- Justcoin failed to properly implement code to process deposits setting the tfPartialPayment flag, which was already documented on the Ripple wiki before Justcoin existed. The payment transaction type only supports three flags. Even if the documentation did not include a screaming warning, one would think a gateway developer would test the limited payment flag options to see what happens. The Justcoin deposit code could have also succeeded by using or double checking against the transaction metadata containing the before and after balances.
- Justcoin failed to only keep a small portion of the exchange's funds in their hot wallet. In a June interview, Justcoin described how over 90% of funds were in cold storage, yet they are freezing 23.27% percent of XRP deposits. That's a 13.27% discrepancy.
- Justcoin failed to ensure that the balance of user deposits credited in their exchange's database matched the funds actually held in their Ripple and Stellar accounts. The nice thing about open ledgers is that you can query them to perform an instant audit and reconciliation with your exchange's database. Disabling deposits when the two values are in disagreement prevents these kinds of problems.
- Justcoin failed to either impose withdrawal limits on accounts or to flag unusually large transactions for manual approval. Mitch Ratcliffe once said, “Computers have enabled people to make more mistakes faster than almost any invention in history, with the possible exception of tequila and hand guns.” There is a place for manual review of extreme withdrawals, and it can be done in a way that does not impose much delay.
Other gateways, and Ripple has well over two dozen now, said that someone attempted to hack them the same way that Justcoin was hacked, however they lost no funds because they they implemented stronger controls.
