BTC Stolen from Poloniex

[Biomech]

Kudos for being transparent about the problems with your exchange. I know that some people doubted you at first when the XCP was stolen, but that turned out to not be your fault. Now when it actually is the fault of your exchange you are immediately holding your hand up. That takes courage and shows your integrity!  

I agree with all the previous posters here who have suggested that you sell some shares of your exchange instead of dramatically raising the fees across the board.

I know that a lot of people don't like https://cryptostocks.com/ but I think that has more to do with the projects/companies that are listed there than the actual exchange itself. It would be an easy and quick way to raise the money needed to re-pay what was stolen, and your users wouldn't be forced to take a loss.

Raising the fees to 1,5% is only going to hurt the exchange IMO, even if it's temporary. Perhaps you could increase them 50% from the current level, but increasing them to 1,5% is really a lot!

I have another suggestion.

It's kind of depending on if you follow through with the idea of doing an IPO or not, but I think it's something worth considering if you do.

How about raising enough money to create an "insurance fund" that will be available for those users who are willing to accept a slightly higher trading fee than uninsured users?

You would keep this fund in cold storage and it would be completely transparent on the blockchain for everyone to verify. It would only be used to reimburse those accounts that had paid the higher trading fee in case of another hack of the exchange. By making it voluntary it doesn't hurt anyone who doesn't want to pay the extra fee, and as the income from the insurance premiums increase so will the level of insurance. This will make Poloniex the first exchange where user funds are insured. Perhaps you could even make the funds on that cold storage account multisignature with 2 trusted members from the community, that way anyone who doubts your integrity will feel a lot safer as well...

I know that I would certainly be willing to pay a slightly higher fee to sleep a little better knowing that even if you are hacked again at least I will get reimbursed, and I'm sure there are a lot of sad MtGox users who feel the same way.

I'm embarrassed to admit that the second I saw something about Poloniex being hacked I immediately attempted a withdrawal of my BTC from there. They are now "stuck in limbo" but I assume that they will show back up again once you have reversed the attempted transactions?

This is a truly great idea. I could only offer one expansion. Rather than making it internal, perhaps a group of us could put together an insurance package and market it to exchanges and such. Then it's completely third party, eliminating one layer of trust.

[1715182130]

1715182130

[bmgbmg]

It's all good, Poloniex probably made $50k in the AUR exchange yesterday alone! 

Whichever the case, it's a great site.  Just another reason I never leave coins on exchanges overnight.

[negritaman]

Kudos for being transparent about the problems with your exchange. I know that some people doubted you at first when the XCP was stolen, but that turned out to not be your fault. Now when it actually is the fault of your exchange you are immediately holding your hand up. That takes courage and shows your integrity!  

I agree with all the previous posters here who have suggested that you sell some shares of your exchange instead of dramatically raising the fees across the board.

I know that a lot of people don't like https://cryptostocks.com/ but I think that has more to do with the projects/companies that are listed there than the actual exchange itself. It would be an easy and quick way to raise the money needed to re-pay what was stolen, and your users wouldn't be forced to take a loss.

Raising the fees to 1,5% is only going to hurt the exchange IMO, even if it's temporary. Perhaps you could increase them 50% from the current level, but increasing them to 1,5% is really a lot!

I have another suggestion.

It's kind of depending on if you follow through with the idea of doing an IPO or not, but I think it's something worth considering if you do.

How about raising enough money to create an "insurance fund" that will be available for those users who are willing to accept a slightly higher trading fee than uninsured users?

You would keep this fund in cold storage and it would be completely transparent on the blockchain for everyone to verify. It would only be used to reimburse those accounts that had paid the higher trading fee in case of another hack of the exchange. By making it voluntary it doesn't hurt anyone who doesn't want to pay the extra fee, and as the income from the insurance premiums increase so will the level of insurance. This will make Poloniex the first exchange where user funds are insured. Perhaps you could even make the funds on that cold storage account multisignature with 2 trusted members from the community, that way anyone who doubts your integrity will feel a lot safer as well...

