Does anyone have any ideas about this? The guy is out 0.61 BTC...
|
|
|
Hi,
It seems the pages for XCP have vanished from your site! When I click on the Counterparty button on your home page instead it shows me a graph for NXT. I also bought some XCP today (I know because cryptocoincharts.com shows a daily low below my Bid price) but they don't show up under my balance ("XCP" has completely disappeared from the balance page). My BTC are gone though.
Are you fixing it right now?
Thx
I believe you know what's going on now--I recognize Mr. Cosby from the other thread--but to anyone who isn't aware, there was some XCP drama today. Read the last several pages of this thread to learn more: https://bitcointalk.org/index.php?topic=395761.0
XCP will not be coming back online at least until the block chain is done resyncing, which takes quite a long time.
|
|
|
Counterparty (XCP), that is trading between .009 and .027 on Poloniex has a TX Fee of 0.1 XCP. That is robbery, a 10% fee on such a valuable coin. C'mon OP, this can't be how you are trying to attract business, right?
The withdrawal fee can never be 10%. It is a flat fee of 0.1 XCP, to cover all the dust costs incurred in moving the XCP around internally. I believe the minimum withdrawal is 3 XCP, so the highest percentage the fee can be is 3.33%. To reduce that, just withdraw more XCP in one go.
I was not aware that there were a lot of dust transactions with XCP. I am just confused as to how every other coin ranges from .01 to .0001 in TX fee and this one is .1 of a coin when this is one of the more expensive ones. Aren't "dust" costs associated with cheaper coins? How does this math work out?
DOGE PRICE: 0.00000217 TX Fee: 0.01 DOGE
XCP PRICE: .011 TX Fee: 0.1 XCP
Are there exorbitant mandatory fees that I am unaware of? Honest question. I apologize for the choice of "robbery" to describe the fee, but wow.
Counterparty is not just another coin. Transactions get sent via the BTC block chain, so some BTC has to be sent whenever XCP is sent. Furthermore, the protocol requires a deposit to be swept into a central account before it becomes available. The cost for each transaction is at least 0.0002 BTC, so an absolute minimum is 0.0004 BTC. But then, a little BTC to cover these costs has to be in each account, so sometimes some BTC dust needs to be moved around before the XCP can be moved, and each time this occurs, it's another 0.0001 TX fee. Sometimes BTC dust needs to be moved more than once, because Counterparty is a little unpredictable in its BTC requirements. I would say a deposit and withdrawal cycle probably end up costing almost 0.001 BTC each. The 0.1 XCP fee amounts to about this much.
|
|
|
Was it mentioned if the hacker/white hat was going to return the BTC that they withdrew?
If they don't return that BTC, Poloniex would be out of pocket in a huge way.
I hope we can pull together an adequate bounty for the white hat such that they will return all BTC.
He said he would, but I haven't heard from him since he explained the vulnerability. My guess is he is waiting on the block chain rebuild to see where he stands with XCP. If all the XCP gets returned to the Poloniex account, then the dump will stand, and he can keep the BTC. If not... then let's hope he returns it, and I'm going to have to roll back some trades.
|
|
|
Block index is being reindexed now. We're not out of the woods yet--I won't know what the situation on Poloniex is until I see what is in the balance, and the benevolent hacker has not returned the BTC yet. (He might be waiting to see how much XCP he has.) I'll keep everyone updated.
|
|
|
As someone said before--do NOT buy XCP from anyone until this is fixed. Not on the DEX, not privately, not anywhere.
|
|
|
Wow, that's disappointing... That said, I'm happy that it happened so early, before XCP has spread to other exchanges.
Also, seems that it will boost the Dex (as it should), as it seems to be much safer (or so I hope!).
No, the Dex is not safer from this attack. Devs are on it now.
|
|
|
I messaged PhantomPhreak, but if any XCP developers are online right now, please message me right away.
The attacker left 35 BTC in his account. He has been very cooperative so far and has asked for an address to return the BTC he took. I'll keep you all updated.
|
|
|
Got a response from the guy, he explained the vulnerability. I am now contacting the devs privately.
Poloniex was not hacked.
|
|
|
XCP is not at fault here. It's Poloniex. The original 35000 withdrawal from 15vA2MJ4ESG3Rt1PVQ79D1LFMBBNtcSz1f (Poloniex address) was signed by that private key to complete the withdrawal/send. The attacker somehow got access to process the transaction from Poloniex account. If he didn't, that means there is a huge flaw in Bitcoin. Which I highly doubt. I think Busoni is lying, and this whole thing was staged. But that's just my opinion. I never used Poloniex, and don't plan on it.
https://blockchain.info/tx/17d02a863919b7338e892d7a7da05f6e6529e5b97e3391d700a802b175978915
Those are internal Poloniex addresses, that is the XCP being moved into the main wallet.
|
|
|
The stolen 35,000 XCP was sent to 1HMoHdzaHm9cHR8FjekGRtkkydoHfgaC8S.
I just checked the Poloniex BTC wallet's transaction history, and nothing was ever sent to 1HMoHdzaHm9cHR8FjekGRtkkydoHfgaC8S.
To me, that says he sent it without hacking Poloniex.
|
|
|
I don't see any evidence that Poloniex was hacked. The guy who dumped messaged me and said that the XCP protocol is not safe. It appears he is correct--there seems to be a major issue with XCP. People noticed that 35,000 XCP were withdrawn as soon as it was deposited--but this was not done using Poloniex's withdrawal system. I've asked the guy for more details. He says he has no intention of keeping the money he made off with.
I don't understand. Busoni, if what you are saying is right, then all users' XCP and BTC are safe?
He said "the XCP protocol is not safe, as anyone can spend any XCP present." And the evidence on Poloniex is that this is true. He made a legitimate deposit to get a balance on Poloniex, then took the XCP without using Poloniex's withdrawal system, so his balance was not subtracted. If he had hacked Poloniex and gotten privileges to cover up a withdrawal, there would be no need for the legit deposit. The actions are consistent with him having some way of whisking the XCP out of the central wallet. And unless this is a vulnerability with XCP, the only way to do that would be to have total access to the wallet server, and as I said, he didn't take anything else. He expressed a desire to work the problem out. It seems to have been a demonstration rather than a theft.
|
|
|
Poloniex was hacked. Busoni in denial
Guys, I'm looking into it. I'm just telling you what I know, and what the guy said to me. As someone pointed out, if someone hacked Poloniex and got the level of access needed to withdraw that much XCP, he would have taken a lot more. He didn't even withdraw all the BTC out of his account after selling.
|
|
|
I don't see any evidence that Poloniex was hacked. The guy who dumped messaged me and said that the XCP protocol is not safe. It appears he is correct--there seems to be a major issue with XCP. People noticed that 35,000 XCP were withdrawn as soon as it was deposited--but this was not done using Poloniex's withdrawal system. I've asked the guy for more details. He says he has no intention of keeping the money he made off with.
From looking at the log of transactions it looks like the attacker's plan was:
1) Withdraw 35k XCP from Poloniex central wallet somehow
2) Redeposit the 35k XCP and dump for BTC
3) Withdraw BTC
4) Withdraw the same 35k XCP, this time permanently as the order book has thinned out and it no longer makes sense to dump for BTC.
I don't see where the XCP protocol is at fault here. The exploit has to do with the initial unauthorized withdrawal of 35k XCP from Poloniex's central wallet. There were no XCP double-spent, printed out of thin air, etc.
The withdrawal occurred without the use of Poloniex's withdrawal system. So, unless he hacked into the wallet server, which I am fairly certain is impossible because there is no route to connect to it on any port--and unless he decided, for some reason, to take only his 35,000 XCP after hacking into the wallet server--this was done in some other way. From his message, it sounded like he found a vulnerability that enabled him to send XCP from any address.
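A defender-side check for the situation discussed in this exchange, added here as an example and not part of the thread or of Poloniex's code: reconcile sends observed leaving the central wallet against the exchange's own withdrawal ledger and flag any that no ledger row explains. All addresses, txids and records below are constructed placeholders, and the record layout is an assumption.

```python
from collections import Counter
from decimal import Decimal


def unmatched_sends(central, internal, chain_sends, ledger):
    """Return txids of sends out of `central` that no ledger withdrawal explains."""
    # Multiset of approved withdrawals: each ledger row can explain ONE send,
    # so a second identical send is still flagged.
    approved = Counter(
        (w["asset"], w["dest"], Decimal(w["amount"])) for w in ledger
    )
    flagged = []
    for tx in chain_sends:
        if tx["source"] != central:
            continue  # deposits and sweeps into the wallet are not outflows
        if tx["dest"] in internal:
            continue  # moves between the exchange's own addresses
        key = (tx["asset"], tx["dest"], Decimal(tx["amount"]))
        if approved[key] > 0:
            approved[key] -= 1  # consume the matching ledger row
        else:
            flagged.append(tx["txid"])
    return flagged


# Constructed sample data (placeholders, not real addresses or transactions).
CENTRAL = "addr_central"
INTERNAL = {"addr_cold"}
LEDGER = [{"asset": "XCP", "dest": "addr_user_b", "amount": "12.5"}]
CHAIN = [
    # user deposit swept into the central wallet
    {"txid": "tx1", "source": "addr_deposit_a", "dest": CENTRAL, "asset": "XCP", "amount": "35000"},
    # normal withdrawal, present in the ledger
    {"txid": "tx2", "source": CENTRAL, "dest": "addr_user_b", "asset": "XCP", "amount": "12.50"},
    # send that bypassed the withdrawal system: no ledger row
    {"txid": "tx3", "source": CENTRAL, "dest": "addr_unknown", "asset": "XCP", "amount": "35000"},
    # same details as tx2 sent twice, but only one ledger row exists
    {"txid": "tx4", "source": CENTRAL, "dest": "addr_user_b", "asset": "XCP", "amount": "12.5"},
    # internal move to cold storage
    {"txid": "tx5", "source": CENTRAL, "dest": "addr_cold", "asset": "XCP", "amount": "1000"},
]

if __name__ == "__main__":
    for txid in unmatched_sends(CENTRAL, INTERNAL, CHAIN, LEDGER):
        print("ALERT: central-wallet send with no ledger withdrawal:", txid)
```

Run continuously against the block index, a check like this raises an alert on the first unexplained outflow regardless of whether the cause is a server compromise or a protocol flaw.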
|
|
|
It also disappeared from the balances, and it's not possible to withdraw BTC.
Yes, I've suspended XCP for now, because there appears to be a serious problem with it.
|
|
|
I don't see any evidence that Poloniex was hacked. The guy who dumped messaged me and said that the XCP protocol is not safe. It appears he is correct--there seems to be a major issue with XCP. People noticed that 35,000 XCP were withdrawn as soon as it was deposited--but this was not done using Poloniex's withdrawal system. I've asked the guy for more details. He says he has no intention of keeping the money he made off with.
|
|
|
@ busoni: Could you pls implement multiple time frames into your charts?? It's really hard to keep track of your favorite altcoins if you only ever see one day windows. Thx!
This is in the queue. The candlestick was actually designed to accept any interval, not just 30 minutes. I still have to make sure other intervals really work properly, and code the interface for switching. It is not top on the list, but it is up there. When it is done, though, you'll get proper scaling--legitimate 5-minute charts, 2-hour charts, whatever--instead of this nonsense where they just stretch the chart out.
|
|
|
Counterparty (XCP), that is trading between .009 and .027 on Poloniex has a TX Fee of 0.1 XCP. That is robbery, a 10% fee on such a valuable coin. C'mon OP, this can't be how you are trying to attract business, right?
The withdrawal fee can never be 10%. It is a flat fee of 0.1 XCP, to cover all the dust costs incurred in moving the XCP around internally. I believe the minimum withdrawal is 3 XCP, so the highest percentage the fee can be is 3.33%. To reduce that, just withdraw more XCP in one go.
|
|
|
Another support agent just started today, so support should start getting snappier.
There was some downtime around 2AM last night. This was because the entire data center where the front end server is located went offline. Not much I could do, but I stayed up late to make sure everything was running smoothly after it came back online.
Then, the wallet server lost connectivity last night while I was asleep, so deposits and withdrawals were down for a while. Later, the FLAP wallet stopped syncing, apparently a known issue, and I have just installed the update from the developer. All deposits and withdrawals should be processed by now.
About support responsiveness, please bear with me now while support staff is trained. Support has now moved to poloniex.freshdesk.com. The email address will still be checked regularly, and you can get support there, but priority is given to Freshdesk.
Someone said Poloniex is often down or very slow these days. Has anyone noticed any slowness since the database server upgrade and the bandwidth issue was solved? Everything should be very fast now.
|
|
|
|