Bitcoin Forum
Author Topic: BTC Stolen from Poloniex  (Read 167416 times)
Shimini
March 04, 2014, 12:11:15 PM
 #121

Today, about 12.3% of the BTC on Poloniex was stolen.

I take full responsibility for this and am committed to repaying the debt of BTC

So you take "full responsibility", but at the same time you let your customers pay for the loss? Hmmmmm.................
kronicblazer
March 04, 2014, 12:11:38 PM
 #122

I woke up and found out ALL my exchange sites and email got hacked around 4 hours ago... lost like 95% of my BTC (wallets are safe).... funny thing is poloniex.com is the only site that still has some coins left (BTC gone, but some other coins still there), I guess because of the frozen market... hopefully I can get the rest of the coins from here because my password has been changed, and I think I am still logged in because I did not close the browser yet... don't know how long I will remain signed in..... every other site (ones that are still logged in and I can see), all alt coins sold and BTC withdrawn, other sites I can't even log in anymore.

So a few questions...
is this all related or did I just happen to get hacked at this time?
how did all my online sites get hacked at the same time?, wallets are safe...
are my wallets actually safe? do I need to reformat my computer right away? just main drive or all drives?
how was I hacked in the first place? what can I do to prevent this in future?

This sucks so fuckin much... I wake up to see LTC spike up a lot, go try and sell some and find out... all my exchanges are empty or password changed... email password was changed... I spent the last 4 months fully dedicated to cryptos and now I'm worse off than when I started... not even from bad trading, but from hacks... this really fuckin sucks

deuteragenie
March 04, 2014, 12:12:58 PM
 #123

my few c

1. select for update to lock selects, then update the btc value, in a transaction.

There are many others, like hashing and triggers to validate data, and to ensure SQL injection, if it happens, can be discovered easily.

Update set new value=old value - difference is more efficient and locks the row with resorting to the lock you mention.  Add a check constraint on table.
Warren
March 04, 2014, 12:13:09 PM
 #124

Kudos for being transparent about the problems with your exchange. I know that some people doubted you at first when the XCP was stolen, but that turned out to not be your fault. Now when it actually is the fault of your exchange you are immediately holding your hand up. That takes courage and shows your integrity!  Smiley

I agree with all the previous posters here who have suggested that you sell some shares of your exchange instead of dramatically raising the fees across the board.

I know that a lot of people don't like https://cryptostocks.com/ but I think that has more to do with the projects/companies that are listed there than the actual exchange itself. It would be an easy and quick way to raise the money needed to re-pay what was stolen, and your users wouldn't be forced to take a loss.

Raising the fees to 1,5% is only going to hurt the exchange IMO, even if it's temporary. Perhaps you could increase them 50% from the current level, but increasing them to 1,5% is really a lot!

I have another suggestion.

It's kind of depending on if you follow through with the idea of doing an IPO or not, but I think it's something worth considering if you do.

How about raising enough money to create an "insurance fund" that will be available for those users who are willing to accept a slightly higher trading fee than uninsured users?

You would keep this fund in cold storage and it would be completely transparent on the blockchain for everyone to verify. It would only be used to reimburse those accounts that had paid the higher trading fee in case of another hack of the exchange. By making it voluntary it doesn't hurt anyone who doesn't want to pay the extra fee, and as the income from the insurance premiums increases so will the level of insurance. This will make Poloniex the first exchange where user funds are insured. Perhaps you could even make the funds on that cold storage account multisignature with 2 trusted members from the community, that way anyone who doubts your integrity will feel a lot safer as well...

I know that I would certainly be willing to pay a slightly higher fee to sleep a little better knowing that even if you are hacked again at least I will get reimbursed, and I'm sure there are a lot of sad MtGox users who feel the same way.

I'm embarrassed to admit that the second I saw something about Poloniex being hacked I immediately attempted a withdrawal of my BTC from there. Roll Eyes They are now "stuck in limbo" but I assume that they will show back up again once you have reversed the attempted transactions?
Bit_Happy
March 04, 2014, 12:13:35 PM
 #125

I would leave the fees much lower, especially since you already "covered" the money.

kuperis
March 04, 2014, 12:16:09 PM
 #126

I like poloniex more and more every day, it's my second exchange after btce, I like how busoni is managing all the problems. I support!
maardein
March 04, 2014, 12:16:12 PM
 #127

Wow, this sucks, but I'm glad you are being honest.

BTC: 1788UegKXGXXicfPcbZ1bmSUJ99ZWRCF7p
LTC: LZ2rCcoxK4X8wRRynqdxoimd4d3TDNk7Lk
PMP: PApSSdorQds5tQysymwDXPAN3viJLFTUs8
negritaman
March 04, 2014, 12:16:41 PM
Last edit: March 04, 2014, 12:41:15 PM by negritaman
 #128

If coinmarket is suffering from similar issues but is really bad at PR then it's all good lads, both markets have shown promise and I would, despite my previous rants, like to see both move forwards better and stronger.

In the meantime perhaps the group known as anonymous would consider digging out those trying to destroy the credibility of the coin exchanges and have a quiet word in their shell-like and maybe empty their wallets to enable those without food on the table to get by a bit better where there are no opportunities such as we have here.

If anonymous is truly the internet version of the A team and you can find them and hire them I would really like to see a plan come together, I am just a little man and this shit is way above my head.

+1 to Poloniex for biting the bullet and being straight up with us
turboblade
March 04, 2014, 12:20:50 PM
 #129

If coinmarket is suffering from similar issues but is really bad at PR then it's all good lads, both markets have shown promise and I would, despite my previous rants, like to see both move forwards better and stronger.

In the meantime perhaps the group known as anonymous would consider digging out those trying to destroy the credibility of the coin exchanges and have a quiet word in their shell-like and maybe empty their wallets to enable those without food on the table to get by a bit better where there are no opportunities such as we have here.

If anonymous is truly the internet version of the A team and you can find them and hire them I would really like to see a plan come together, I am just a little man and this shit is way above my head.

+1 to Poloniex for biting the bullet and being straight up with us

I don't see how they are being straight up. Where are our deposits?
D05GTO
March 04, 2014, 12:21:01 PM
 #130

Craziness, why use these badly coded exchanges that rip people off.  The right thing to do would be returning the 12.3% that was taken from everyone.  People.. you just took a 12% haircut for their mistake.  I don't care what anyone says but taking people's money is wrong.

Wake up!  use a Registered exchange that is transparent and will always do the right thing.  


Use Atomic-Trade.


 
 
negritaman
March 04, 2014, 12:24:41 PM
 #131

If coinmarket is suffering from similar issues but is really bad at PR then it's all good lads, both markets have shown promise and I would, despite my previous rants, like to see both move forwards better and stronger.

In the meantime perhaps the group known as anonymous would consider digging out those trying to destroy the credibility of the coin exchanges and have a quiet word in their shell-like and maybe empty their wallets to enable those without food on the table to get by a bit better where there are no opportunities such as we have here.

If anonymous is truly the internet version of the A team and you can find them and hire them I would really like to see a plan come together, I am just a little man and this shit is way above my head.

+1 to Poloniex for biting the bullet and being straight up with us

I don't see how they are being straight up. Where are our deposits?

You mean you attempted to send coins to a paused trading engine without realising the site was down, bud? In the first description of the problem there was a suggestion that pending transactions would be reset for the resumption of trading.

If you had stuff on deposit then you will have to wait because the engine was shut down due to an exploit, it's inconvenient but I am not doubting the sincerity of the people running the two exchanges, I hope they just don't say fuckit and throw the towel in as it would be a mutual loss.
billotronic
March 04, 2014, 12:25:17 PM
 #132

Well this is a shitty thing to wake up to.

throw up a donations address

@Warren interesting idea about the insurance fund... make it like bitfinex but actually work!

This post sums up why all this bullshit is a scam
Read It. Hate It. Change the facts that it represents.
https://bitcointalk.org/index.php?topic=1606638.msg16139644#msg16139644
discobean
March 04, 2014, 12:29:23 PM
 #133

my few c

1. select for update to lock selects, then update the btc value, in a transaction.

There are many others, like hashing and triggers to validate data, and to ensure SQL injection, if it happens, can be discovered easily.

Update set new value=old value - difference is more efficient and locks the row with resorting to the lock you mention.  Add a check constraint on table.

Without a select lock, validation can't occur properly in the business logic checking they have enough available.  Agree you mentioned the constraint, but select lock is a good practice in many instances in validation (btc transfers between accounts wouldn't work with your method), not just this one.

Depending on which DB you are using, the efficiency is the same, as the row is locked for an update anyway.  And only 1 user will generally be accessing their BTC values at any one time.
Shimini
March 04, 2014, 12:32:05 PM
 #134

So this flaw looks like it was a relatively easy one. How can you secure people's money in the future? Are there more vulnerable parts in your programming that allow another theft? You probably are too short of money now to pay professionals to fix your issue. How can you assure security in the future?
Will people REALLY trust your code now that it was proven to be extremely weak?
jmclarty
March 04, 2014, 12:34:55 PM
 #135

Make these debt instruments tradeable, issue them with an annual coupon of 30%, and the market would bid them up to likely 15% or 10%.

Victims here would turn into investors, who would likely see an instant PROFIT.

This would also give you a means to issue more debt, after you know your cost of capital (that the market is willing to lend to you at) and allow you to invest in security/marketing/etc.

(To understand how this is likely the guaranteed outcome, one would need to understand how bonds move inverse to interest rates.)
EuroTrash
March 04, 2014, 12:36:59 PM
 #136

(copy from my post on Reddit)

I understand that the updates to users' balances in the database are not of the atomic-test-and-set kind.
The workaround that the site owner says he will implement is still allowing for parallel operations, although now the operations will test the balance first.
IMO that is not good enough. You need atomic test-and-set, point. Without it you'll have other race conditions and it is just a matter of time until the next vulnerability is found, no matter how well you think you have mitigated the problem today.

<=== INSERT SMART SIGNATURE HERE ===>
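
The balance-update patterns debated in posts #123, #133 and #136, as an added example that is not part of any post in this thread and is not Poloniex's code. It assumes SQLite in place of the exchange's database, hypothetical table and function names (`balances`, `withdrawals`, `withdraw_atomic`, ...), and integer satoshi amounts; the check-then-act function replays the interleaving of two parallel requests in a fixed order so the result is reproducible.

```python
import sqlite3

def make_db(start_sat):
    """Constructed in-memory ledger. The CHECK constraint is the backstop
    suggested in post #123: the database itself refuses a negative balance."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE balances (user TEXT PRIMARY KEY,"
               " sat INTEGER NOT NULL CHECK (sat >= 0))")
    db.execute("CREATE TABLE withdrawals (user TEXT, sat INTEGER)")
    db.execute("INSERT INTO balances VALUES ('alice', ?)", (start_sat,))
    db.commit()
    return db

def balance(db, user):
    row = db.execute("SELECT sat FROM balances WHERE user = ?", (user,))
    return row.fetchone()[0]

def paid_out(db, user):
    row = db.execute("SELECT COALESCE(SUM(sat), 0) FROM withdrawals"
                     " WHERE user = ?", (user,))
    return row.fetchone()[0]

def withdraw_check_then_act(db, user, requests):
    """Non-atomic pattern: test the balance, write it back later.
    Loop 1 = every parallel request reads; loop 2 = every request writes."""
    approved = []
    for amt in requests:
        seen = balance(db, user)               # test ...
        if 0 < amt <= seen:
            approved.append((amt, seen))
    for amt, seen in approved:                 # ... set, from a stale read
        db.execute("UPDATE balances SET sat = ? WHERE user = ?",
                   (seen - amt, user))
        db.execute("INSERT INTO withdrawals VALUES (?, ?)", (user, amt))
    db.commit()
    return paid_out(db, user)

def withdraw_atomic(db, user, amt):
    """Atomic test-and-set: the balance test lives in the WHERE clause of the
    same statement that debits, so no other request can run between them."""
    if amt <= 0:                               # a negative debit is a credit
        return False
    with db:                                   # debit and payout commit together
        cur = db.execute("UPDATE balances SET sat = sat - ?"
                         " WHERE user = ? AND sat >= ?", (amt, user, amt))
        if cur.rowcount != 1:                  # test failed: nothing changed
            return False
        db.execute("INSERT INTO withdrawals VALUES (?, ?)", (user, amt))
    return True

def constraint_rejects_overdraw(db, user, amt):
    """A relative debit with no WHERE test is still stopped by the CHECK."""
    try:
        with db:
            db.execute("UPDATE balances SET sat = sat - ? WHERE user = ?",
                       (amt, user))
    except sqlite3.IntegrityError:
        return True
    return False

if __name__ == "__main__":
    racy = make_db(100)
    print("check-then-act paid:", withdraw_check_then_act(racy, "alice", [80, 80]))
    safe = make_db(100)
    print("atomic results:", [withdraw_atomic(safe, "alice", 80) for _ in range(2)])
    print("atomic paid:", paid_out(safe, "alice"))
```

On a 100-satoshi balance, two 80-satoshi requests pay out 160 under check-then-act and 80 under the atomic update; the CHECK constraint never fires in the first case because each stale write is itself non-negative.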
negritaman
March 04, 2014, 12:37:40 PM
 #137

Well this is a shitty thing to wake up to.

throw up a donations address

@Warren interesting idea about the insurance fund... make it like bitfinex but actually work!

How about those who have lost some bitcoin and are waiting to have it recovered and returned get to mine for free until the balance is restored, each trade would chip a little off the owed balance. That would be an honourable damage limitation exercise, those who are not affected by the hack or had no BTC at the time, they continue trading and the fees they pay will go towards keeping the exchange's head above water. It's less money for the exchange in the short term but it's meeting somewhere in the middle of taking deposits and addressing the imbalance of stolen BTC.

We should all share the risk of a new adventure and not put too many straws on the camel's back else it might break.
Majormax
March 04, 2014, 12:44:10 PM
 #138

Thanks for the details in this thread...  (I have 1.2 BTC in my account at Poloniex).

My opinion FWIW...I would suggest a haircut or an increase in fees, but not both. Best to deduct 12.% from BTC and get it done. Keep a permanent record of those who lost, and if you feel rich in future then you can pay something back: don't put it on the table now.

D05GTO
March 04, 2014, 12:45:48 PM
 #139

Yeah, share all the risk but none of the profits of that business.   Roll Eyes Sounds wonderful. LOL


 
 
negritaman
March 04, 2014, 12:47:54 PM
 #140

Kudos for being transparent about the problems with your exchange. I know that some people doubted you at first when the XCP was stolen, but that turned out to not be your fault. Now when it actually is the fault of your exchange you are immediately holding your hand up. That takes courage and shows your integrity!  Smiley

I agree with all the previous posters here who have suggested that you sell some shares of your exchange instead of dramatically raising the fees across the board.

I know that a lot of people don't like https://cryptostocks.com/ but I think that has more to do with the projects/companies that are listed there than the actual exchange itself. It would be an easy and quick way to raise the money needed to re-pay what was stolen, and your users wouldn't be forced to take a loss.

Raising the fees to 1,5% is only going to hurt the exchange IMO, even if it's temporary. Perhaps you could increase them 50% from the current level, but increasing them to 1,5% is really a lot!

I have another suggestion.

It's kind of depending on if you follow through with the idea of doing an IPO or not, but I think it's something worth considering if you do.

How about raising enough money to create an "insurance fund" that will be available for those users who are willing to accept a slightly higher trading fee than uninsured users?

You would keep this fund in cold storage and it would be completely transparent on the blockchain for everyone to verify. It would only be used to reimburse those accounts that had paid the higher trading fee in case of another hack of the exchange. By making it voluntary it doesn't hurt anyone who doesn't want to pay the extra fee, and as the income from the insurance premiums increases so will the level of insurance. This will make Poloniex the first exchange where user funds are insured. Perhaps you could even make the funds on that cold storage account multisignature with 2 trusted members from the community, that way anyone who doubts your integrity will feel a lot safer as well...

I know that I would certainly be willing to pay a slightly higher fee to sleep a little better knowing that even if you are hacked again at least I will get reimbursed, and I'm sure there are a lot of sad MtGox users who feel the same way.

I'm embarrassed to admit that the second I saw something about Poloniex being hacked I immediately attempted a withdrawal of my BTC from there. Roll Eyes They are now "stuck in limbo" but I assume that they will show back up again once you have reversed the attempted transactions?


First it's an insurance fund, then it's a policy, then civil servants start stepping in and the whole thing is banjaxed and we are back where we started from without even benefits of paper fiat. We need to find better ways and the fees charged should be sufficient to cover this sort of thing if the exchange owners were serious about running a decent exchange.


What you are proposing is a two tier elite trading system and insurance is one of the biggest scams out there, nearly as dodgy as pension funds. I personally would NOT like to see what you are suggesting become commonplace, it smacks of NWO philosophy and we don't need that shit here.

Are you a shill or just dumb enough to make the same mistakes in a new format of perceived value?