I know that I would certainly be willing to pay a slightly higher fee to sleep a little better knowing that even if you are hacked again at least I will get reimbursed, and I'm sure there are a lot of sad MtGox users who feel the same way.

I'm embarrassed to admit that the second I saw something about Poloniex being hacked I immediately attempted a withdrawal of my BTC from there. They are now "stuck in limbo" but I assume that they will show back up again once you have reversed the attempted transactions?

This is a truly great idea. I could only offer one expansion. Rather than making it internal, perhaps a group of us could put together an insurance package and market it to exchanges and such. Then it's completely third party, eliminating one layer of trust.

the shills are rife today else i am in the land of mindless fckwits

Next you will be suggesting derivatives on the insurance losses ffs

[GordonSSS]

Maths not your strong point, eh?

24-hour AUR volume = ~341.59 BTC. Fees are 0.2% (buy and sell)

A lot of money for sure...but not $50k!

It's all good, Poloniex probably made $50k in the AUR exchange yesterday alone! 

Whichever the case, it's a great site.  Just another reason I never leave coins on exchanges overnight.

[IrReAr]

Oh gosh. You may make some shares for 30-40% of fees to investors to cover this as cryptsy did.

[fairglu]

Yeah, share all the risk but none the profits of that business.   Sounds wonderful. LOL

Indeed. That's why offering shares with dividends should be the best solution.

Otherwise users only get the risks.

[Biomech]

Kudos for being transparent about the problems with your exchange. I know that some people doubted you at first when the XCP was stolen, but that turned out to not be your fault. Now when it actually is the fault of your exchange you are immediately holding your hand up. That takes courage and shows your integrity!  

I agree with all the previous posters here who have suggested that you sell some shares of your exchange instead of dramatically raising the fees across the board.

I know that a lot of people don't like https://cryptostocks.com/ but I think that has more to do with the projects/companies that are listed there than the actual exchange itself. It would be an easy and quick way to raise the money needed to re-pay what was stolen, and your users wouldn't be forced to take a loss.

Raising the fees to 1,5% is only going to hurt the exchange IMO, even if it's temporary. Perhaps you could increase them 50% from the current level, but increasing them to 1,5% is really a lot!

I have another suggestion.

It's kind of depending on if you follow through with the idea of doing an IPO or not, but I think it's something worth considering if you do.

How about raising enough money to create an "insurance fund" that will be available for those users who are willing to accept a slightly higher trading fee than uninsured users?

You would keep this fund in cold storage and it would be completely transparent on the blockchain for everyone to verify. It would only be used to reimburse those accounts that had paid the higher trading fee in case of another hack of the exchange. By making it voluntary it doesn't hurt anyone who doesn't want to pay the extra fee, and as the income from the insurance premiums increase so will the level of insurance. This will make Poloniex the first exchange where user funds are insured. Perhaps you could even make the funds on that cold storage account multisignature with 2 trusted members from the community, that way anyone who doubts your integrity will feel a lot safer as well...

I know that I would certainly be willing to pay a slightly higher fee to sleep a little better knowing that even if you are hacked again at least I will get reimbursed, and I'm sure there are a lot of sad MtGox users who feel the same way.

I'm embarrassed to admit that the second I saw something about Poloniex being hacked I immediately attempted a withdrawal of my BTC from there. They are now "stuck in limbo" but I assume that they will show back up again once you have reversed the attempted transactions?

This is a truly great idea. I could only offer one expansion. Rather than making it internal, perhaps a group of us could put together an insurance package and market it to exchanges and such. Then it's completely third party, eliminating one layer of trust.

the shills are rife today else i am in the land of mindless fckwits

Next you will be suggesting derivatives on the insurance losses ffs

I ain't no fuckin' shill. The closest I come is my sig, and I do business with those people.

