Terracoin attack caused Bter.com 50BTC loss

[freeworm]

A horrible Terracoin attack happened recently. Hundreds of thousands of TRC were created and disappeared.
Details can be found from
https://bitcointalk.org/index.php?topic=261986.0

One attacker (ID on bter: m100003-6399 and m100002-12129) deposited around 120k TRC on Bter.com during the TRC network attack and dumped more than half of them.
The attacker withdrew about 50BTC value (in BTC, LTC, FTC, TRC, etc) from Bter successfully before we disabled his accounts.
Some of his deposits are listed below. The deposits are confirmed normally without any problem but later the confirmations all became zero and all he deposited TRC disappeared.

We have disabled the TRC trade.
We need to reverse all the trading transactions people made with the attackers IDs m100002 and m100003.
BTCs will be credited back the Bter users' accounts who are affected so that they can get their BTC back.
Bter will take all the loss during the attack.

We need time to handle all the affected transactions very carefully. Please be patient.

I am sorry for all the trouble to Bter users during this event. We are doing our best to handle it.

---------------------------------------------------
--balance of the attacker's two accounts

./terracoind getbalance 6399
-39381.71600000
./terracoind getbalance 12129
-82980.08650000

----------------------------------------------------
----- last 5 deposits from the attacker
[
    {
        "account" : "12129",
        "address" : "18dCGtwALpJJMF6horVcbYY1Afft6pZfZq",
        "category" : "receive",
        "amount" : 480.00000000,
        "confirmations" : 0,
        "txid" : "68ce85dce72c4cc28053e823e453b52acbf2aa29ddd22f17f8c244ce756a6536",
        "time" : 1374858805,
        "timereceived" : 1374858805
    },

    {
        "account" : "12129",
        "address" : "18dCGtwALpJJMF6horVcbYY1Afft6pZfZq",
        "category" : "receive",
        "amount" : 4000.00000000,
        "confirmations" : 0,
        "txid" : "b5f3444bd2f8289b3d88e7784dd0fd6277054847acb8d5b7390c3ac0007e9207",
        "time" : 1374859127,
        "timereceived" : 1374859127
    },

    {
        "account" : "12129",
        "address" : "1M5jECA4CU4KnNVgbDAdPBcvScdhdkJT1H",
        "category" : "receive",
        "amount" : 7600.08650000,
        "confirmations" : 0,
        "txid" : "5b53dbd629d0bfb4ab71db94308f4f08ca073d40ce6eb8f07bde4cd18aa6ab92",
        "time" : 1374860903,
        "timereceived" : 1374860903
    },

    {
        "account" : "12129",
        "address" : "1M5RGitwKkT9AUea6638ZwzfiPV5kasu3c",
        "category" : "receive",
        "amount" : 8520.00000000,
        "confirmations" : 0,
        "txid" : "ebc4df3e1ecc4569cd51cc255e19852039a673d2f48e322f094e27300715146e",
        "time" : 1374861841,
        "timereceived" : 1374861841
    },

    {
        "account" : "12129",
        "address" : "1MnsunUAK2vJW21mE6azbXyXJSgJhDsy1Y",
        "category" : "receive",
        "amount" : 62380.00000000,
        "confirmations" : 0,
        "txid" : "172e3c1ba0ccf8284d4a031a149786788cf122dba9800e15ce73af4cc6022bfa",
        "time" : 1374862281,
        "timereceived" : 1374862281
    },

[1714800146]

1714800146

[bcp19]

Don't know if this will help at all or not, but here are all known address that attacker's account sent/received money from:

1PAnMKuTs9R4U9FF7xdQSmQc655d2r9zeB (main account)
13kfKR1BS9gtsxppMeqDTx4rAvbwWjvYSL (Used back in April, then mined blocks 175027-175037)
19hWiCHiWk3Bu3mXCCCDRhY9WVLUvoPVAR
1LEyVjbVJw3NSFtxa8o45TvAkpjWkYCuqX
1JZp28yknx5jm9TMPSnGzMyJq3ENCkvme7
111exFkjLXP5mXmEfVqGd2r7bXQhVhux3
1LrwViNiowvXaCKb33BYoYeXkQfUiAHpZ7
122xarBR5XSvcgZ27qNmgvP4VQCUgfzcsa
1LGkXWSE5qvMbxtY6H3CFTCJBKN5wa2NA2
1EYD7hV7t8fN9qXHsj41v2vpyq9SbySqkR
1Kbq1XfK8Zs2wZsAK6SAmaF5jAwym8xaKg
149JyDVZCW46vRJfLRfH1hzypLD5mV4mDk
1M3hwfdTVAHEEmLCepAj3ULNFaM2C7SF3v
1CVkkpMqK7fvNz5t6KecnuErnJxpzGCumS
1D5y3YSzTfT6WTqioW99cuJ6izXiTZg8YD
149JyDVZCW46vRJfLRfH1hzypLD5mV4mDk
1MwK8iA8nSqDDSiYytEntdd9UVYdiZ3qFe
1NCoJCE4sp5sjAnFwgViwRQrcCAE2hsq9u
1Q47BFwRP7nPEewgkRNQFzjVsQp3maQURx
1E1YNV1Rdv8vZtr6iHppGtkrFfFdMTYezK
15fZ3Dk3t89EBgwJieMv43oVGWLZkAHojL
1KeheSehZLUrXCSd5bcFGHNKDBgDWuhdZu
17gvfTjPVtNqV4b7iX1zALoNjCV93na4Y
15AzEWzQwi1wGvUtjEKCXi14zGikR6eSzk

