Peter Todd’s Criticism of Ripple
In a recent statement on social media, Peter Todd, a leading Canadian developer in the Bitcoin community who was named as a candidate for the identity of Satoshi Nakamoto in a 2024 HBO documentary, expressed strong criticism of Ripple. His comments came after a significant security flaw, described as a backdoor, was discovered in the JavaScript library used by the XRP Ledger (XRPL). The issue echoes warnings Todd issued nearly a decade ago about the potential for exactly this kind of vulnerability.
Security Flaw Concerns
According to U.Today, David Schwartz, Ripple's Chief Technology Officer, has sounded the alarm about the malicious code found by Aikido Security in the library. The injected code transmits private keys to an untrusted domain, putting anyone running affected versions of the XRPL software development kit (SDK) at risk of theft.
Previously, Todd had released a paper voicing concerns over Ripple's security, in particular the absence of a cryptographic PGP signature that would authenticate its code. Without that verification, an attacker could in theory inject harmful code and distribute counterfeit versions of the software. The breach Todd warned about has now materialized: the NPM platform faced a compromise that led to the backdoor described above. In a nod to the validity of Todd's caution, Schwartz conceded that the threat he identified did indeed hold true as of February.
Broader Security Practices
While discussing security practices, Todd also conceded that his own software library, python-bitcoinlib, currently lacks PGP signing, attributing this to the Python Package Index (PyPI) having phased out support for PGP signatures.
“In fairness, my python-bitcoinlib library isn’t PGP signed for most users because PyPi made the idiotic decision to phase out PGP signatures. But my hands are tied on that; the entire software industry is incompetent,”
he declared, indicating a broader concern about security practices in the tech community.