busoni
Sr. Member
Offline
Activity: 364
Merit: 250
Owner of Poloniex
|
|
February 19, 2014, 04:32:48 PM |
|
I don't see any evidence that Poloniex was hacked. The guy who dumped messaged me and said that the XCP protocol is not safe. It appears he is correct--there seems to be a major issue with XCP. People noticed that 35,000 XCP were withdrawn as soon as it was deposited--but this was not done using Poloniex's withdrawal system. I've asked the guy for more details. He says he has no intention of keeping the money he made off with.
|
Poloniex.com - Fast crypto exchange with margin trading, advanced charts, and stop-limit orders
|
|
|
|
Fastpow
|
|
February 19, 2014, 04:34:59 PM |
|
Awesome.. I had all the XCP I bought at Poloniex..
|
|
|
|
peled1986
Legendary
Offline
Activity: 882
Merit: 1002
|
|
February 19, 2014, 04:36:15 PM |
|
It also disappeared from the balances, and it's not possible to withdraw BTC.
|
|
|
|
mtbitcoin
Legendary
Offline
Activity: 876
Merit: 1000
Etherscan.io
|
|
February 19, 2014, 04:40:09 PM |
|
Adding support for matching orders by order hash directly would be a huge help in combating the troll.
The troll can still place orders and force sell orders to have higher fees, but buyers can place orders with low fees and sellers can directly match them.
If we don't care about preserving best/bid offer, we could have order matching ONLY by order hash. That way sellers can place their orders, buyers can place their orders, and anyone who wants to make a trade can match directly. Troll orders would be completely ignored. Fees would be kept to the minimum of 0.0001.
I am all for this and also had proposed the same earlier..... By allowing matching orders directly by order hash the DEX would facilitate a trustless escrow system. There are no other working systems offering this at the moment (that I know of) and implementing this in DEX would make it a first. As the direct matching would be a separate command it should be able to work side by side with the existing order matching system. Combined with a client-side reputation-based system, sellers would be able to sell non-BTC assets like XCP to whoever they choose to.
|
|
|
|
nakaone
|
|
February 19, 2014, 04:42:52 PM |
|
I've asked the guy for more details. He says he has no intention of keeping the money he made off with.
I do not get this part
|
|
|
|
busoni
Sr. Member
Offline
Activity: 364
Merit: 250
Owner of Poloniex
|
|
February 19, 2014, 04:44:33 PM |
|
It also disappeared from the balances, and it's not possible to withdraw BTC.
Yes, I've suspended XCP for now, because there appears to be a serious problem with it.
|
|
|
|
Patel
Legendary
Offline
Activity: 1320
Merit: 1007
|
|
February 19, 2014, 04:47:38 PM |
|
I don't see any evidence that Poloniex was hacked. The guy who dumped messaged me and said that the XCP protocol is not safe. It appears he is correct--there seems to be a major issue with XCP. People noticed that 35,000 XCP were withdrawn as soon as it was deposited--but this was not done using Poloniex's withdrawal system. I've asked the guy for more details. He says he has no intention of keeping the money he made off with.
From looking at the log of transactions it looks like the attacker's plan was:
1) Withdraw 35k XCP from Poloniex central wallet somehow
2) Redeposit the 35k XCP and dump for BTC
3) Withdraw BTC
4) Withdraw the same 35k XCP, this time permanently as the order book has thinned out and it no longer makes sense to dump for BTC.
I don't see where the XCP protocol is at fault here. The exploit has to do with the initial unauthorized withdrawal of 35k XCP from Poloniex's central wallet. There were no XCP double-spent, printed out of thin air, etc.
This. The 35k withdrawal had to have been done via Poloniex. There is no way to sign the tx if you don't have access to the private key, or the attacker would be targeting all the addresses that hold XCP, not just Poloniex account. What Busoni is saying is highly suspicious.
|
|
|
|
qwertyqwerty
|
|
February 19, 2014, 04:49:01 PM |
|
Not sure I trust the operator. I chatted with somebody last week:
01:41:44 921908390: currently the only centralised exchange with xcp/btc pairs is poloniex. got about 85BTC in trade volume so far and hasn't been up for a day yet, not bad.
01:42:00 71298191: go and make a post about how much that site sucks and why
01:42:19 71298191: and you will do the mankind a good thing
01:42:24 921908390: well, it just got back up from heavy load
01:42:48 921908390: certainly isn't the smoothest experience, but beggars can't be choosers
01:42:51 71298191: it's a scam
01:43:05 71298191: we found security issues on it in 5 minutes
01:43:07 921908390: I've only used it for first time today.
01:43:31 71298191: it's a scam or somebody will hack it very soon
01:43:39 71298191: both options are very possible and maybe even combined
|
|
|
|
savithau68
Newbie
Offline
Activity: 28
Merit: 0
|
|
February 19, 2014, 04:49:17 PM |
|
Poloniex was hacked. Busoni in denial
|
|
|
|
busoni
Sr. Member
Offline
Activity: 364
Merit: 250
Owner of Poloniex
|
|
February 19, 2014, 04:54:01 PM |
|
I don't see any evidence that Poloniex was hacked. The guy who dumped messaged me and said that the XCP protocol is not safe. It appears he is correct--there seems to be a major issue with XCP. People noticed that 35,000 XCP were withdrawn as soon as it was deposited--but this was not done using Poloniex's withdrawal system. I've asked the guy for more details. He says he has no intention of keeping the money he made off with.
