
Peter Todd, a leading Canadian Bitcoin developer and prominent Satoshi Nakamoto candidate, has criticized Ripple after a backdoor was discovered in the JavaScript library of the XRP Ledger (XRPL). This vulnerability, which Todd had warned about a decade ago, allows attackers to steal private keys, which the backdoor sends to a suspicious domain.
Ripple CTO David Schwartz confirmed the presence of malicious code in compromised versions of the XRPL software development kit (SDK), acknowledging that the security warning raised by Todd was valid at the time it was issued in February. The exploit enables attackers to capture private keys, posing a serious threat to users relying on the compromised SDK.
Todd previously highlighted Ripple’s lack of cryptographic PGP signatures on their code, warning that this absence could facilitate malicious code injection. Ironically, this risk materialized with a recent NPM compromise that introduced the backdoor into the XRPL JavaScript library.
Despite his critiques of Ripple, Todd admitted that his own Python library similarly lacks PGP signatures because the Python Package Index (PyPI) discontinued support for them. He blamed this on broader industry incompetence, stating, “PyPI made the idiotic decision to phase out PGP signatures,” leaving developers like himself without viable options to secure their code distribution.
This episode spotlights ongoing security challenges in the cryptocurrency ecosystem, emphasizing the critical role of code signing and secure software distribution methods. As the industry evolves, it raises important questions about best practices for protecting users against stealthy attacks hidden within essential development tools.