Insurance is not a scam. REGULATED insurance IS. I'm getting old, so I remember when it wasn't regulated on automobile insurance. As soon as they bought some senators to "save money for responsible people" the rates rose over 5 times.

But insurance in and of itself is a good idea. It mitigates risk, and in so doing promotes trade. An exchange that had deposit insurance from a reputable and transparent insurance agency would attract more business than one that don't.

If such instruments do not appear in the crypto world, it will have its growth stunted. If we want mainstream adoption, then there are things like insurance houses and loan companies that will have to exist.

What I don't want to see is such entities being regulated by governments, because that will kill the coin in short order. You'll have taxes and regulations and oversight and ad nauseam. But a few insurance pools? That's a whole 'nother animal. So long as the insurance is voluntary, either paid by the exchange holder or the individual investor, then it's not only not a problem, it should encourage trade. Yes, there is some moral hazard there, but we need some risk takers to build the economy. As big as it's gotten, bitcoin is still small potatoes compared to most fiat currencies. We can build on the good models and ditch the bad ones. Some things are inherent to markets, and risk mitigation is one of them. Given the public ledger, it's unlikely that an insurance agent could take the bag and run. Any such company would have to identify themselves to the public, or only fools would pay. This would garner a level of accountability and trust that's sorely needed in the public exchanges.

[negritaman]

Kudos for being transparent about the problems with your exchange. I know that some people doubted you at first when the XCP was stolen, but that turned out to not be your fault. Now when it actually is the fault of your exchange you are immediately holding your hand up. That takes courage and shows your integrity!  

I agree with all the previous posters here who have suggested that you sell some shares of your exchange instead of dramatically raising the fees across the board.

I know that a lot of people don't like https://cryptostocks.com/ but I think that has more to do with the projects/companies that are listed there than the actual exchange itself. It would be an easy and quick way to raise the money needed to re-pay what was stolen, and your users wouldn't be forced to take a loss.

Raising the fees to 1,5% is only going to hurt the exchange IMO, even if it's temporary. Perhaps you could increase them 50% from the current level, but increasing them to 1,5% is really a lot!

I have another suggestion.

It's kind of depending on if you follow through with the idea of doing an IPO or not, but I think it's something worth considering if you do.

How about raising enough money to create an "insurance fund" that will be available for those users who are willing to accept a slightly higher trading fee than uninsured users?

You would keep this fund in cold storage and it would be completely transparent on the blockchain for everyone to verify. It would only be used to reimburse those accounts that had paid the higher trading fee in case of another hack of the exchange. By making it voluntary it doesn't hurt anyone who doesn't want to pay the extra fee, and as the income from the insurance premiums increase so will the level of insurance. This will make Poloniex the first exchange where user funds are insured. Perhaps you could even make the funds on that cold storage account multisignature with 2 trusted members from the community, that way anyone who doubts your integrity will feel a lot safer as well...

I know that I would certainly be willing to pay a slightly higher fee to sleep a little better knowing that even if you are hacked again at least I will get reimbursed, and I'm sure there are a lot of sad MtGox users who feel the same way.

I'm embarrassed to admit that the second I saw something about Poloniex being hacked I immediately attempted a withdrawal of my BTC from there. They are now "stuck in limbo" but I assume that they will show back up again once you have reversed the attempted transactions?

This is a truly great idea. I could only offer one expansion. Rather than making it internal, perhaps a group of us could put together an insurance package and market it to exchanges and such. Then it's completely third party, eliminating one layer of trust.

the shills are rife today else i am in the land of mindless fckwits

Next you will be suggesting derivatives on the insurance losses ffs

I ain't no fuckin' shill. The closest I come is my sig, and I do business with those people.

Insurance is not a scam. REGULATED insurance IS. I'm getting old, so I remember when it wasn't regulated on automobile insurance. As soon as they bought some senators to "save money for responsible people" the rates rose over 5 times.

But insurance in and of itself is a good idea. It mitigates risk, and in so doing promotes trade. An exchange that had deposit insurance from a reputable and transparent insurance agency would attract more business than one that don't.

