Bitcoin Forum
Topic: [ANN][XCP] Counterparty - Pioneering Peer-to-Peer Finance - Official Thread (Read 1276322 times)
Chuck Norris
Newbie
February 19, 2014, 06:43:43 PM
 #3541

As someone said before--do NOT buy XCP from anyone until this is fixed. Not on the DEX, not privately, not anywhere.

It sounds like the hacker is being cooperative, so probably a good guy and aligned with the success of the project and helping us to harden the code.

To resolve the situation, maybe devs could offer to pay the hacker a 'security bounty' to reward him for isolating this vulnerability and because he's been cooperative / good guy, and also create a standing "security bounty" for anyone else in the wider community who finds exploits in the future.

Yes. Setting up a formal bug bounty system is definitely on our 'to do' list.

Cityglut, I know you have a lot on your plate, but when you have some time perhaps you can send out a wallet address for a security bounty fund?  

If it turns out the "roll back" is 100% retroactive (and I get all of my XCP back on Poloniex), I will happily contribute 100 XCP to the bounty fund to get it started.

As a proposal for the community, perhaps we could send the first, say, [1000] XCP raised to the whitehat who exposed this exploit?

Will anyone else make a pledge to contribute alongside me?    



I approve your proposal.
cityglut
Full Member
February 19, 2014, 06:45:07 PM
 #3542

As someone said before--do NOT buy XCP from anyone until this is fixed. Not on the DEX, not privately, not anywhere.

It sounds like the hacker is being cooperative, so probably a good guy and aligned with the success of the project and helping us to harden the code.

To resolve the situation, maybe devs could offer to pay the hacker a 'security bounty' to reward him for isolating this vulnerability and because he's been cooperative / good guy, and also create a standing "security bounty" for anyone else in the wider community who finds exploits in the future.

Yes. Setting up a formal bug bounty system is definitely on our 'to do' list.

Cityglut, I know you have a lot on your plate, but when you have some time perhaps you can send out a wallet address for a security bounty fund?  

If it turns out the "roll back" is 100% retroactive (and I get all of my XCP back on Poloniex), I will happily contribute 100 XCP to the bounty fund to get it started.

As a proposal for the community, perhaps we could send the first, say, [1000] XCP raised to the whitehat who exposed this exploit?

Will anyone else make a pledge to contribute alongside me?    



A great idea. This will be taken care of in the next few hours. Thanks again, everyone, for all the support, and for staying level-headed. It means a lot to us.
Tirapon
Hero Member
February 19, 2014, 06:51:36 PM
 #3543

I'll also pledge 100 XCP to the bounty fund.
flayway
Full Member
February 19, 2014, 06:53:43 PM
 #3544

As someone said before--do NOT buy XCP from anyone until this is fixed. Not on the DEX, not privately, not anywhere.

It sounds like the hacker is being cooperative, so probably a good guy and aligned with the success of the project and helping us to harden the code.

To resolve the situation, maybe devs could offer to pay the hacker a 'security bounty' to reward him for isolating this vulnerability and because he's been cooperative / good guy, and also create a standing "security bounty" for anyone else in the wider community who finds exploits in the future.

Yes. Setting up a formal bug bounty system is definitely on our 'to do' list.

Cityglut, I know you have a lot on your plate, but when you have some time perhaps you can send out a wallet address for a security bounty fund?  

If it turns out the "roll back" is 100% retroactive (and I get all of my XCP back on Poloniex), I will happily contribute 100 XCP to the bounty fund to get it started.

As a proposal for the community, perhaps we could send the first, say, [1000] XCP raised to the whitehat who exposed this exploit?

Will anyone else make a pledge to contribute alongside me?    



A great idea. This will be taken care of in the next few hours. Thanks again, everyone, for all the support, and for staying level-headed. It means a lot to us.

Maybe one address for this white hat and then one address for a future bounty; if someone finds a big bug, that amount can turn a black hat into a white hat.

busoni
Sr. Member
Owner of Poloniex
February 19, 2014, 06:56:40 PM
 #3545

Block index is being reindexed now. We're not out of the woods yet--I won't know what the situation on Poloniex is until I see what is in the balance, and the benevolent hacker has not returned the BTC yet. (He might be waiting to see how much XCP he has.) I'll keep everyone updated.

SyRenity
Hero Member
February 19, 2014, 06:57:16 PM
 #3546

Cityglut, I know you have a lot on your plate, but when you have some time perhaps you can send out a wallet address for a security bounty fund?  

If it turns out the "roll back" is 100% retroactive (and I get all of my XCP back on Poloniex), I will happily contribute 100 XCP to the bounty fund to get it started.

As a proposal for the community, perhaps we could send the first, say, [1000] XCP raised to the whitehat who exposed this exploit?

Will anyone else make a pledge to contribute alongside me?    

