Skip to Content

Here’s the Biggest Security Threat to the World’s Third-Largest Cryptocurrency

Transactions on the Ripple cryptocurrency network are entirely transparent. That clearly reveals the network’s strength—and its weaknesses.

“Six degrees of separation” is a phrase that sums up the social network phenomenon. The idea is that anybody on Earth can link themselves to anybody else in only six jumps. Network scientists have long studied this counterintuitive “small world” phenomenon, using it to send postcards and e-mails around the world.

At the core of these networks are the links that humans develop with each other and the fact that links between friends and associates are much stronger than links between strangers.

And that raises an interesting possibility: instead of sending postcards or e-mails via these trusted links, why not use them to send money? The idea is that while we might be unwilling to make a deal with somebody we do not know, we might instead be willing to make a deal a friend, who makes a deal with their friend, and so on until the funds reach the intended recipient.

It turns out that just such a financial network already exists in the form of Ripple. This is a payments network in which users make connections to other users they trust and agree to allow the transfer of funds between them.

But a key feature of this network is that when a user has connections to two others, the amounts entrusted to each can vary while the total is kept constant. This creates liquidity: it allows funds to travel, or ripple, around the network. And the user receives a small payment for acting as the intermediary.

Ripple’s big selling point is the low cost of making a transaction—users pay a small fee to send money but significantly less than with other forms of money transfer.

Ripple has become an important player in the new world of cryptocurrencies. A wide range of banks and other financial institutions have begun to play with it along with numerous individuals. The result is that Ripple’s market capitalization is now third in the cryptocurrency world, behind Bitcoin and Ethereum.

Interestingly, all the transactions on Ripple are recorded securely using cryptographic methods and cross-checked regularly. And the transactions are entirely transparent, which opens the way for detailed analysis of the network and its properties.

Enter Pedro Moreno-Sanchez and pals at Purdue University in West Lafayette, Indiana. These guys have used this openness to study the structure of network for the first time and how it has evolved since it was launched in 2013. More interesting, though, is their analysis of the vulnerabilities the network has developed.

Ripple forms a credit network in which users—or their ripple wallets—are nodes and the links between them represent the amount of money each owes the other. So the links have a weight and a direction. Moreno-Sanchez and co downloaded the data associated with the wallets and credit links at the end of each year from 2013 to 2016.

The analysis makes for interesting reading. At the end of 2016, the Ripple network consisted of 100,000 wallets and 170,000 credit links. The network has grown considerably—by a factor of 6.6 since 2103 in terms of the number of wallets.

In that time, the network structure has remained remarkably constant. In 2013 each wallet was connected on average to 3.12 others. In 2016 that number was 3.53.

The team also studied the most common pattern of connections. Some nodes can act like banks by holding real funds and giving the owners credit on the network (and indeed many are banks in the physical world). These are called gateways, and the typical network structure is that wallets connect to gateways (rather than to each other).

There is also a broader community structure, which is geographically determined. This is because users must pass certain types of legal identity tests to link to a gateway, and these are usually based on locally available documents such as passports, etc. So users in China tend to be connected to other users and gateways in China, similarly for users in Europe and more recently, those in Israel, which has recently become one of the biggest communities in the network.

But Moreno-Sanchez and co have also studied the network’s vulnerabilities, and these are more concerning. Small-world networks are known to be highly resilient to attack. That’s because the network survives more or less intact when important nodes are removed because there is usually some other way to move through the network.

So how vulnerable is the Ripple network? One important measure of a financial system’s health is its liquidity—how easy it is to make a transaction. By this metric, Ripple scores well. The core of the network—the gateways, many of which are conventional financial institutions—is highly liquid.

The team also simulated the effect of removing important nodes, such as gateways from the network. This simulates a malicious attack of some kind or a broader financial meltdown. In this case, wallets connected only to these gateways become isolated without access to their funds or to other wallets.

A significant number of wallets are vulnerable in this way. “Around 50,000 wallets are highly vulnerable to disruption by as few as 10 wallets,” say Moreno-Sanchez and co. “And their credit with the gateways (a total of 14,338,105 USD) is at risk.”

That’s a significant amount of money. The solution is simple—these wallets need to become more connected. “Users can be affected by the disruption of a handful of nodes, and hence are advised to add credit links,” say the team.

That’s interesting work that shows the resilience of this kind of network as well as a weakness. But that shouldn’t necessarily be thought of as a negative thing. The ability to identify weaknesses is the first step in correcting them.

Indeed, the inability to detect weaknesses is one of the main problems associated with the conventional world of banking. For that reason, Ripple and other networks like it surely have a promising future.

Ref: Mind Your Credit: Assessing the Health of the Ripple Credit Network

Keep Reading

Most Popular

It’s time to retire the term “user”

The proliferation of AI means we need a new word.

The problem with plug-in hybrids? Their drivers.

Plug-in hybrids are often sold as a transition to EVs, but new data from Europe shows we’re still underestimating the emissions they produce.

Sam Altman says helpful agents are poised to become AI’s killer function

Open AI’s CEO says we won’t need new hardware or lots more training data to get there.

A brief, weird history of brainwashing

L. Ron Hubbard, Operation Midnight Climax, and stochastic terrorism—the race for mind control changed America forever.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.