If such instruments do not appear in the crypto world, it will have its growth stunted. If we want mainstream adoption, then there are things like insurance houses and loan companies that will have to exist.

What I don't want to see is such entities being regulated by governments, because that will kill the coin in short order. You'll have taxes and regulations and oversight and ad nauseam. But a few insurance pools? That's a whole 'nother animal. So long as the insurance is voluntary, either paid by the exchange holder or the individual investor, then it's not only not a problem, it should encourage trade. Yes, there is some moral hazard there, but we need some risk takers to build the economy. As big as it's gotten, bitcoin is still small potatoes compared to most fiat currencies. We can build on the good models and ditch the bad ones. Some things are inherent to markets, and risk mitigation is one of them. Given the public ledger, it's unlikely that an insurance agent could take the bag and run. Any such company would have to identify themselves to the public, or only fools would pay. This would garner a level of accountability and trust that's sorely needed in the public exchanges.

I take it back bud, but when I see those promoting mechanisms that smack of fractional reserve abuse I get a bit hot under the collar.

IF an exchange is serious they will make sure there is a rain day fund to cover this sort of thing, they could even use it as a promotional positive aspect and list the insurance fund in an open manner but should there be situation of two tier trading where some given a leg up because of circumstance ( ie existing wealth in fiat ) while others actually have to mine for value then I would not be recommending that and would not like to see it be implemented.

All central banks run a policy of issuing debt not credit and they are subject to terminal failure by design, if you charge someone to print notes for them, where does the value come from to pay the debt if you need to pay fee's to access the paper to pay it off. We are better off thinking up new mechanisms that enable us to retain control of what we have worked for than to just change the symbol in front of the digits and its business usual.

http://perfecteconomy.com/wp/

How it could be applied to crypto is anyones guess but here is a better way than fractional reserve, I know Mike personally and although his people skills could do with a polish the concept is sound.

We need less lawyers, tax collectors, accountants, solicitors, notaries ect and a hell of a lot more trust and respect for each other else whats the point ?

 

[turboblade]

If coinmarket is suffering from similar issues but is really bad at PR then its all good lads, both markets have shown promise and i would, despite my previous rants like to see both move forwards better and stronger.

In the meantime perhaps the group known as annonymous would consider digging out those trying to destroy the credibility of the coin exchanges and have a quiet word in their shell like and maybe empty thier wallets to enable those without food on the table to get by a bit better where therse are no opportunities such as we have here.

If annonymous is truly the internet version of the A team and you can find them and hire them i would really like to see a plan come together, I am just a little man and this shit is way above my head.

+1 to Poloniex for biting the bullet and being straight up with us

I don't see how they are being straight up. Where are our deposits.

You mean you attempted to send coins to a paused trading engine without realising the site was down bud ? In the first description of the problem there was a suggestion that pending transactions would be reset for the resumption of trading.

If you had stuff on deposit then you will have to wait because the engine was shut down to an exploit, its inconvinient but I am not doubting the sincerity of the people running the two exchanges, I hope they just don't say fuckit and throw the towel in as it would be a mutual loss.

Correct me if im wrong but where exactly does it say please don't make any btc deposits. They will happily take them, just not credit them to my account

[timmmers]

I can't help thinking that some kind of agreement between entities like exchanges and wallets to blacklist addresses and make conversion harder would help. Not much point in stealing BTC if you can't exchange it to currency. We're all sitting here able to watch that guy move his ill gotten gains around, we see all the wallet addresses, if they were blacklisted, what could he do with it?

[ryback]

i deposit 5 btc 1 hour ago and what next?
my btc are frozen in network
and where exactly does it say please don't make any btc deposits!!!!!

[Biomech]

Kudos for being transparent about the problems with your exchange. I know that some people doubted you at first when the XCP was stolen, but that turned out to not be your fault. Now when it actually is the fault of your exchange you are immediately holding your hand up. That takes courage and shows your integrity!  

