I think you have misunderstood.
No one is saying that the operator of Poloniex was warned about his poor programming ability before his exchange was hacked. That would be impossible since no one has seen the code.
The only reason that anyone is able to accuse Poloniex's operator of not knowing what they are doing code-wise is due to the explanation of the root cause — multiple in-flight database transactions all being allowed to go through resulting in negative account balance.
After that revelation, many people warned that this level of ability is not sufficient to run something that is managing other people's money. For that reason it was suggested it should shut down, or at least hire competent developers to perform an an audit and provide ongoing development.
There has been no indication that Poloniex has hired more skilled developers, done a code audit or any of that.
Once again, no one is suggesting that Poloniex was warned of this problem before it was actually exploited. That would be impossible. The issue is that it hasn't been mitigated — nothing's actually been fixed (apparently)! The warnings have been ignored.
Gotcha. Thanks for the explanation. I did read that as "he was warned" and my response was "Yeah, after it happened?"
I also run an exchange. We coded everything internally. I personally have been writing code for about 15 years. While the mistake poloniex made was a bad one (you check balances at every step) people are not infallable. There is always someone out there smarter than you, faster than you, trickier than you.
The claim that he didnt prove he hired a competent programmer is, again, disingenuous. There is no such thing as a programmer you can hire that can make you hack proof. I used to work for an IT company that was poor, and it was the most amazing job ever. We have $57 and need a new mail server. Go. And I rocked that.
Then we got money and grants and it was here's a $25,000 grant, we need a new fileserver, go. So I went, and said we can do it for $5k, and I was told no, we need to hire a competent company to oversee the project.
Nevermind the fact I could save them $20,000, nevermind the fact I had more years experience than the company we hired was in business, nevermind the fact that what they wound up with was a slow, bloated system with a $6,000 a year maintenance agreement on top of the $25k they spent...
People seem to think that throwing money at a problem makes a better product.
I personally code AllCrypt.com - and "it's a homemade piece of junk". But I could contract myself out at $200 an hour and someone pays me $20k to make an exchange for them and slap a "Built by CyberSystems Security and Code" label on it, and wow, it's such a well made system.
Money doesn't fix problems. Money makes you feel better that there are no problems, when no one, NO ONE, is infallible and there is ALWAYS a hacker out there who's better than you, or better than the money you spent.
We got hacked. Because I had a stupid typo in one of the files (a 'are you logged in as the user that this email change request was for' always evaluated true). Someone who was a lot more inventive than I was found it. It wasnt an error, it wasn't poor database coding, it wasn't something that would even be seen on a security scan or site checkout. It was someone, who intended to steal coins, tried to do, thinking "Hmm lets try this" - and found the hole.
It does not mean that the site was poorly made. It does not mean that I'm an idiot who cannot be trusted. It does not mean that if I throw $10,000 at someone the site will magically be better.
It means a human mistake was made a a tricky bastard found it. We fixed it, we were back up in less than 48 hours, and as a result did another security audit and tightened up other areas just to be sure. I'm glad the hack happened how and when it did. We were open and honest about it. Thats what matters.
Berating someone for doing the right thing (in SO many ways) and then saying their site is crap because they didn't throw a pile of money at someone to make you feel better is just absurd.
Target was recently the victim of a huge credit card hack. I will admit I don't know all the details, too busy to read it all, but last I heard they thought it was an inside job. Will you never shop there again because they didnt fire everyone and pay a company millions to do a security audit of every person working there?
Of course not. A bad thing happened, Target apologized, did what they could to make it right, and moved forward.
Bashing Poloniex because they made a mistake, and then didnt throw money around (that should be used to pay back losses, mind you) is just stupid. And if they DID spend $20k to "hire a competent programmer" - the cries of "You should have paid us back with that money!!!" would have been insane.
I'm all about transparency and integrity. I think Poloniex went above and beyond in that department. They are the first (not only - we followed in their footsteps) exchange to have an issue and publicly admit fault, admit what happened, and assist other exchanges in making sure they didnt make the same mistake.
That alone should garner more trust than any bag of money thrown at a "competent programmer".
