[ANN][XCP] Counterparty - Pioneering Peer-to-Peer Finance - Official Thread

[TheMightyX]

Holy shit. I wake up to this 

People... for the love of god don't panic until we know all the facts. Don't mindlessly dump your XCP at the first opportunity (or do, as long as it's into my hands).

[busoni]

I don't see any evidence that Poloniex was hacked. The guy who dumped messaged me and said that the XCP protocol is not safe. It appears he is correct--there seems to be a major issue with XCP. People noticed that 35,000 XCP were withdrawn as soon as it was deposited--but this was not done using Poloniex's withdrawal system. I've asked the guy for more details. He says he has no intention of keeping the money he made off with.

I don't understand.
Busoni if what you are saying is right than all users XCP and BTC are safe?

He said "the XCP protocol is not safe, as anyone can spend any XCP present." And the evidence on Poloniex is that this is true. He made a legitimate deposit to get a balance on Poloniex, then took the XCP without using Poloniex's withdrawal system, so his balance was not subtracted. If he had hacked Poloniex and gotten privileges to cover up a withdrawal, there would be no need for the legit deposit. The actions are consistent with him having some way of whisking the XCP out of the central wallet. And unless this is a vulnerability with XCP, the only way to do that would be to have total access to the wallet server, and as I said, he didn't take anything else.

He expressed a desire to work the problem out. It seems to have been a demonstration rather than a theft.

[savithau68]

I don't see any evidence that Poloniex was hacked. The guy who dumped messaged me and said that the XCP protocol is not safe. It appears he is correct--there seems to be a major issue with XCP. People noticed that 35,000 XCP were withdrawn as soon as it was deposited--but this was not done using Poloniex's withdrawal system. I've asked the guy for more details. He says he has no intention of keeping the money he made off with.

I don't understand.
Busoni if what you are saying is right than all users XCP and BTC are safe?

He said "the XCP protocol is not safe, as anyone can spend any XCP present." And the evidence on Poloniex is that this is true. He made a legitimate deposit to get a balance on Poloniex, then took the XCP without using Poloniex's withdrawal system, so his balance was not subtracted. If he had hacked Poloniex and gotten privileges to cover up a withdrawal, there would be no need for the legit deposit. The actions are consistent with him having some way of whisking the XCP out of the central wallet. And unless this is a vulnerability with XCP, the only way to do that would be to have total access to the wallet server, and as I said, he didn't take anything else.

He expressed a desire to work the problem out. It seems to have been a demonstration rather than a theft.

We also want to work on this. Please give more details

[Patel]

The original 35000 withdrawal from 15vA2MJ4ESG3Rt1PVQ79D1LFMBBNtcSz1f (Poloniex address) was signed by that private key to complete the withdrawal/send. The attacker somehow got access to process the transaction from Poloniex account. If he didn't, that means there is a huge flaw in Bitcoin.

 https://blockchain.info/tx/17d02a863919b7338e892d7a7da05f6e6529e5b97e3391d700a802b175978915

[lonsharim]

newbie question here,

If I don't have the counterparty/XCP wallet program installed yet, but I want to withdraw my XCP from Poloniex (assuming I can!), can I just send it to a bitcoin address that I control? And then later, import that bitcoin address into the XCP wallet program?

(In other words, am I right in understanding that my XCP address is just a bitcoin address I own?)  How would I later "import" it into XCP?

You assumptions are correct. As long as you can control your private key you will be able to control the XCP associated with it and where ever you want to import it.

[sixteendigits]

I don't see any evidence that Poloniex was hacked. The guy who dumped messaged me and said that the XCP protocol is not safe. It appears he is correct--there seems to be a major issue with XCP. People noticed that 35,000 XCP were withdrawn as soon as it was deposited--but this was not done using Poloniex's withdrawal system. I've asked the guy for more details. He says he has no intention of keeping the money he made off with.

I don't understand.
Busoni if what you are saying is right than all users XCP and BTC are safe?

He said "the XCP protocol is not safe, as anyone can spend any XCP present." And the evidence on Poloniex is that this is true. He made a legitimate deposit to get a balance on Poloniex, then took the XCP without using Poloniex's withdrawal system, so his balance was not subtracted. If he had hacked Poloniex and gotten privileges to cover up a withdrawal, there would be no need for the legit deposit. The actions are consistent with him having some way of whisking the XCP out of the central wallet. And unless this is a vulnerability with XCP, the only way to do that would be to have total access to the wallet server, and as I said, he didn't take anything else.

He expressed a desire to work the problem out. It seems to have been a demonstration rather than a theft.

We also want to work on this. Please give more details

Uhhhhhhh..............no.  Please do not give more details.  If it is a fault with XCP the only people he should be sharing details with are the devs.