I agree with all the previous posters here who have suggested that you sell some shares of your exchange instead of dramatically raising the fees across the board.

I know that a lot of people don't like https://cryptostocks.com/ but I think that has more to do with the projects/companies that are listed there than the actual exchange itself. It would be an easy and quick way to raise the money needed to re-pay what was stolen, and your users wouldn't be forced to take a loss.

Raising the fees to 1,5% is only going to hurt the exchange IMO, even if it's temporary. Perhaps you could increase them 50% from the current level, but increasing them to 1,5% is really a lot!

I have another suggestion.

It's kind of depending on if you follow through with the idea of doing an IPO or not, but I think it's something worth considering if you do.

How about raising enough money to create an "insurance fund" that will be available for those users who are willing to accept a slightly higher trading fee than uninsured users?

You would keep this fund in cold storage and it would be completely transparent on the blockchain for everyone to verify. It would only be used to reimburse those accounts that had paid the higher trading fee in case of another hack of the exchange. By making it voluntary it doesn't hurt anyone who doesn't want to pay the extra fee, and as the income from the insurance premiums increase so will the level of insurance. This will make Poloniex the first exchange where user funds are insured. Perhaps you could even make the funds on that cold storage account multisignature with 2 trusted members from the community, that way anyone who doubts your integrity will feel a lot safer as well...

I know that I would certainly be willing to pay a slightly higher fee to sleep a little better knowing that even if you are hacked again at least I will get reimbursed, and I'm sure there are a lot of sad MtGox users who feel the same way.

I'm embarrassed to admit that the second I saw something about Poloniex being hacked I immediately attempted a withdrawal of my BTC from there. They are now "stuck in limbo" but I assume that they will show back up again once you have reversed the attempted transactions?

This is a truly great idea. I could only offer one expansion. Rather than making it internal, perhaps a group of us could put together an insurance package and market it to exchanges and such. Then it's completely third party, eliminating one layer of trust.

the shills are rife today else i am in the land of mindless fckwits

Next you will be suggesting derivatives on the insurance losses ffs

I ain't no fuckin' shill. The closest I come is my sig, and I do business with those people.

Insurance is not a scam. REGULATED insurance IS. I'm getting old, so I remember when it wasn't regulated on automobile insurance. As soon as they bought some senators to "save money for responsible people" the rates rose over 5 times.

But insurance in and of itself is a good idea. It mitigates risk, and in so doing promotes trade. An exchange that had deposit insurance from a reputable and transparent insurance agency would attract more business than one that don't.

If such instruments do not appear in the crypto world, it will have its growth stunted. If we want mainstream adoption, then there are things like insurance houses and loan companies that will have to exist.

What I don't want to see is such entities being regulated by governments, because that will kill the coin in short order. You'll have taxes and regulations and oversight and ad nauseam. But a few insurance pools? That's a whole 'nother animal. So long as the insurance is voluntary, either paid by the exchange holder or the individual investor, then it's not only not a problem, it should encourage trade. Yes, there is some moral hazard there, but we need some risk takers to build the economy. As big as it's gotten, bitcoin is still small potatoes compared to most fiat currencies. We can build on the good models and ditch the bad ones. Some things are inherent to markets, and risk mitigation is one of them. Given the public ledger, it's unlikely that an insurance agent could take the bag and run. Any such company would have to identify themselves to the public, or only fools would pay. This would garner a level of accountability and trust that's sorely needed in the public exchanges.

I take it back bud, but when I see those promoting mechanisms that smack of fractional reserve abuse I get a bit hot under the collar.

IF an exchange is serious they will make sure there is a rain day fund to cover this sort of thing, they could even use it as a promotional positive aspect and list the insurance fund in an open manner but should there be situation of two tier trading where some given a leg up because of circumstance ( ie existing wealth in fiat ) while others actually have to mine for value then I would not be recommending that and would not like to see it be implemented.

