853CD67EC0CAFF58 23 rfCFLzNJYvvnoGHWQYACmJpTgkLUaugLE 5270098 9B3E3F55F0D5BA7A6FD962154E28FFE886D36E902CBD50D64DD01DA2A5DD513F 24 rfCFLzNJYvvnoGHWQYACmJpTgkLUaugLE 5270099 E47F0AC7185B9EBD920D85D15296E80E66EC559D6812D893DBA4E315BA2B3B11 25 rfCFLzNJYvvnoGHWQYACmJpTgkLUaugLE 5270100 24C80472F6716CC2B1211A665B3CF14D9775A6C74337D59C70156F4E3447AF48 26 rfCFLzNJYvvnoGHWQYACmJpTgkLUaugLE 5270101 0A66B53BBB40A5057CADAFA0FFB0AC2BAB41D2889D1DAD6178D41DD023CD2DD6 27 rfCFLzNJYvvnoGHWQYACmJpTgkLUaugLE 5270102 D44DD02D5A454F16ABB90EAE71BBB2F90549BB2764F8D12B117F646E34BAE4A9 28 rfCFLzNJYvvnoGHWQYACmJpTgkLUaugLE 5270103 0AC2D4A67D6349E2ECF1722BA6A9AA45F02195DA0EB2B4417AEBDE767A7E7EB7 29 rfCFLzNJYvvnoGHWQYACmJpTgkLUaugLE 5270104 4465966BBE18C0038FE5CEDA93E1E3D437258881D76678353D209F4841185EED 30 rDaeHQrL8bEbPuQGx7rkb1vCwUbPqGdDt 22114 578214C13AD9FFA75EBD721BA67EE33AFF0570284FEF292B207F80FAF8D31BD0 31 rEaWE52vbfqoHCbaidH4oE32DYfbQtw9c 144529 94A52C051E01A91282955DF70284288DEAE4B4555315681C52AB9CD31827D725 32 rGcSxmn1ibh5ZfCMAEu2iy7mnrb5nE6fb 14932

Transactions 0 to 20 are ordered by transaction id, with multiple accounts being intermingled, but for each account, the account sequence and transaction id have a congruent order, this being the default case for an account with a single transaction in a particular ledger.

Transactions 21 to 29 are transactions for a single account, this time with transactions being ordered by account sequence (note 5270095 though).

Transactions 30 to 32 are for accounts that already have transactions earlier on, but for which the transaction id is lexicographically before the id of one of the earlier transactions for the same account.

Confused yet?

So back to the code. It is tempting to say that the linked code is almost impossible to understand without the aid of a lot of logging. There are three places where transactions received from the network are applied to a ledger:

LedgerConsensusImp.cpp#L1009

LedgerConsensusImp.cpp#L1153

LedgerConsensusImp.cpp#L1174

But as far as I can tell it is only the application on line 1009 that actually matters for the transaction ordering of a closed and final ledger. So if we move into applyTransactions() we can see what decides that order:

LedgerConsensusImp.cpp#L1869-L1897

Iterates set in transaction id order, putting any failures of the transaction engine into retriableTransactions which is seeded by the root hash of the transaction ShaMap:

LedgerConsensusImp.cpp#L993

and ordered by a XOR-ing of the transaction root hash with the account id, by account sequence and then (irrelevantly?) transaction id.

CanonicalTXSet.cpp#L77-L86

These retriabletransactions are then iterated up to three times to apply them to the end of the ledger. In some ways it doesn’t really matter what anyone thinks the code is doing or is intended to do (the code itself makes that task very hard), only the observed behaviour matters. Which brings us on to a pair of exploits that take advantage of this observed transaction ordering behaviour.

Advantageous Arbitrage Transaction Placement

Arbitrage is the taking advantage of different prices in different markets to collect the difference minus any applicable transaction fees. It’s free money that doesn’t last for long and its effect is to remove liquidity and at the same time bring equality to markets and inform speculators of correct prices given the state of all markets. The Ripple network is ripe for arbitrage given the abundance of currencies and multiple markets for each of those currencies. The problem of finding opportunities can be speedily solved by recursively applying a FIFO queue-based Bellman Ford algorithm to a graph of the negated logarithms of the ratios of the funded tips of all order books to find negative cycles and removing the smallest offer in each cycle on each recursion. For each path apply transaction fees and see if gain, given available liquidity of the account and the path, is greater than cost. This way many, and indeed complex, paths can be found (trade secret revealed!).