[busoni]

The stolen 35,000 XCP was sent to 1HMoHdzaHm9cHR8FjekGRtkkydoHfgaC8S.

I just checked the Poloniex BTC wallet's transaction history, and nothing was ever sent to 1HMoHdzaHm9cHR8FjekGRtkkydoHfgaC8S.

To me, that says he sent it without hacking Poloniex.

[busoni]

XCP is not at fault here. Its Poloniex.

The original 35000 withdrawal from 15vA2MJ4ESG3Rt1PVQ79D1LFMBBNtcSz1f (Poloniex address) was signed by that private key to complete the withdrawal/send. The attacker somehow got access to process the transaction from Poloniex account. If he didn't, that means there is a huge flaw in Bitcoin. Which I highly doubt. I think Busoni is lying, and this whole thing was staged. But that's just my opinion. I never used Poloniex, and don't plan on it.

 https://blockchain.info/tx/17d02a863919b7338e892d7a7da05f6e6529e5b97e3391d700a802b175978915

Those are internal Poloniex addresses, that is the XCP being moved into the main wallet.

[TheMightyX]

I don't see any evidence that Poloniex was hacked. The guy who dumped messaged me and said that the XCP protocol is not safe. It appears he is correct--there seems to be a major issue with XCP. People noticed that 35,000 XCP were withdrawn as soon as it was deposited--but this was not done using Poloniex's withdrawal system. I've asked the guy for more details. He says he has no intention of keeping the money he made off with.

I don't understand.
Busoni if what you are saying is right than all users XCP and BTC are safe?

He said "the XCP protocol is not safe, as anyone can spend any XCP present." And the evidence on Poloniex is that this is true. He made a legitimate deposit to get a balance on Poloniex, then took the XCP without using Poloniex's withdrawal system, so his balance was not subtracted. If he had hacked Poloniex and gotten privileges to cover up a withdrawal, there would be no need for the legit deposit. The actions are consistent with him having some way of whisking the XCP out of the central wallet. And unless this is a vulnerability with XCP, the only way to do that would be to have total access to the wallet server, and as I said, he didn't take anything else.

He expressed a desire to work the problem out. It seems to have been a demonstration rather than a theft.

I feel like you are making grand show out of pointing out a potential flaw in a very public manner.

"Ya i've heard satoshi built a kill-switch into the genesis block of bitcoin and can tank it at any time".
See what I did there? Who the fuck knows? but talking about it out in the open is only going to frighten the lesser informed individuals.

This is something that should be discussed with the developers directly. Not tossed about on the forums for weak hands to see.

[TheMightyX]

The important matter is did the attacker withdraw the btc he received from dumping the XCP?
If not, the orders can be reversed and the private keys can be changed.

[vivinamie]

busoni,my xcp balance will back to poloniex account
and can withdraw?

[lonsharim]

The important matter is did the attacker withdraw the btc he received from dumping the XCP?
If not, the orders can be reversed and the private keys can be changed.

According to busoni attacker didn't withdraw all his btc ergo some was left behind and some was withdrawn. How much he has withdrawn has not specified.

[busoni]

Got a response from the guy, he explained the vulnerability. I am now contacting the devs privately.

Poloniex was not hacked.

[peled1986]

busoni please answer how many BTC the attacker still has in his account?
and if all users BTC are safe? (I am no talking about the btc the attacker got from the 35,000 xcp sell and withdraw)

[ddink7]

Guys, why don't we reserve judgement on Poloniex and Busoni until we hear back one way or the other from the devs. Until we hear from them, everything is just speculation.

Busoni says he explained the vulnerability, now we wait.

[busoni]

I messaged PhantomPhreak, but if any XCP developers are online right now, please message me right away.

The attacked left 35BTC in his account. He has been very cooperative so far and has asked for an address to return the BTC he took. I'll keep you all updated.

[ginko-B]

This is as good a time as any to make a plug for the DEX.

Let's fix the issue with trolling orders so we don't have to worry about centralized points of failure ever again.

+1

Why would a hacker wanting to make a demonstration have done the deed on Poloniex and not the DEX?  If he really wanted to show a problem with the protocol he would have hacked the DEX.

[lemfuture]

trouble in paradise  

[SyRenity]

Wow, that disappointing...
That said, I'm happy that it happened so early, before XCP has spread to other exchanges.

Also, seems that it will boost the Dex (as it should), as it seems to be much safer (or so I hope!).

[SyRenity]

Ok I think I see the vulnerability as well. I am inclined to believe busoni now. Hopefully the devs will get right on it.

The good news is if our benevolent attacker friend didn't withdraw his BTC everything can just be rolled back.

Clever attack.

Will you explain it after it was plugged?