All central banks run a policy of issuing debt not credit and they are subject to terminal failure by design, if you charge someone to print notes for them, where does the value come from to pay the debt if you need to pay fee's to access the paper to pay it off. We are better off thinking up new mechanisms that enable us to retain control of what we have worked for than to just change the symbol in front of the digits and its business usual.

http://perfecteconomy.com/wp/

How it could be applied to crypto is anyones guess but here is a better way than fractional reserve, I know Mike personally and although his people skills could do with a polish the concept is sound.

We need less lawyers, tax collectors, accountants, solicitors, notaries ect and a hell of a lot more trust and respect for each other else whats the point ?

 

Haven't followed the link yet, so no comment so far . As to fractional reserve, we are on the same page. I'm a student of the Austrian school of economics. While insurance can be abused, it's not fractional reserve in any sense.

I'm running low on caffeine, so I'll leave it at that for now. No offense taken, other than the shill remark. I'll sell shit, but I won't hide it or mount a pretense. I'm far too arrogant for such tactics

[duazo]

So let me get this straight.

You got hacked because your system was faulty and didn't check for negative balances.
You have no money to reimburse your users so you're going to deduct a percentage of everyone's BTC.
You're then going to make this money back by temporarily increasing trading fees which your users will incur whilst using the site.

10/10 top ruse

But there's a big difference between everyone with balances on the exchange losing 12% and increasing fees for a while. If everyone loses 12%, then that's something that's happened to them without any knowledge of it. They're an innocent victim. If he raises the fees, however, then anyone trading will be aware of this, and it's their decision whether they choose to pay the 1.5% fee or not. It's completely fair.

[duazo]

(copy from my post on Reddit)

I understand that the updates to users' balances in the database are not of the atomic-test-and-set kind.
The workaround that the site owner says will implement is still allowing for parallel operations, although now the operations will test the balance first.
IMO that is not good enough. You need atomic test-and-set, point. Without it you'll have other race conditions and it is just a matter of time until next vulnerability is found no matter how good you think you have mitigated the problem today.

I think you're misunderstanding. That's just his temporary hotfix. He said that he will be adding atomicity to the entire withdrawal process (not just the balance in the database) as the long-term solution.

[duazo]

The major problem here is that the auditing and security features were not explicitly looking for negative balances. They add deposits and withdrawals and check that accounts are in balance. If you have 2 BTC, withdraw 10 BTC, and are left with -8 BTC, the software would see that you deposited 2, withdrew 10, and have exactly what you should: -8.


This is pathetic. Any programmers would not have allowed this to happen in the first place. It's basic programming level. If you have 2 BTC, withdraw 10 BTC, then "withdrawal rejected due to lack of funds."

I think you've misunderstood. The problem wasn't that it didn't check for negative balance. If you had 2 BTC, it would not let you withdraw a single amount of 10 BTC. The problem was that the withdrawals did not have atomicity, meaning that you could withdraw 10 BTC from a balance of 2 BTC by spamming lots of withdrawals for 1 BTC in a very short space of time.

[iampingu]

This is more of a successful scam than good old gox.

Nobody seems to care?

[turboblade]

i deposit 5 btc 1 hour ago and what next?
my btc are frozen in network
and where exactly does it say please don't make any btc deposits!!!!!

+1

[EuroTrash]

BTW: this is the by-the-book definition of a bail-in. Isn't it ironic?

[arielbit]

thieving can be detected like this..mt gox lost so many, unbelievable..

[odotan]

I was not aware of this theft, and I stupidly sent in 10 BTC about 7 hours after your twitter announcement

https://blockchain.info/address/16CBhYouzdB4xgxeZ76RjF8wBRimtvMB2k

https://twitter.com/Poloniex/status/440734781689446400

I expect to get the entire 10BTC balance back, and NOT 12.3% less, as I would've expected you to block deposits as well, or at least put up a sign on the front page of the site waring about the hack.

Please confirm that you agree and will do so. Thank you.