However, arbitrage is a race and there are two ways to win. Find paths that no-one else has found or exploit paths before anyone else does. The author was initially motivated by the first challenge but soon also found a solution to the second. The exploit follows:

Build a list of profitable paths.

Build OfferCreate transactions for each path with tfImmediateOrCancel|tfSell flags set and append them to an ordered list.

flags set and append them to an ordered list. Set Account , PublicKey and Sequence appropriately.

, and appropriately. Set LastLedgerSequence to current ledger+1 (+2 can still work when the market is busy and submission times are universally slow).

to current ledger+1 (+2 can still work when the market is busy and submission times are universally slow). For each transaction set SourceTag to an incrementing counter (nonce) between 1 and n, sign the transaction and determine the transaction id.

to an incrementing counter (nonce) between 1 and n, sign the transaction and determine the transaction id. For first transaction select the nonce which yields the lexicographically lowest transaction id. For subsequent transactions select the nonce which yields the lowest transaction id greater than the id of the previous transaction.

Sign once more and submit transactions to the network.

The effect of the above process is that with high likelihood your transactions will be processed before those of most other accounts in a ledger, dependent on how high your value of n is. If another arbitrageur has found the same path and submitted similar transactions, they are more likely to fail in their aim of exploiting the path as maximally as you. Of course this depends on the liquidity of the path and the available funds of each arbitrageur.

Obviously there are tight time constraints to find opportunities in a ledger, sign number of trades x n and make sure all the transactions reach the validators before the next ledger closes. For this reason using a programming language with a fast native version of the signature generation scheme helps. In benchmarks, using an optimised native Ed25519 implementation, it has been found that a path of 7 transactions can be signed 256 times each with a different nonce in 360ms to “mine” a preferable transaction id. The author is certain that this benchmark could be improved. Following is an example ledger where many arbitrage bots are fighting to exploit the same opportunity. One aptly named account seems to be winning the race, but see later analysis of all accounts for some interesting observations.