[freeworm]

Don't know if this will help at all or not, but here are all known address that attacker's account sent/received money from:

1PAnMKuTs9R4U9FF7xdQSmQc655d2r9zeB (main account)
13kfKR1BS9gtsxppMeqDTx4rAvbwWjvYSL (Used back in April, then mined blocks 175027-175037)
19hWiCHiWk3Bu3mXCCCDRhY9WVLUvoPVAR
...

I don't think we can trace our loss back but thanks a lot for your help which makes us feel better

[Arbitrageur]

wait wait.. if the bastard moved 120k trc and sold half of them on BTER, how did they disappear? aren't they on the account of the people who bought them? or just HIS coins he was unable to sell disappeared?

[lucasjkr]

A couple days ago, it sounded like the TRC network was 51%'ed; sounds like this was a MAJOR double spend. He sold the coins, all thought they were fine so he got BTC, then overwrote the blockchain from the point of transfer onward. Correct, or no? Definitely would be of aid to BTC and all the others to have an understanding of exactly what occurred.

[bcp19]

wait wait.. if the bastard moved 120k trc and sold half of them on BTER, how did they disappear? aren't they on the account of the people who bought them? or just HIS coins he was unable to sell disappeared?

1st, it wasn't a 51% attack, but a time warp attack.  The fix TRC made to their client (by my understanding) was supposed to invalidate all the time-warped blocks, meaning all the coins this person exploited vanished once the block chain hit the 175000 block.  Therefore, any coins he mined and sent elsewhere should have vanished at block 175000 (which they seem to have from the OP).  The current TRC blockchain is at block 175040 while the old client chain (that someone is still mining) thinks the current blockchain it at 175460.  If you were still using the old client, those coins would still be there.

[Sunny King]

wait wait.. if the bastard moved 120k trc and sold half of them on BTER, how did they disappear? aren't they on the account of the people who bought them? or just HIS coins he was unable to sell disappeared?

1st, it wasn't a 51% attack, but a time warp attack.  The fix TRC made to their client (by my understanding) was supposed to invalidate all the time-warped blocks, meaning all the coins this person exploited vanished once the block chain hit the 175000 block.  Therefore, any coins he mined and sent elsewhere should have vanished at block 175000 (which they seem to have from the OP).  The current TRC blockchain is at block 175040 while the old client chain (that someone is still mining) thinks the current blockchain it at 175460.  If you were still using the old client, those coins would still be there.

This sounds like a serious 51% doublespending attack on bter. Note the original time warp requires 51% attack as a basis.

[Arbitrageur]

what a mess!

[Arbitrageur]

wouldn't have been better to keep those coins as valid, so to let the attacker keep his profits without harming specific people (like bter in this case), at the end of the story he didn't cause any harm apart from an increased inflation and dilution of the coin...which basically it's what central banks do everytime they print new money out of nothing.

[roy7]

wouldn't have been better to keep those coins as valid, so to let the attacker keep his profits without harming specific people (like bter in this case), at the end of the story he didn't cause any harm apart from an increased inflation and dilution of the coin...which basically it's what central banks do everytime they print new money out of nothing.

Yeah that's why the dev didn't roll things back to before the attack, because of the valid trades the exchanges had done/etc and they rely on the chain remaining intact as best as possible.

[sumantso]

I had lost 8 LTC when my Bter account got hacked sometimes back. I withdrew everything and left it - there are much better exchanges out there.

Good luck though - I do hope you bounce back.

[Arbitrageur]

Yeah that's why the dev didn't roll things back to before the attack, because of the valid trades the exchanges had done/etc and they rely on the chain remaining intact as best as possible.

have those coins disappeared or not? I still don't understand.
if I bought some on BTER (which actually I did) and sold them on there or on another exchange, did those who bought from me see the trc disappear after block 175k??? this sounds impossible to me! in fact I was able to move like 18 coins I bought on bter (most likely from the attacker) to another exchange and I still see them! they have not disappeared anywhere. I still own them, as I think any other buyer do.

please explain.. this is fishy.

if BTER says the coins have disappeared when actually they have not, in reimbursing the buyers at the price they bought, they keep the TRC for themselves and do make a profit selling them at current prices. not so much as taking a loss... come on!

please explain!!

thanks

[n4ru]

Was this double spend after or before the double spend attacks started? If after, then the exchange is completely to blame for not stopping TRC deposits upon the first double spend hitting the network.