+1, I will happily contribute.
riceberry
Hero Member
February 19, 2014, 06:59:07 PM
 #3547

Thanks Busoni, and thanks benevolent hacker
kdrop22
Full Member
February 19, 2014, 07:02:09 PM
 #3548


Maybe one address for this white hat and then one address for a future bounty; if someone finds a big bug, that amount can turn a black hat into a white hat.

Yes, agreed. Two addresses.
jimhsu
Sr. Member
February 19, 2014, 07:08:07 PM
 #3549

Good to see that the community is right on top of this. This is what makes this project tick.

I'll also earmark 10% of my Poloniex balance for this "security bounty".

Rebuilding will take a few hours. Please check balances then.

In the fields of observation, chance favors only the prepared mind
ddink7
Legendary
February 19, 2014, 07:11:01 PM
 #3550

Attention: Please see this post.

Just wanted to bump this post again for any newcomers.

UPGRADE YOUR CLIENT BEFORE SENDING XCP ANYWHERE!

PhantomPhreak (OP)
Sr. Member
Counterparty Chief Scientist and Co-Founder
February 19, 2014, 07:17:42 PM
 #3551

Attention: Please see this post.

Just wanted to bump this post again for any newcomers.

UPGRADE YOUR CLIENT BEFORE SENDING XCP ANYWHERE!

It's worth repeating that counterpartyd, since v5.0, will force you to upgrade. (Of course this check can be disabled.)
Spekulatius
Legendary
February 19, 2014, 07:48:09 PM
 #3552

Attention: Please see this post.

Just wanted to bump this post again for any newcomers.

UPGRADE YOUR CLIENT BEFORE SENDING XCP ANYWHERE!

It's worth repeating that counterpartyd, since v5.0, will force you to upgrade. (Of course this check can be disabled.)

I just wanted to ask whether you HAVE to upgrade as this would be very concerning in case a malicious upgrade ever gets pushed.
Spekulatius
Legendary
February 19, 2014, 07:50:39 PM
 #3553

If I regain all the XCP I bought today through this monster dump I also pledge 5% to the white hat (chapeau) and 5% to the security bounty.
BitcoinForumator
Legendary
February 19, 2014, 08:02:18 PM
 #3554

Well done, Busoni


halfcab123
Full Member
February 19, 2014, 08:20:34 PM
 #3555

What's up with the massive dump?

PhantomPhreak (OP)
Sr. Member
Counterparty Chief Scientist and Co-Founder
February 19, 2014, 08:44:03 PM
 #3556

Attention: Please see this post.

Just wanted to bump this post again for any newcomers.

UPGRADE YOUR CLIENT BEFORE SENDING XCP ANYWHERE!

It's worth repeating that counterpartyd, since v5.0, will force you to upgrade. (Of course this check can be disabled.)

I just wanted to ask whether you HAVE to upgrade as this would be very concerning in case a malicious upgrade ever gets pushed.

All upgrades are manual, if that's what you mean.
flayway
Full Member
February 19, 2014, 09:02:02 PM
 #3557

What's up with the massive dump?

There was some bug, but the dev team solved it and updated the software really fast. It was really good luck that the hacker wore a white hat and doesn't want bad for the coin and is giving the BTC and XCP back, if I understand right. This also makes the community much stronger, and when this project succeeds maybe that also gives price to the coin, when everyone has already felt what it is like to lose all or part of their coins.

But still I don't understand where those 35k coins came from first to Polo..?

Spekulatius
Legendary
February 19, 2014, 09:11:11 PM
 #3558

Attention: Please see this post.

Just wanted to bump this post again for any newcomers.

UPGRADE YOUR CLIENT BEFORE SENDING XCP ANYWHERE!

It's worth repeating that counterpartyd, since v5.0, will force you to upgrade. (Of course this check can be disabled.)

I just wanted to ask whether you HAVE to upgrade as this would be very concerning in case a malicious upgrade ever gets pushed.

All upgrades are manual, if that's what you mean.

I mean: Do I HAVE to upgrade in order to keep using the client?

Let's just assume some malicious actor manages to push a fake update onto the clients, or you guys make a mistake that opens the latest version of the client up to some vulnerability, then every client would have to update to stay functional and thus put everybody's XCP in limbo.

I hope that's not how this works.
kdrop22
Full Member
February 19, 2014, 09:13:41 PM
 #3559

What's up with the massive dump?

But still I don't understand where those 35k coins came from first to Polo..?

Those 35K coins were the XCP deposits in Poloniex's central account. The white hat hacker withdrew these coins from the central address, deposited them back to Poloniex and sold them on the exchange for a low price.
The order depth in Poloniex was around 100 BTC. So, the hacker took these BTC, but left some of them in the exchange.
PhantomPhreak (OP)
Sr. Member
Counterparty Chief Scientist and Co-Founder
February 19, 2014, 09:13:51 PM
 #3560

This is as good a time as any to make a plug for the DEX.

Let's fix the issue with trolling orders so we don't have to worry about centralized points of failure ever again.

The rules just changed, and troll orders shouldn't be a problem any more. In any case, we need a chance to see how the current protocol works before making any changes to it.