SELECT at.TransId, ...> at.TxnSeq, ...> at.Account, ...> t.FromSeq ...> FROM AccountTransactions at ...> INNER JOIN Transactions t ...> ON at.Transid=t.Transid ...> AND t.FromAcct=at.Account ...> WHERE at.LedgerSeq=13432605 ...> ORDER BY at.TxnSeq; TransID TxnSeq Account FromSeq ---------------------------------------------------------------- ---------- ---------------------------------- ---------- 0014BE643C33325E2484C7AB4E86BD86C0015847199566A7CC7658DBD663E57C 0 rapido5rxPmP4YkMZZEeXSHqWefxHEkqv6 16434 0100B6409A32F45C73FA26365EC234F34B16011A8F22B2A52DA1BAD8F0D33244 1 rapido5rxPmP4YkMZZEeXSHqWefxHEkqv6 16435 03603F21BCC62C4E2E47A023B286E31A4FA78ACF5A0BB4930CACA7DEC0265734 2 rfTiZ53FW6aXcY9TFXQbZMsHQeP4h6Dgkh 395872 041436C67D9FF4504391D88620BCE1755EA7D67804D609B839CA2F88D3CF891C 3 rapido5rxPmP4YkMZZEeXSHqWefxHEkqv6 16436 042CB042F781ABFE30BC7DD3AB5EA6444DC7EF0AE389FE7CD3E52F6D9E151A83 4 rapido5rxPmP4YkMZZEeXSHqWefxHEkqv6 16437 050364F43BD4214B1A8ECDB3DA7F1EACAEE378B949AD317072C5162ABFED3FDC 5 rapido5rxPmP4YkMZZEeXSHqWefxHEkqv6 16438 06CE55196A621A0B77226D96CE2C6F648FD850F52CC09F530A7F0B7C4B39B188 6 rHv4gWtQL4PEaUij1kEyAVea7Cyn8f4aAp 17775 07C26F2A99D4AD883C3A1785442FA9402D1EC63359BE2C19EA372FD4FAEE89C4 7 rHsZHqa5oMQNL5hFm4kfLd47aEMYjPstpg 17792925 0A75C1FC810C5FDB91986E54CCFA9187D86663BBDD8249411D6F88A14DFFA140 8 r2d2iZiCcJmNL6vhUGFjs8U8BuUq6BnmT 737230 147E6661059DE6470A4D7699158595E7C81C5141FAF87A49A1392D4DA3D53AF8 9 r2d2iZiCcJmNL6vhUGFjs8U8BuUq6BnmT 737231 18EBF244FBBA4A4C25DDD6B94462724598D2C02040D04D904B2E6E5404465FEA 10 r4Ci6dk2QmwUdb8ixWn17VkwjaLJATc6zN 51 2773523702A7957343703241EDF9BA75EFBE5057B5E827ECADE650B1E3EBC7DE 11 r2d2iZiCcJmNL6vhUGFjs8U8BuUq6BnmT 737232 30150098887D26D466CABDE4B41B2309A73AA285E450CDF4972E20C2112766B9 12 rfZ4YjC4CyaKFx9cgzYNKk4E2zTXRJif26 385151 3F5B2965201784B44CAE2247E5EA7645B17F5449472D42B6BEC778EE713B7D3E 13 rPCFVxAqP2XdaPmih1ZSjmCPNxoyMiy2ne 574424 41AD7B7ABFEF0C00B05413A48E72095ACA4DF443A9B256A6EE388DA0D0041EE6 14 r2d2iZiCcJmNL6vhUGFjs8U8BuUq6BnmT 737233 4C0C28EFAEA3E164AF8CB101172A112DD4534262996B8424FBD7C42513F2F7E7 15 rPCFVxAqP2XdaPmih1ZSjmCPNxoyMiy2ne 574425 5904D28C6515772BD586CFC4425EBB25AE5D4079177F9EEAA7E166BDD3F73F54 16 rPC4bKCkZn2uNS3AhFMcsazG9D95dJufFA 124709 5B79BBA28245DA38CE395FB07E09E17BF3CDCD8A246CAC63667262A84F4183DC 17 rHaLk9zSC1JPmbDiWAgWTgjcEacHzGbqf 217829 72E10D6FDE8A94F12BC7C8A8BBE601621B3698954C8F25E756F3E415EF77A43B 18 rpqvwJNV9skJzWH6TyJakRcMSCzn1hrBP9 2588 78124D5741A8C923BCD4A6809B1E2D09AB596F944623C97E28414164C16B26B7 19 r4rCiFc9jpMeCpKioVJUMbT1hU4kj3XiSt 244401 7B756E3D2E9F1D56927923D491FD7ED586C027AA2F34B2946799A4D0923B6E13 20 rPCFVxAqP2XdaPmih1ZSjmCPNxoyMiy2ne 574426 885617C50CF625BD0179F3F8F6E3923DD971A70C115AF71999753DAE05EF863C 21 rfCFLzNJYvvnoGHWQYACmJpTgkLUaugLEw 5440938 A1EE0FDBFC6CFB386C54CDA8F8A1247A6F748BC50090FB2A00929FEC33673832 22 rHaLk9zSC1JPmbDiWAgWTgjcEacHzGbqf 217830 A5E0AAD9C0433FC4E8BB59DC94FB2C6B119F54E1F1A0737BC3E31E9C3701EFAC 23 rn3x9UZcrb6tEWzu7nXSMEtJsHX2tT6xuF 244287 AFA03913F8C1DE800D8F0230F1C3048F8D6F81C6E9AC7ACB1F10AA59C7F70C0C 24 rfZ4YjC4CyaKFx9cgzYNKk4E2zTXRJif26 385152 B736FE19327C0E0A69B286C5FA200EA7AECDE0498E9DE8C21B70980DF0031139 25 rfCFLzNJYvvnoGHWQYACmJpTgkLUaugLEw 5440939 B85B2CFD61C26B65F13D26778C503C54E26DE204C5171C29BBB10C9220BBEB39 