[Arbitrageur]

Was this double spend after or before the double spend attacks started? If after, then the exchange is completely to blame for not stopping TRC deposits upon the first double spend hitting the network.

the exchange is with no doubt to blame for not stopping the unusual activity on TRC... vircurex did, other raised the confirmation up to 100, bter stood still at 4 confirmations and let massive and unusual trading to take place for more the 24 hrs. I mean when I saw that massive dumping I bought something and I took a huge risk, in fact  everybody was talking about TRC to be screwed up and worth nothing, so to me the dumper could have been just a guy with lots of them just scared to lose his money and wanting out. but that was indeed suspicious to me. since my activity is arbitrage coins I saw the opportunity and even if I thought it was very risky I bought some in order to sell somewhere else at higher price.

NOW, what I want to know here: the coins the bastard sold on BTER have disappeared OR NOT?? cause it doesn't look like to me... the ones I was able to move out of BTER are sitting on my other accounts and have NOT disappeared. so how could BTER affirm the coins have disappeared... the only coins that might have disappeared after block 175k are the ones the bastard couldn't sell which are still sitting on his account...

...unless, and here I prove I don't know how exchanges really works, the buying/selling trades on each exchange aren't really settled until the coins are moved from the buyer to another address. in this case everything that's still on BTER truly disappeared, except the coins that buyers were able to move out of their BTER account.

am I right?

[n4ru]

Was this double spend after or before the double spend attacks started? If after, then the exchange is completely to blame for not stopping TRC deposits upon the first double spend hitting the network.

the exchange is with no doubt to blame for not stopping the unusual activity on TRC... vircurex did, other raised the confirmation up to 100, bter stood still at 4 confirmations and let massive and unusual trading to take place for more the 24 hrs. I mean when I saw that massive dumping I bought something and I took a huge risk, in fact  everybody was talking about TRC to be screwed up and worth nothing, so to me the dumper could have been just a guy with lots of them just scared to lose his money and wanting out. but that was indeed suspicious to me. since my activity is arbitrage coins I saw the opportunity and even if I thought it was very risky I bought some in order to sell somewhere else at higher price.

NOW, what I want to know here: the coins the bastard sold on BTER have disappeared OR NOT?? cause it doesn't look like to me... the ones I was able to move out of BTER are sitting on my other accounts and have NOT disappeared. so how could BTER affirm the coins have disappeared... the only coins that might have disappeared after block 175k are the ones the bastard couldn't sell which are still sitting on his account...

...unless, and here I prove I don't know how exchanges really works, the buying/selling trades on each exchange aren't really settled until the coins are moved from the buyer to another address. in this case everything that's still on BTER truly disappeared, except the coins that buyers were able to move out of their BTER account.

am I right?

The attacker's deposit disappeared.

[roy7]

Right, which is what double spend is all about.

Chain A I sent coins to BTCe. They clear, I sell them for BTC. I withdraw the BTC.

Now I make a new chain B started the block before I sent the coins, and make it longer than chain A so clients switch to it instead. My coins were never sent to BTCe, I still have them, but I also have the BTC I sold them for. BTCe is left without the BTC or the TRC.

I trust BTCe is on the mailing lists of all coins they support, so they always know about mandatory upgrades in advance.

[Arbitrageur]

The attacker's deposit disappeared.

let me understand how an exchange works...
a guy deposit x coins on his address...
then he sells something to someone else
are the coins really moved to the seller address to the buyer address after the trade?

[neotrix]

Happy that a 24/24 monitoring and immediate update to 100 confirmations deposit with a special checking on each then TRC deposit, helped crypto-trade.com to be safe of such lost.

I guess when you run an exchange and accept small Alt coin you have to expect such problem...and be ready to react immediatly as some hours can cause disaster. If you cannot handle it just don't accept such alt coin, or don't run an exchange taking risk to lost funds of your users. Sorry to be rude but I would be same with myself even worst...

Edit : just noticed that on your website : > Manually confirmed withdrawal

It means you processed the 50 btc manually to then understand your site was like attacked? I dont get it fully

Neotrix, Admin of crypto-trade.com

[Arbitrageur]

Happy that a 24/24 monitoring and immediate update to 100 confirmations deposit with a special checking on each then TRC deposit, helped crypto-trade.com to be safe of such lost.

here something else I don't understand
during the attack 100 confirmations were a matter of a few minutes... since the blocks were generated with very high frequency... what difference did it make?

[roy7]

Happy that a 24/24 monitoring and immediate update to 100 confirmations deposit with a special checking on each then TRC deposit, helped crypto-trade.com to be safe of such lost.

here something else I don't understand
during the attack 100 confirmations were a matter of a few minutes... since the blocks were generated with very high frequency... what difference did it make?

None. Coinotron had over 100 confirmed blocked they mined erased by the attacker before they suspended the TRC pool. The difficulty exploit made the attack unstoppable for the most part. In the main thread discussing the attack we were surprised trading was open at all.