All deposits, withdrawals, and markets are functioning normally. No further BTC will be deducted from anyone's balance.

On March 4th, 2014, about 12.3% of the BTC on Poloniex was stolen.

How Did It Happen?

The hacker found a vulnerability in the code that takes withdrawals. Here's what happens when you place a withdrawal:

1. Input validation.
2. Your balance is checked to see if you have enough funds.
3. If you do, your balance is deducted.
4. The withdrawal is inserted into the database.
5. The confirmation email is sent.
6. After you confirm the withdrawal, the withdrawal daemon picks it up and processes the withdrawal.

The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time. This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon.

What Did Poloniex Do Wrong?

The major problem here was that withdrawals should have been queued at every step of the way. This could not have happened if withdrawal requests were processed sequentially instead of simultaneously.

Additionally, auditing and security features were not explicitly looking for negative balances. They add deposits and withdrawals and check that accounts are in balance. If you have 2 BTC, withdraw 10 BTC, and are left with -8 BTC, the software would see that you deposited 2, withdrew 10, and have exactly what you should: -8.

What Did Poloniex Do Right?

The existing security features noticed unusual withdrawal activity and froze BTC. That is how the activity was discovered.

What Happens Now?

I take full responsibility for this and am committed to repaying the debt of BTC. The exchange funds are 12.3% short. Because there is not enough BTC to cover everyone's balances, all balances will temporarily be deducted by 12.3%. Please understand that this is an absolute necessity--if I did not make this adjustment, people would most likely withdraw all their BTC as soon as possible in order to make sure they weren't left in that remaining 12.3%. Aside from the obvious drawback of most of the BTC being taken out of the exchange, this would not be fair--some people would get all of their money right away, and a few would get none right away.

The amount deducted from everyone's balances will be recorded, and funds raised from exchange fees, as well as donations from my own pocket (which is not very deep, I'm afraid), will be distributed regularly to all users who have had BTC deducted. Exchange fees will be raised to expedite the recovery of the debt. 1.5% has been suggested by many people, but I will take input on this. Exchange fees will not be raised.

If I had the money to cover the entire debt right now, I would cover it in a heartbeat. I simply don't, and I can't just pull it out of thin air.

What Will Be Done to Prevent Further Exploits?

Withdrawals and order creation have been switched to a queued method, where the first step is to add the task to a global execution queue that is processed sequentially. Each step of critical database operations is verified before proceeding, and such operations are in the process of being converted to transactions. I have hired additional developers to help with tightening up security at Poloniex, as well as created a bug bounty.

-----

In conclusion...

I sincerely apologize for this, and I am very grateful to the many people who have already expressed their support and belief in my character. I take full responsibility; I will be donating some of my own money, and I will not be taking profit before the debt is paid.

I welcome your opinions on how to proceed, but please be constructive. I do not have the money to wave away the debt, so we'll need to work together.

How many bitcoins is 12.3%?

Address of the thief https://blockchain.info/address/1Ktq7TE3J5vZ3c99M5weqKfFcNkHQdqPrq
Total loss is around $50,000

Keep it up Busoni, will continue to support your exchange.

ps: have you checked my pm? please process deposit too, there're no pending deposit in my account but it has over 6 confirmations.

Seems like you're handling this very well.

How will this affect orders? I have most BTC on orders right now.

My all balance on orders. Thats my bad luck. I have  about %30 loss.

This sounds like a good idea. mcxNOW has mcxFEEs for this. Vircurex does something similar, but not to the degree that mcxNOW does.

I'd be interested in buying poloFEEs.

And +1 for the openness and honesty.

Go on working that hard and good! Thanks for the info!

I have just made a btc deposit a few mins ago so will mine be deducted as well even if I'm using the site for the first time?