26 r4rCiFc9jpMeCpKioVJUMbT1hU4kj3XiSt 244402 B86DAD614BB672C0F5028DDE41E7B8C2A68985091D040060664966DA2A767441 27 rDaMQ1kD7E2xjQUBK2ghaebRFqQ5jZ1FFA 224819 C5F0C886C195FDDA7190A3D2439B67607ECB576498F28A5F34F4D1FC1BBE07B2 28 raT8RBKLgP3WmKtCy5TWjcUrPUBEBfgJ3k 129519 C8313039F341ECD699D8199FFD8FF9223A9548C7B187E5F77EB1F9C4F6FB21AA 29 rfTiZ53FW6aXcY9TFXQbZMsHQeP4h6Dgkh 395873 F2CB2930BF5F15B19D5AF952B4832A01905EA71A764510F8B05A9DA0A49FDD02 30 rfU3YWd1TnYryvryQTQ9xwyCSqzMTbnyW6 450206 9E92505E21304EF2016401E2FE0C9197B55977BEDAC1B99D14C31FF1AF32D54E 31 r4rCiFc9jpMeCpKioVJUMbT1hU4kj3XiSt 244403 B43690DBF69479AB3D848BBA5E777DE53255D12D419CCD3F1B9D4AE8DD91D99F 32 r4rCiFc9jpMeCpKioVJUMbT1hU4kj3XiSt 244404 2731280F64FF4FC8B76280BE674D1EB38635EC7FFEC88237AB4A16CBD2A3A597 33 r4rCiFc9jpMeCpKioVJUMbT1hU4kj3XiSt 244405 16FDA2B9C38AC42D8D8C3211D49CDF358BA58180100ABBA988C77A5050A807BB 34 rPCFVxAqP2XdaPmih1ZSjmCPNxoyMiy2ne 574427 2E77F446844242DD0D350A8281996B1B65EC25CD6C421C4262B05D91563CE771 35 rfTiZ53FW6aXcY9TFXQbZMsHQeP4h6Dgkh 395874 82AEEB52DB86DD92A506C44F34F5AB59ED21ED06320B0E895517718D6A01CE7F 36 rfTiZ53FW6aXcY9TFXQbZMsHQeP4h6Dgkh 395875 95C7CCD5F22C1053EB1114346776C589192545FDB8F74891EA1E0A57E427F0BA 37 rfZ4YjC4CyaKFx9cgzYNKk4E2zTXRJif26 385153 68930C664F756F3447CB3E14CB52D01C2DFA72570DC4A0AD375B9291559E54B9 38 rfZ4YjC4CyaKFx9cgzYNKk4E2zTXRJif26 385154 2981CAB2C09D32D2A9640231DADF866C0708AAC7800F1CBCB5D723C306D8C3AF 39 rfU3YWd1TnYryvryQTQ9xwyCSqzMTbnyW6 450207 75151DDC65E013BF736BC78148B590B3F6C9C243559D96C35386EF0312F4D928 40 rfU3YWd1TnYryvryQTQ9xwyCSqzMTbnyW6 450208 896DEE1F537C2BE6FA0DF4775BEC8BD177668F1B7B34824E79BAFAAFA7CE4804 41 rfU3YWd1TnYryvryQTQ9xwyCSqzMTbnyW6 450209 210AAB246C1D49C6AC36E4D7539891CD32082159269F68324B17A38843537F8D 42 rfU3YWd1TnYryvryQTQ9xwyCSqzMTbnyW6 450210 D0FAE9BB1FEF7675D82F6F8D3F319F62D60A51F49E2EC14C515568876D676EA4 43 rfU3YWd1TnYryvryQTQ9xwyCSqzMTbnyW6 450211 C9882626D9AF34FCA09E56A14CD7528E0C97A91A4ADC981732F6B2F92A0D792F 44 rfU3YWd1TnYryvryQTQ9xwyCSqzMTbnyW6 450212 63F18D5ABF3C1ACBDDEEF988438C23AA2D919E47CBF7D601713A267B7EA4814D 45 rfU3YWd1TnYryvryQTQ9xwyCSqzMTbnyW6 450213 CD486E649516E10490C6CBCCDEF3487CAFDE05DD45CEB9317B19D1B86535E669 46 rfU3YWd1TnYryvryQTQ9xwyCSqzMTbnyW6 450214 4437EABCAA7BDFF75CDC97F913A6D1EA90E59FFD032B22A4E278AEA753110BAD 47 rfCFLzNJYvvnoGHWQYACmJpTgkLUaugLEw 5440940 030F0E810C2813CA8CD9B7F240E3026D1E871CF375A8466CEE0B268F088507A5 48 r2d2iZiCcJmNL6vhUGFjs8U8BuUq6BnmT 737234 163CE9D4FD2D846C161B2BA87E145A14A96DD9CA694CF70BDDE975FF39C404CB 49 r2d2iZiCcJmNL6vhUGFjs8U8BuUq6BnmT 737235 19752025CA06FD505839733B248064F54460A4077A7BADA12633CC35EBD60DA5 50 rPC4bKCkZn2uNS3AhFMcsazG9D95dJufFA 124710 DDF3E5C89C4D34502ECF5973AA5EB723CA6ADA3F9B6D5BA5FEFC4A1E0915C9C7 51 rPC4bKCkZn2uNS3AhFMcsazG9D95dJufFA 124711 B0FE03C3C0E6F010680866015AEB6BC36F25FBE5B9FB983D598D4FE5BA61978B 52 rPC4bKCkZn2uNS3AhFMcsazG9D95dJufFA 124712 07B8F5ADD3CADE1706AFC05313ECAFF10C5DF4350CD1798765EC1743E9D6B5D6 53 rPC4bKCkZn2uNS3AhFMcsazG9D95dJufFA 124713 04374A7D4D84F0B9DFFF0F7ADFCD2C450F70F37E712BD4268CA9995F568F2FA6 54 rPC4bKCkZn2uNS3AhFMcsazG9D95dJufFA 124714 FA19C9A89AD3AC34DE13197E62CD745E1E2D3B06C7DB036C33CF1D82AA908D17 55 rPC4bKCkZn2uNS3AhFMcsazG9D95dJufFA 124715 