Just added Heavycoin to Poloniex:

https://poloniex.com/exchange/btc_hvc

Just added PiggyCoin to Poloniex:

https://poloniex.com/exchange/btc_pig

Brief update.

I have begun working with a few developers on tightening up Poloniex's code. An improvement to the front end has already been published (Balances page). The first payout returning stolen BTC went through yesterday.

Also, I have just launched a bug bounty through crowdcurity.com. Details here: https://www.crowdcurity.com/users/poloniex/programs/poloniex-1de59

My apologies to anyone still waiting on support tickets. If you've been waiting several days for a response, please feel free to send a reminder, as I believe we're not that far behind.

I have just started a bug bounty for Poloniex (https://poloniex.com) through crowdcurity.com. Please see the details here:

https://www.crowdcurity.com/users/poloniex/programs/poloniex-1de59

In short, you can get 2 BTC for finding a critical security flaw, and smaller amounts for less critical flaws.

GRC has been frozen on Poloniex for some time now--PM'd you about a compile error.

Just wanted to let people know that the exchange and the wallet are in balance, and the market is only frozen until I can get the wallet compiled.

I'd just like to emerge from the woodwork and say that I am still working very hard on things. There are loads of support tickets to get through, and I've been cleaning up code and making under-the-hood improvements, as well as monitoring usage and keeping a much smaller amount in the hot wallet than before, which requires watching when there is a general trend of withdrawing. I've also begun searching for developers, and I've begun talking to a few already. The first payout returning stolen BTC will occur this weekend.

Not sure. The client is refusing to send any coins anywhere. I've contacted the devs, we'll work it out. Everyone's coins are safe--extra safe, since they can't be sent right now.

Login issues were probably due to the database server getting low on free space. Everything should be fine now.

Sorry that I have not been able to personally attend to any support tickets today. I will get to them tomorrow. Withdrawal mechanism was redesigned, now all withdrawal requests are processed centrally from a global command queue. I will be hiring additional developers as soon as possible.

Oh, and I will also add an area on the Balances page that lets you know exactly how much BTC is currently withheld.

I will begin searching for developers and security programmers tomorrow. In the meantime, the system that takes withdrawals has been redesigned--withdrawal requests are now added to a global command queue, and the queue is processed sequentially.

I've been working on various aspects of the exchange for twelve hours straight, and am a bit exhausted. I will send out an email to all users tomorrow and direct them here so they can give their input before a plan is officially laid out.

Looks like people agree. BTC will be unfrozen relatively soon, then.

The bug can no longer be used to withdraw due to hot fixes. The bug will be squashed entirely via a functionality redesign in a few hours.

Please vote at this poll: https://bitcointalk.org/index.php?topic=500578

I just want to make sure we don't prefer option 3 before opening withdrawals, otherwise it's ready.

I'm ready to resume functionality so that people can withdraw. Before I do, I wanted to make sure people wouldn't prefer a different option for recovering funds, namely #3. The reason why this might be desirable is that it allows for everyone to have all of their balances right away. People who want their funds quickly can covert to an altcoin and withdraw the altcoin. This would have a side effect of pumping altcoins and probably increasing trading volume, which would bring in more exchange fees to cover the debt.

Hot fixes are in place and withdrawals are safe now. As soon as withdrawals are opened, I will start right away on converting withdrawal queuing to a sequential method. This may take a few hours--please post below if you would prefer I do this before opening withdrawals.

(Sorry I didn't post the message on the Balances page until so late . . . been working hard to sort out the mess and get withdrawals going as quickly as possible.)

I have decided NOT to raise exchange fees, as that is essentially making the users pay for this out of pocket.

I would like to thank everyone for their support and understanding. It really means a lot. Having other people's money taken under my watch has made me feel just about as awful as I've ever felt in my life.

I think I should have a poll to determine how to pay the funds back. Here are the options I'm thinking:

1. Pay back over time with exchange fees.
2. Same as #1, but raise fees to expedite.
3. Sell shares of Poloniex to cover the debt; dividends paid regularly.
4. Award such shares to everyone immediately and consider that repayment.