From looking at the log of transactions it looks like the attacker's plan was:
1) Withdraw 35k XCP from Poloniex central wallet somehow
2) Redeposit the 35k XCP and dump for BTC
3) Withdraw BTC
4) Withdraw the same 35k XCP, this time permanently as the order book has thinned out and it no longer makes sense to dump for BTC.
I don't see where the XCP protocol is at fault here. The exploit has to do with the initial unauthorized withdrawal of 35k XCP from Poloniex's central wallet. There were no XCP double-spent, printed out of thin air, etc.
The withdrawal occurred without the use of Poloniex's withdrawal system. So, unless he hacked into the wallet server, which I am fairly certain is impossible because there is no route to connect to it on any port--and unless he decided, for some reason, to take only his 35,000 XCP after hacking into the wallet server--this was done in some other way. From his message, it sounded like he found a vulnerability that enabled him to send XCP from any address.
|
|
|
|
mtbitcoin
Legendary
Offline
Activity: 876
Merit: 1000
Etherscan.io
|
|
February 19, 2014, 04:54:08 PM |
|
It also disappeared from the balances, and it's not possible to withdraw BTC.
Yes, I've suspended XCP for now, because there appears to be a serious problem with it.
I think it's best that you perhaps try to figure out what actually went wrong than to imply there is a serious problem with XCP. It could very well be an issue with your existing integration with the XCP wallet.
|
|
|
|
Geenstijl
Legendary
Offline
Activity: 1232
Merit: 1000
|
|
February 19, 2014, 04:54:11 PM |
|
fkc me, did I just lose all my cash?
|
|
|
|
busoni
Sr. Member
Offline
Activity: 364
Merit: 250
Owner of Poloniex
|
|
February 19, 2014, 04:55:21 PM |
|
Poloniex was hacked. Busoni in denial
Guys, I'm looking into it. I'm just telling you what I know, and what the guy said to me. As someone pointed out, if someone hacked Poloniex and got the level of access needed to withdraw that much XCP, he would have taken a lot more. He didn't even withdraw all the BTC out of his account after selling.
|
|
|
|
Patel
Legendary
Offline
Activity: 1320
Merit: 1007
|
|
February 19, 2014, 04:56:02 PM |
|
The withdrawal occurred without the use of Poloniex's withdrawal system. So, unless he hacked into the wallet server, which I am fairly certain is impossible because there is no route to connect to it on any port--and unless he decided, for some reason, to take only his 35,000 XCP after hacking into the wallet server--this was done in some other way. From his message, it sounded like he found a vulnerability that enabled him to send XCP from any address.
Show us some proof of the attacker's messages.
|
|
|
|
Geenstijl
Legendary
Offline
Activity: 1232
Merit: 1000
|
|
February 19, 2014, 04:56:38 PM |
|
Poloniex was hacked. Busoni in denial
Guys, I'm looking into it. I'm just telling you what I know, and what the guy said to me. As someone pointed out, if someone hacked Poloniex and got the level of access needed to withdraw that much XCP, he would have taken a lot more. He didn't even withdraw all the BTC out of his account after selling.
Alright, thanks. Let's hope for the best!
|
|
|
|
qwertyqwerty
|
|
February 19, 2014, 04:56:52 PM |
|
Honesty is best policy
|
|
|
|
IamNotSure
|
|
February 19, 2014, 04:58:46 PM |
|
When does this troll order expire? 0.01738562 BTC/XCP
It won't expire for a while, but it doesn't matter, because any orders to sell XCP for BTC with a non-trivial (e.g. default) 'fee required' will bypass it now. In fact, there are a couple open sell orders, so the next match should happen when someone tries to buy XCP on the distributed exchange.
Thanks, that's the answer I was looking for!
|
|
|
|
peled1986
Legendary
Offline
Activity: 882
Merit: 1002
|
|
February 19, 2014, 05:00:02 PM |
|
I don't see any evidence that Poloniex was hacked. The guy who dumped messaged me and said that the XCP protocol is not safe. It appears he is correct--there seems to be a major issue with XCP. People noticed that 35,000 XCP were withdrawn as soon as it was deposited--but this was not done using Poloniex's withdrawal system. I've asked the guy for more details. He says he has no intention of keeping the money he made off with.
I don't understand. Busoni, if what you are saying is right, then all users' XCP and BTC are safe?
|
|
|
|
oxfeeefeee
Member
Offline
Activity: 73
Merit: 10
|
|
February 19, 2014, 05:00:38 PM |
|
Poloniex was hacked. Busoni in denial
Guys, I'm looking into it. I'm just telling you what I know, and what the guy said to me. As someone pointed out, if someone hacked Poloniex and got the level of access needed to withdraw that much XCP, he would have taken a lot more. He didn't even withdraw all the BTC out of his account after selling.
Now I just want to cancel my order, what should I do?
|
|
|
|
|