06F33A4A3FDC83094A395E52264FD04C99E75711A7062BAB7ED0083FC81D8F28 56 rPC4bKCkZn2uNS3AhFMcsazG9D95dJufFA 124716 3F7E2AC93989AB57BC30969E0284E2E1303EEA3DCD5F71483DF25069FD76F687 57 rPC4bKCkZn2uNS3AhFMcsazG9D95dJufFA 124717 FAB4183A845C47C008CBF103DC7CD1C97B7944DE2B8530A98A04CBBF3B456567 58 rPC4bKCkZn2uNS3AhFMcsazG9D95dJufFA 124718 F3E1173903A355797EFC4D2C8B48D6DAA5C5041112B412D6D31E4450E585F344 59 rPC4bKCkZn2uNS3AhFMcsazG9D95dJufFA 124719 AC9CFC8971B55E010217EBD164A1E3C5D3ED3A2A22EA4962219374BDD6F9ECF0 60 rPCFVxAqP2XdaPmih1ZSjmCPNxoyMiy2ne 574428 9BC622B074C2733B4EDFA15F62A16A20A605581CCE9623781C4D7C4C0B3C440C 61 rPCFVxAqP2XdaPmih1ZSjmCPNxoyMiy2ne 574429 06374FE96539789AA32C958057F4271E72B47FBBFCEA394AC46BF61F717D8E27 62 rPCFVxAqP2XdaPmih1ZSjmCPNxoyMiy2ne 574430 E10026EBE74A943E77C2047F048B749859BB39A7E98E28AF635E5108F340DDB4 63 rPCFVxAqP2XdaPmih1ZSjmCPNxoyMiy2ne 574431 FA3E5DF5EB9C677E9FD21337B1D588E4182585667D75E7C155F6B919E0CABD25 64 rPCFVxAqP2XdaPmih1ZSjmCPNxoyMiy2ne 574432 C6D8D316C8A76C2B35CAEFBD29DDC25D8A2BF381A708DE2A0FCE61FD1D491F3C 65 rfTiZ53FW6aXcY9TFXQbZMsHQeP4h6Dgkh 395876 D999CC183F9C9D591200A1E1CB5B0F7F853FF025CF7DB62E0C18230706D815E3 66 rfZ4YjC4CyaKFx9cgzYNKk4E2zTXRJif26 385155 4DFA74AE71F7003CB992D059DDE2B97410E85D1B3D496D17CD704FFEDDA6A224 67 rfZ4YjC4CyaKFx9cgzYNKk4E2zTXRJif26 385156 D9D3930B6DDF81BB4E4F724708FFBC6FF231791B25F1927BEEB23699A80A47C5 68 rfZ4YjC4CyaKFx9cgzYNKk4E2zTXRJif26 385157 4D94E196976861C3E9CFB7727E28EC70145485D868B69C08D191CAC0AAA5D9E0 69 rfZ4YjC4CyaKFx9cgzYNKk4E2zTXRJif26 385158 B21FD6EE4F006ED839E3876C5078B5B01F6A75A872A278ECF4774BF624C0A33E 70 rn3x9UZcrb6tEWzu7nXSMEtJsHX2tT6xuF 244288 EA9B32D8DC4C6EE45AD9FDB8078734C5AE922CF174108E7D7DA42188B2A8F9C8 71 rn3x9UZcrb6tEWzu7nXSMEtJsHX2tT6xuF 244289 BAC6BE3AA19ECFD73A0296B9AFFF3AAF2D685C4C85B1E0E9BBC50361EABD16EC 72 rn3x9UZcrb6tEWzu7nXSMEtJsHX2tT6xuF 244290 8312E8C18FC886B0097B8382DE1D175A334F4D9A7FBF6C4CB176EB8C682139D7 73 rn3x9UZcrb6tEWzu7nXSMEtJsHX2tT6xuF 244291 DFBCD7C92B523B23F30F0AD891C826038857F957B70F22B57E95FE68687A9B47 74 rn3x9UZcrb6tEWzu7nXSMEtJsHX2tT6xuF 244292 D545D29699E2C739F74EA54E47173B766594ABA92C675A5A851D10F1518D2625 75 rn3x9UZcrb6tEWzu7nXSMEtJsHX2tT6xuF 244293 878CCE1456A776A422CCA6D63552A58B37DC556FA2652C73088F66F4E7FFF93E 76 rn3x9UZcrb6tEWzu7nXSMEtJsHX2tT6xuF 244294 6741CED9D585CEADCB0B1953F3A3AA40916579E3874F4CDA5F4C11364C2CA7A9 77 rn3x9UZcrb6tEWzu7nXSMEtJsHX2tT6xuF 244295 2A1CAFBE7ACBA2876243D1090CFFC1A7EC543C6E55C0D3C911E09B4C05E7DB6D 78 raT8RBKLgP3WmKtCy5TWjcUrPUBEBfgJ3k 129520 818899490B360D3C83693CAE057DBE0F90589EC942B0D203FBB12D769A0EDD59 79 raT8RBKLgP3WmKtCy5TWjcUrPUBEBfgJ3k 129521 1E2325594547696BF988358C9CD2A31B9D997895307DCADDFCE396D4B70BA1EC 80 raT8RBKLgP3WmKtCy5TWjcUrPUBEBfgJ3k 129522 AB886755511D069CC086E61194EF563B69881B69320DBFCB464B17EACAEF6204 81 raT8RBKLgP3WmKtCy5TWjcUrPUBEBfgJ3k 129523 5DABC2F63D0B2E98310C499377CEE8FFFAC9DB2A61DFDDA7C3AD545CC1E5AB87 82 raT8RBKLgP3WmKtCy5TWjcUrPUBEBfgJ3k 129524 73015BF2D2991633636A380487B36DF448F281995ECEB0EAA31ABFAFDF9F0523 83 raT8RBKLgP3WmKtCy5TWjcUrPUBEBfgJ3k 129525 72CDB07181629CAAD7C68374AAA3E1CC0418326A9BD7C5502EE20987950CEAB2 84 raT8RBKLgP3WmKtCy5TWjcUrPUBEBfgJ3k 129526 1ACCAFF7797275B81BB209554005E6AA357042D488DB41ACD8FC6C32F7579F5E 85 raT8RBKLgP3WmKtCy5TWjcUrPUBEBfgJ3k 129527

