CERIAS - Center for Education and Research in Information Assurance and Security


Mind Your Credit: Assessing the Health of the Ripple Credit Network

Pedro Moreno-Sanchez - Purdue University

Mar 21, 2018


The Ripple credit network has emerged as the payment backbone with
indisputable advantages for financial institutions and the remittance
industry. Ripple’s market capitalization is currently third only to
Bitcoin and Ethereum. Its path-based IOweYou (IOU) settlements across
different currencies conceptually distinguish the Ripple blockchain
from the cryptocurrencies (such as Bitcoin) and makes it highly suitable
to an orthogonal yet vast set of applications in the remittance world
and beyond.

In this talk, I present our recent study of the structure and evolution
of the Ripple network since its inception, and our research results
regarding its vulnerability to attacks that harm the IOU credit of its
wallets. We find that about 13M USD are at risk in the current Ripple
network due to inappropriate configuration of the rippling flag on
credit links that paves the way to undesired redistribution of credit
across those links. Although the Ripple network has grown around a few
highly connected hub (gateway) wallets that make the core of the network
and provide high liquidity to users, such credit link distribution
results in a user base of around 112,000 wallets that can be financially
alienated by as few as 10 highly connected gateway wallets. Indeed,
today about 4.9M USD cannot be withdrawn by their owners from the Ripple
network due to PayRoutes, a gateway tagged as faulty by the Ripple
community. Finally, we observe that stale exchange offers pose a real
problem, and exchanges (market makers) have not always been vigilant
about periodically updating their exchange offers according to current
real-world exchange rates. For example, stale offers were used by 84
Ripple wallets to gain more than 4.5M USD from mid-July to mid-August
2017. Our findings should prompt the Ripple community to improve the
health of the network by educating its users on increasing their
connectivity, and by appropriately maintaining the credit limits,
rippling flags, and exchange offers on their IOU credit links.

About the Speaker

Pedro Moreno-Sanchez is a PhD student in the Department of Computer
Science at Purdue University. His advisor is Prof. Aniket Kate. His
current research focuses on the areas of security, privacy and
reliability of credit network based systems such as Ripple. Previously,
he also worked on network access control in distributed scenarios such
as eduroam.

Before moving to Purdue University in August 2015, he started his PhD
studies at Saarland University in 2013 under the supervision of Prof.
Aniket Kate. Previously, he was an intern researcher at IBM Research -
Zurich (Switzerland) in 2017 under the supervision of Christian Cachin;
at Ripple (USA) in 2016 under the supervision of Stefan Thomas; and at
Philips Research Europe (The Netherlands) under the supervision of Oscar
Garcia-Morchon and Rafael Marin-Lopez. He received his bachelor's and
master's degrees from the University of Murcia (Spain) in 2011 and 2013, respectively.

Unless otherwise noted, the security seminar is held on Wednesdays at 4:30 P.M. in STEW G52, West Lafayette Campus.

