Chuck Norris
Newbie
Offline
Activity: 4
Merit: 0
February 19, 2014, 06:43:43 PM
> As someone said before--do NOT buy XCP from anyone until this is fixed. Not on the DEX, not privately, not anywhere.
> It sounds like the hacker is being cooperative, so probably a good guy and aligned with the success of the project and helping us to harden the code. To resolve the situation, maybe devs could offer to pay the hacker a 'security bounty' to reward him for isolating this vulnerability and because he's been cooperative / good guy, and also create a standing "security bounty" for anyone else in the wider community who finds exploits in the future.
> Yes. Setting up a formal bug bounty system is definitely on our 'to do' list.
> Cityglut, I know you have a lot on your plate, but when you have some time perhaps you can send out a wallet address for a security bounty fund? If it turns out the "roll back" is 100% retroactive (and I get all of my XCP back on Poloniex), I will happily contribute 100 XCP to the bounty fund to get it started. As a proposal for the community, perhaps we could send the first, say, [1000] XCP raised to the whitehat who exposed this exploit? Will anyone else make a pledge to contribute alongside me?

I approve your proposal.
cityglut
February 19, 2014, 06:45:07 PM
> As someone said before--do NOT buy XCP from anyone until this is fixed. Not on the DEX, not privately, not anywhere.
> It sounds like the hacker is being cooperative, so probably a good guy and aligned with the success of the project and helping us to harden the code. To resolve the situation, maybe devs could offer to pay the hacker a 'security bounty' to reward him for isolating this vulnerability and because he's been cooperative / good guy, and also create a standing "security bounty" for anyone else in the wider community who finds exploits in the future.
> Yes. Setting up a formal bug bounty system is definitely on our 'to do' list.
> Cityglut, I know you have a lot on your plate, but when you have some time perhaps you can send out a wallet address for a security bounty fund? If it turns out the "roll back" is 100% retroactive (and I get all of my XCP back on Poloniex), I will happily contribute 100 XCP to the bounty fund to get it started. As a proposal for the community, perhaps we could send the first, say, [1000] XCP raised to the whitehat who exposed this exploit? Will anyone else make a pledge to contribute alongside me?

A great idea. This will be taken care of in the next few hours. Thanks again, everyone, for all the support, and for staying level-headed. It means a lot to us.
Tirapon
February 19, 2014, 06:51:36 PM
I'll also pledge 100 XCP to the bounty fund.
flayway
February 19, 2014, 06:53:43 PM
> As someone said before--do NOT buy XCP from anyone until this is fixed. Not on the DEX, not privately, not anywhere.
> It sounds like the hacker is being cooperative, so probably a good guy and aligned with the success of the project and helping us to harden the code. To resolve the situation, maybe devs could offer to pay the hacker a 'security bounty' to reward him for isolating this vulnerability and because he's been cooperative / good guy, and also create a standing "security bounty" for anyone else in the wider community who finds exploits in the future.
> Yes. Setting up a formal bug bounty system is definitely on our 'to do' list.
> Cityglut, I know you have a lot on your plate, but when you have some time perhaps you can send out a wallet address for a security bounty fund? If it turns out the "roll back" is 100% retroactive (and I get all of my XCP back on Poloniex), I will happily contribute 100 XCP to the bounty fund to get it started. As a proposal for the community, perhaps we could send the first, say, [1000] XCP raised to the whitehat who exposed this exploit? Will anyone else make a pledge to contribute alongside me?
> A great idea. This will be taken care of in the next few hours. Thanks again, everyone, for all the support, and for staying level-headed. It means a lot to us.

Maybe one address for this white hat, and then one address for a future bounty: if someone finds a big bug, that amount can turn a black hat into a white hat.
XCP: 19zzpgk3oakH2b7zd63mw3DadtNkvefVfo BTC: 1ASSkiRsqRUUp5Y8YQYnuc41fBbYR3iRD2
busoni
Sr. Member
Offline
Activity: 364
Merit: 250
Owner of Poloniex
February 19, 2014, 06:56:40 PM
Block index is being reindexed now. We're not out of the woods yet--I won't know what the situation on Poloniex is until I see what is in the balance, and the benevolent hacker has not returned the BTC yet. (He might be waiting to see how much XCP he has.) I'll keep everyone updated.
Poloniex.com - Fast crypto exchange with margin trading, advanced charts, and stop-limit orders
SyRenity
February 19, 2014, 06:57:16 PM
> Cityglut, I know you have a lot on your plate, but when you have some time perhaps you can send out a wallet address for a security bounty fund?
> If it turns out the "roll back" is 100% retroactive (and I get all of my XCP back on Poloniex), I will happily contribute 100 XCP to the bounty fund to get it started.
> As a proposal for the community, perhaps we could send the first, say, [1000] XCP raised to the whitehat who exposed this exploit?
> Will anyone else make a pledge to contribute alongside me?

+1, I will happily contribute.
riceberry
February 19, 2014, 06:59:07 PM
Thanks Busoni, and thanks benevolent hacker.
kdrop22
February 19, 2014, 07:02:09 PM
> Maybe one address for this white hat, and then one address for a future bounty: if someone finds a big bug, that amount can turn a black hat into a white hat.