Let me know if I'm forgetting an option here.


About recent deposits--it really wouldn't be fair to deduct deposits made after the BTC was taken. Obviously I should have posted a notice on the Balances page, but it is not difficult to make an exception for recent deposits.

I will be hiring a security programmer after this is dealt with.

All deposits, withdrawals, and markets are functioning normally. No further BTC will be deducted from anyone's balance.

On March 4th, 2014, about 12.3% of the BTC on Poloniex was stolen.

How Did It Happen?

The hacker found a vulnerability in the code that takes withdrawals. Here's what happens when you place a withdrawal:

1. Input validation.
2. Your balance is checked to see if you have enough funds.
3. If you do, your balance is deducted.
4. The withdrawal is inserted into the database.
5. The confirmation email is sent.
6. After you confirm the withdrawal, the withdrawal daemon picks it up and processes the withdrawal.

The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time. This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon.

What Did Poloniex Do Wrong?

The major problem here was that withdrawals should have been queued at every step of the way. This could not have happened if withdrawal requests were processed sequentially instead of simultaneously.

Additionally, auditing and security features were not explicitly looking for negative balances. They add deposits and withdrawals and check that accounts are in balance. If you have 2 BTC, withdraw 10 BTC, and are left with -8 BTC, the software would see that you deposited 2, withdrew 10, and have exactly what you should: -8.

What Did Poloniex Do Right?

The existing security features noticed unusual withdrawal activity and froze BTC. That is how the activity was discovered.

What Happens Now?

I take full responsibility for this and am committed to repaying the debt of BTC. The exchange funds are 12.3% short. Because there is not enough BTC to cover everyone's balances, all balances will temporarily be deducted by 12.3%. Please understand that this is an absolute necessity--if I did not make this adjustment, people would most likely withdraw all their BTC as soon as possible in order to make sure they weren't left in that remaining 12.3%. Aside from the obvious drawback of most of the BTC being taken out of the exchange, this would not be fair--some people would get all of their money right away, and a few would get none right away.

The amount deducted from everyone's balances will be recorded, and funds raised from exchange fees, as well as donations from my own pocket (which is not very deep, I'm afraid), will be distributed regularly to all users who have had BTC deducted. Exchange fees will be raised to expedite the recovery of the debt. 1.5% has been suggested by many people, but I will take input on this. Exchange fees will not be raised.

If I had the money to cover the entire debt right now, I would cover it in a heartbeat. I simply don't, and I can't just pull it out of thin air.

What Will Be Done to Prevent Further Exploits?

Withdrawals and order creation have been switched to a queued method, where the first step is to add the task to a global execution queue that is processed sequentially. Each step of critical database operations is verified before proceeding, and such operations are in the process of being converted to transactions. I have hired additional developers to help with tightening up security at Poloniex, as well as created a bug bounty.

-----

In conclusion...

I sincerely apologize for this, and I am very grateful to the many people who have already expressed their support and belief in my character. I take full responsibility; I will be donating some of my own money, and I will not be taking profit before the debt is paid.

I welcome your opinions on how to proceed, but please be constructive. I do not have the money to wave away the debt, so we'll need to work together.

Market added: https://poloniex.com/exchange/btc_nrs

If someone can send me a bit for testing, I'll get this up on Poloniex soon. Address: 9ipdrQv1c1SydxPJx9b1m3gRfFAp86jsoW

Also, what is the block time?

I just saw this thread.

First of all, I really can't think of a way someone could possibly confirm withdrawals without email access. However, people who still aren't using 2FA should realize that someone with access to your account doesn't even need to withdraw to steal your money. There are some thinly traded markets on Poloniex--all they would have to do is use your funds to buy up an order book and fill some absurd order like 1 IFC for 1 LTC.

This is why there is 2FA. It really is important. All an exchange can do is offer you the option to be secure--it's up to you to use those options.

So what are you looking for, a candlestick chart that goes back to the beginning of a coin's history, or a way to track your own personal trades? It would be kind of cool to have little annotations on the candlestick indicating where you bought and sold...