To summarise and generalise the exploit, to get your trade(s) considered first in a ledger, make sure that your transaction ids are as low as possible, using a nonce (SourceTag, Memo or tiny fractional amounts on TakerPays or TakerGets), and make sure the order of the transaction ids matches the order of the account sequence field to avoid relegation to the retriabletransactions doghouse at the end of the ledger.

Large Trade Front Running

As discussed at length in the book Flash Boys, given enough relative time advantage, it is possible for one actor to discover a large trade and execute other trades in advance to take advantage of that initial trade executing, often to the disadvantage of the original trader. This is a controversial topic that has created much anger directed towards High Frequency Trading. Ripple is hardly suitable for HFT, but it does share one thing in common with HFT markets, and that is that there is latency between a trade being known to the network and it being executed and applied to a closed ledger. Given the previous exploit of being able to manipulate transaction order a slightly more terrifying exploit presents itself:

Monitor all incoming proposals for OfferCreate transactions.

Check funding of transaction against in memory, up to date record of all account balances (using ledger_data and AffectedNodes).

If OfferCreate crosses completely at least one other Offer, create an OfferCreate transaction A to fully consume the first existing Offer. Create OfferCreate transaction B to sell acquired asset at the price of the next highest Offer in the same order book minus a very small fractional amount.

Set LastLedgerSequence for A and B to be current ledger+1.

for A and B to be current ledger+1. “Mine” a transaction id for B which is less than the transaction id of the incoming proposed transaction, but as close as possible.

“Mine” a transaction id for A which is less than the transaction id of B, but as close as possible.

Submit A and then B.

The above exploit effectively lets you buy an asset and then sell it at a higher price with the assurance that it will be bought in the same ledger. The effect of this will be that the original buyer will receive less of the asset than he or she might have expected. The wider the gap between the funded tip of an order book and the next funded offer, the greater the profit. The exploit could be extended to consume multiple offers dependent on the size of the incoming proposed transaction. There are risks to the strategy, in that it possible that the incoming proposed transaction might not make it into the expected ledger (disputed process) but experimentation would probably provide more data on that likelihood. This exploit is unexploited by the author.