Yes, agreed. Two addresses.
jimhsu
February 19, 2014, 07:08:07 PM
Good to see that the community is right on top of this. This is what makes this project tick.
I'll also earmark 10% of my poloniex balance for this "security bounty".
Rebuilding will take a few hours. Please check balances then.

In the fields of observation, chance favors only the prepared mind.
ddink7
Legendary
Offline
Activity: 1120
Merit: 1000
February 19, 2014, 07:11:01 PM
Just wanted to bump this post again for any newcomers. UPGRADE YOUR CLIENT BEFORE SENDING XCP ANYWHERE!
PhantomPhreak (OP)
Sr. Member
Offline
Activity: 476
Merit: 300
Counterparty Chief Scientist and Co-Founder
February 19, 2014, 07:17:42 PM
> Just wanted to bump this post again for any newcomers. UPGRADE YOUR CLIENT BEFORE SENDING XCP ANYWHERE!

It's worth repeating that counterpartyd, since v5.0, will force you to upgrade. (Of course this check can be disabled.)
Spekulatius
Legendary
Offline
Activity: 1022
Merit: 1000
February 19, 2014, 07:48:09 PM
> Just wanted to bump this post again for any newcomers. UPGRADE YOUR CLIENT BEFORE SENDING XCP ANYWHERE!
> It's worth repeating that counterpartyd, since v5.0, will force you to upgrade. (Of course this check can be disabled.)

I just wanted to ask whether you HAVE to upgrade, as this would be very concerning in case a malicious upgrade ever gets pushed.
Spekulatius
Legendary
Offline
Activity: 1022
Merit: 1000
February 19, 2014, 07:50:39 PM
If I regain all the XCP I bought today through this monster dump I also pledge 5% to the white hat (chapeau) and 5% to the security bounty.
BitcoinForumator
Legendary
Offline
Activity: 1120
Merit: 1000
February 19, 2014, 08:02:18 PM
Well done Busoni
halfcab123
Full Member
Offline
Activity: 224
Merit: 100
CabTrader v2 | crypto-folio.com
February 19, 2014, 08:20:34 PM
What's up with the massive dump?
DayTrade with less exposure to risk, by setting buy and sell spreads with CabTrader v2, buy now @ crypto-folio.com
PhantomPhreak (OP)
Sr. Member
Offline
Activity: 476
Merit: 300
Counterparty Chief Scientist and Co-Founder
February 19, 2014, 08:44:03 PM
> Just wanted to bump this post again for any newcomers. UPGRADE YOUR CLIENT BEFORE SENDING XCP ANYWHERE!
> It's worth repeating that counterpartyd, since v5.0, will force you to upgrade. (Of course this check can be disabled.)
> I just wanted to ask whether you HAVE to upgrade, as this would be very concerning in case a malicious upgrade ever gets pushed.

All upgrades are manual, if that's what you mean.
flayway
February 19, 2014, 09:02:02 PM
> What's up with the massive dump?

There was some bug, but the dev team solved it and updated the software really fast. It was really good luck that the hacker wore a white hat and doesn't want bad things for the coin, and is giving the BTC and XCP back, if I understand right. This also makes the community much stronger, and when this project succeeds maybe that also gives the coin a price, when everyone has already felt what it is to lose all or part of their coins. But still I don't understand where those 35k coins came from first to Polo..?

XCP: 19zzpgk3oakH2b7zd63mw3DadtNkvefVfo BTC: 1ASSkiRsqRUUp5Y8YQYnuc41fBbYR3iRD2
Spekulatius
Legendary
Offline
Activity: 1022
Merit: 1000
February 19, 2014, 09:11:11 PM
> Just wanted to bump this post again for any newcomers. UPGRADE YOUR CLIENT BEFORE SENDING XCP ANYWHERE!
> It's worth repeating that counterpartyd, since v5.0, will force you to upgrade. (Of course this check can be disabled.)
> I just wanted to ask whether you HAVE to upgrade, as this would be very concerning in case a malicious upgrade ever gets pushed.
> All upgrades are manual, if that's what you mean.

I mean: Do I HAVE to upgrade in order to keep using the client? Let's just assume some malicious actor manages to push a fake update onto the clients, or you guys make a mistake that opens the latest version of the client up to some vulnerability; then every client would have to update to stay functional and thus put everybody's XCP in limbo. I hope that's not how this works.
kdrop22
February 19, 2014, 09:13:41 PM
> What's up with the massive dump?
> But still I don't understand where those 35k coins came from first to Polo..?

Those 35K coins were the XCP deposits in Poloniex's central account. The white hat hacker withdrew these coins from the central address, deposited them back to Poloniex and sold them on the exchange for a low price. The order depth in Poloniex was around 100 BTC. So the hacker took these BTC, but left some of them in the exchange.
PhantomPhreak (OP)
Sr. Member
Offline
Activity: 476
Merit: 300
Counterparty Chief Scientist and Co-Founder
February 19, 2014, 09:13:51 PM
> This is as good a time as any to make a plug for the DEX.
> Let's fix the issue with trolling orders so we don't have to worry about centralized points of failure ever again.

The rules just changed, and troll orders shouldn't be a problem any more. In any case, we need a chance to see how the current protocol works before making any changes to it.