Risks, Mitigation And Observations

The two above exploits would very likely undermine public confidence in a market as operating “fairly”. Defining fair is a hard task, especially in a distributed context where latencies are wildly variable. There is no such thing as strict time ordering on a global scale of independent machines each with their own clock and network routes to each other. However, the current system clearly favours those with an understanding of the protocol’s signature generation scheme.

What’s a better solution? Well, strictly ordering by Account and then Sequence with the Account order seeded by a root hash of all other transactions to be considered makes a lot of sense, as any new transactions changes the order for all other transactions and is very hard to know for certain unless your transaction is the last one to be submitted to the network in time for that particular ledger. Why this isn’t the case already is a source of confusion. Perhaps the end of ledger “reshuffling” is an attempt to solve the order of dependent transactions, for situations such as a funding payment for an account and that new account creating an Offer in the same ledger. Disallowing edge case scenarios like that would certainly simplify things.

The key observation and suggestion I’d like to make is that it is perfectly reasonable for a trader to want to make a series of transactions which are dependent on the outcome of the previous one, to take advantage of opportunities such as arbitrage. However, the current unpredictability of which transactions will succeed and which will fail means that there is a high chance of getting stuck with an undesired asset, which is why this exploit is so useful. It vastly increases the chances of success of all transactions based on a fixed model of the previous ledger. However, it would be preferable and more “fair” for the chain of transactions to always all succeed or all fail, and the chance of success is based on a lottery of account ordering. To achieve this requires a unit of atomicity greater than a single transaction.

Payments, on paper, are meant to offer this. But they don’t have much flexibility at all. As far as I have been able to determine, creating custom paths which hop between more than two order books is impossible. The condition of using an account with rippling enabled as an “in-between” stage is nonsensical when the trader does not at any point want to hold the “in-between” asset. It seems like an awful lot of complexity was added to facilitate the idea of temporary credit in payments, but is poorly understood, hardly documented and used by very few people and results in not very much gain. Study of the ledger history shows that Dan Miller/pigeons is about the only person who really tries to make use of it.

What would be much more ideal is being able to submit a batch of OfferCreate transactions which either all succeed or all fail. Either that, or Payments are modified to support circular paths along up to say 16 order books without the need for rippling enabled intermediaries. Payments are better in the sense that they have support for the flag combination tfLimitQuality|tfPartialPayment|tfNoDirectRipple , which is exactly what an arbitrageur would want if it actually worked for a circular path!

There is some discussion here: RIPD-829 but the explanation doesn’t really add up. If the author can calculate a sequence of offer amounts that take the maximum available liquidity from a chain of existing offers, why can’t rippled? The only challenge for the arbitrageur should be then to find the best possible paths, initial input amounts and minimum expected gain (sendmax/amount ratio) and see if anyone else’s payment with the same path gets picked first by virtue of the account ordering. An extra benefit of this would be much reduced transaction size, many OfferCreates reduced to a single Payment.

In The Wild

The author has demonstrated that the transaction ordering can be fixed with two accounts. Initially roverTeW1kfwHb9WZyoJW9M6sP4nC6BuJ used ECDSA signatures to “spin/mine” transaction ids that ensured best placement in a ledger to exploit arbitrage opportunities. It soon became apparent that EdDSA would offer even faster creation of desired transaction ids and so rapido5rxPmP4YkMZZEeXSHqWefxHEkqv6 made use of these features:

ed25519.go signature.go

Within the space of a few weeks around 900 XRP has been turned into 57,737 XRP, “unfairly” displacing other arbitrageurs’ chances of success in the process. The next obvious question is whether this exploit is known to others. The answer is yes:

SELECT MIN(LedgerSeq),MAX(LedgerSeq) FROM Transactions; MIN(LedgerSeq) MAX(LedgerSeq) -------------- -------------- 13243962 13483930 Unfortunately not much history... SELECT Account, SUM(Zero), SUM(NotZero), COUNT(*), CAST(SUM(Zero) AS REAL)/CAST (COUNT(*) AS REAL)*100 As Percent FROM( SELECT FromAcct AS Account, CASE WHEN SUBSTR(Transid,1,1)='0' THEN 1 ELSE 0 END AS Zero, CASE WHEN SUBSTR(Transid,1,1)='0' THEN 0 ELSE 1 END AS NotZero FROM Transactions ) GROUP BY Account HAVING COUNT(*)>32 ORDER BY Percent DESC LIMIT 30; Account SUM(Zero) SUM(NotZero) COUNT(*) Percent ---------------------------------- ---------- ------------ ---------- ---------------- rapido5rxPmP4YkMZZEeXSHqWefxHEkqv6 17924 2 17926 99.9888430213098 roverTeW1kfwHb9WZyoJW9M6sP4nC6BuJ 6512 67 6579 98.9816081471348 r3pFpfYfCoj9Sm5cpRwc4iD4mFPoF9HDVf 36 8 44 81.8181818181818 r2d2iZiCcJmNL6vhUGFjs8U8BuUq6BnmT 1195 3604 4799 24.9010210460513 rBApdygJewirS7hmF3rsSDfN9VvLiJ4uM8 6 28 34 17.6470588235294 rwzNnh868djfPPsN77GYwH8xYbiAXoKW3E 7 34 41 17.0731707317073 r93NwTGcTMXVAJmujHHYihezSxPLuRym5M 5 29 34 14.7058823529412 r4PowrZ7KZw83oWDYxzY82ht2kgDmFUpB7 8 48 56 14.2857142857143 raL1xU5rggQZ8cw1MUhiVRF7NzNsy7UyLB 9 55 64 14.0625 r42Ccnr9HS77UciZ8kkUe3dRsY7tXqm5M3 6 37 43 13.953488372093 rhotcWYdfn6qxhVMbPKGDF3XCKqwXar5J4 5 31 36 13.8888888888889 rHDQcQNWTV1jrBNyLJoeYDiL7Z9CbPyjLF 6 38 44 13.6363636363636 rBRXcf7BYs2CN7GfAAXjLQPEh7d46BP9RE 5 32 37 13.5135135135135 rUgsWsFYsLJwK1YCJHqofX9Sd9oVA6mgMe 5 34 39 12.8205128205128 rJRi8WW24gt9X85PHAxfWNPCizMMhqUQwg 15 106 121 12.396694214876 ra94ZuJRF8yt6Yv7GvwDoNcdaQKV5zLhnZ 7 50 57 12.280701754386 rrsGUZnvUE5jiG1jw1YpSLz8fPz7QNYBNL 5 36 41 12.1951219512195 r9JvBskaY32NQxHjEz63eJXfx9tQrSdrdr 12 88 100 12.0 rhWFasnjCuk2unVvAmqtArhYux6MNb1FUY 9 66 75 12.0 rHsZHqa5oMQNL5hFm4kfLd47aEMYjPstpg 29710 218477 248187 11.9708123310246 rHJ7KLBwbGL1Nxv15zWucqMsKDs2793cRe 5 37 42 11.9047619047619 r3cw8TWbYnsJuMKs5jnLUzsq9NBNo41E2Y 6 45 51 11.7647058823529 rhBUWH1rM8EzY3E1CN186CkTZ2KPv7pvke 8 61 69 11.5942028985507 rH5vgPUmMU5yyroKMEYUqrjjZBjrBU91hV 6 46 52 11.5384615384615 r47GLMFhJPjshD65J8TJSWZJzM3jPHcJdZ 7 54 61 11.4754098360656 rBAfbNiNHNrdbSPrxy28S5C3oZsXkgWbVy 4 31 35 11.4285714285714 raRt2xRmnnLGWYXD5VqtqKfuy4KM324Q3g 5 39 44 11.3636363636364 r429uRzCoM48x9JFaqyefwKJ9GQNrnceRb 24 192 216 11.1111111111111 rEwy79WnbBb2TxERquM1sotKUy5TLkeVZQ 6 48 54 11.1111111111111 rK3hATVGb61XjjUFTG1q9UUAzAoDufhmoo 8 64 72 11.1111111111111

Accounts with small transaction counts would be expected to turn up in a normal distribution of the transaction id front nibble, the expected median percentage being 6.25%. This query would be much more conclusive with more history (and even better in a real SQL database that has UNHEX()) but the accounts that are definitely “spinning” to some degree on transaction ids include:

rapido5rxPmP4YkMZZEeXSHqWefxHEkqv6 Author’s EdDSA arbitrage bot roverTeW1kfwHb9WZyoJW9M6sP4nC6BuJ Author’s ECDSA arbitrage bot r3pFpfYfCoj9Sm5cpRwc4iD4mFPoF9HDVf Possible trade front-runner r2d2iZiCcJmNL6vhUGFjs8U8BuUq6BnmT Another arbitrage bot rHsZHqa5oMQNL5hFm4kfLd47aEMYjPstpg One of the most frequently appearing market-making bots

Conclusion

To ensure confidence in the Ripple network operating fairly the above described two exploits should be made impossible by fixing the transaction ordering to prevent unfair transaction placement for canny operators. Perversely, the desire to save energy by not using proof of work to agree on ledger outcomes has been countermanded by an exploit that uses the same concepts to “mine” transaction ids.