Bitcoin Forum
November 11, 2024, 08:44:42 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 2 3 4 5 6 7 8 9 [10] 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 »
  Print  
Author Topic: BTC Stolen from Poloniex  (Read 167461 times)
coinnewbit
Sr. Member
****
Offline Offline

Activity: 266
Merit: 250



View Profile
March 04, 2014, 03:30:47 PM
 #181

Wow, I really hope the thief gets a good dose of karma
elmad
Member
**
Offline Offline

Activity: 119
Merit: 10


View Profile
March 04, 2014, 03:37:32 PM
 #182

The major problem here is that the auditing and security features were not explicitly looking for negative balances. They add deposits and withdrawals and check that accounts are in balance. If you have 2 BTC, withdraw 10 BTC, and are left with -8 BTC, the software would see that you deposited 2, withdrew 10, and have exactly what you should: -8.


This is pathetic. Any programmers would not have allowed this to happen in the first place. It's basic programming level. If you have 2 BTC, withdraw 10 BTC, then "withdrawal rejected due to lack of funds."

I think you've misunderstood. The problem wasn't that it didn't check for negative balance. If you had 2 BTC, it would not let you withdraw a single amount of 10 BTC. The problem was that the withdrawals did not have atomicity, meaning that you could withdraw 10 BTC from a balance of 2 BTC by spamming lots of withdrawals for 1 BTC in a very short space of time.

And this is very silly... Running an exchange without to know transactions and atomicity...

Busoni, if you want to continue this business, pay some serious programmer to review all your transactions code. This is more important than that 12.3% .

Good work and good luck
Shimini
Newbie
*
Offline Offline

Activity: 13
Merit: 0


View Profile
March 04, 2014, 03:46:44 PM
 #183

No way somebody can trust an exchange that has been proven weak.
Pay your debts, close your exchange -and search for a regular job. Poloniex is burned now.
uygar2580
Full Member
***
Offline Offline

Activity: 196
Merit: 100


View Profile
March 04, 2014, 03:48:41 PM
 #184

any eta from now to open market again ?
InsanityDev
Full Member
***
Offline Offline

Activity: 140
Merit: 100


View Profile
March 04, 2014, 03:54:29 PM
 #185

No way somebody can trust an exchange that has been proven weak.
Pay your debts, close your exchange -and search for a regular job. Poloniex is burned now.

Yes let's all move to a new exchange which isn't transparent so we can all get burned with no come back. Great Idea.

Bussoni, keep up the good work and transparency, and send me a BTC address, I'll contribute something from my personal holdings Smiley

jtpeters
Newbie
*
Offline Offline

Activity: 56
Merit: 0


View Profile
March 04, 2014, 03:55:23 PM
 #186

Why is there no notice on the Poloniex website of this? Did I miss it?
sabyd
Full Member
***
Offline Offline

Activity: 126
Merit: 100


View Profile
March 04, 2014, 03:56:53 PM
 #187

BUT I CAN WITHDRAW NOW OR NOT???
uygar2580
Full Member
***
Offline Offline

Activity: 196
Merit: 100


View Profile
March 04, 2014, 03:57:00 PM
 #188

Why is there no notice on the Poloniex website of this? Did I miss it?

Notice was on twitter box, right side of site.
kneim
Legendary
*
Offline Offline

Activity: 1666
Merit: 1000


View Profile
March 04, 2014, 04:00:23 PM
 #189

Thanks for the honest and transparent information, and the reasonable decisions.

I'm not yet on your platform, but will try soon.

stereotype
Legendary
*
Offline Offline

Activity: 1554
Merit: 1000



View Profile
March 04, 2014, 04:01:16 PM
 #190

busoni, you need to shut down Poloniex now and try to make your users whole from your own funds and debt. Do not continue trying to run an exchange. Your post mortem indicates that you do not have sufficient programming ability to handle other peoples money - no mention was even made of database transactions, which are a basic "database programming 101" topic. Your proposed fix of checking for negative balances is wrong and indicates that your code is almost certainly riddled with other exploitable bugs.

Please do the right thing and refund everyones outstanding balances, then wind up your operation.
Appreciate your input Mike, and understand why.

I think talk of databases would be lost on who it was intended for. But the way Busconi communicated the info should be the start of a template, yes?
The One
Legendary
*
Offline Offline

Activity: 924
Merit: 1000



View Profile
March 04, 2014, 04:02:34 PM
 #191

The major problem here is that the auditing and security features were not explicitly looking for negative balances. They add deposits and withdrawals and check that accounts are in balance. If you have 2 BTC, withdraw 10 BTC, and are left with -8 BTC, the software would see that you deposited 2, withdrew 10, and have exactly what you should: -8.


This is pathetic. Any programmers would not have allowed this to happen in the first place. It's basic programming level. If you have 2 BTC, withdraw 10 BTC, then "withdrawal rejected due to lack of funds."

I think you've misunderstood. The problem wasn't that it didn't check for negative balance. If you had 2 BTC, it would not let you withdraw a single amount of 10 BTC. The problem was that the withdrawals did not have atomicity, meaning that you could withdraw 10 BTC from a balance of 2 BTC by spamming lots of withdrawals for 1 BTC in a very short space of time.

You made my point in bold above.....bad programming pure and simple. Spamming lots of withdrawals is irrelevant. The code should access one request at a time and each request to be completed before accepting another request.

Current balance - withdrawal request - request equal or less than balance = request accepted - withdrawal completed - new balance. Then repeat for each request. If there are many requests at the same time then only 1 request can be processed and others rejected.

..C..
.....................
........What is C?.........
..............
...........ICO            Dec 1st – Dec 30th............
       ............Open            Dec 1st- Dec 30th............
...................ANN thread      Bounty....................

steban
Full Member
***
Offline Offline

Activity: 168
Merit: 100



View Profile
March 04, 2014, 04:04:27 PM
 #192

You are doing the right thing, and gives me more confidence on using your exchange. Sorry for the loss.
procrypto
Full Member
***
Offline Offline

Activity: 224
Merit: 100


Shitcoin Maximalist


View Profile
March 04, 2014, 04:06:39 PM
 #193

At least you have tried to respond in an open and transparent way, and your systems halted things early.

It's a shame it had to happen though, as this "withdrawal spam" attack is a known vulnerability of exchanges, and one you would've hoped they had already taken steps to avoid.
jtpeters
Newbie
*
Offline Offline

Activity: 56
Merit: 0


View Profile
March 04, 2014, 04:07:50 PM
 #194

Why is there no notice on the Poloniex website of this? Did I miss it?

Notice was on twitter box, right side of site.

... and that's an official notice? A few words off to the side? This should be PLASTERED all over the header.
D05GTO
Sr. Member
****
Offline Offline

Activity: 406
Merit: 250


View Profile
March 04, 2014, 04:11:45 PM
 #195

Why is there no notice on the Poloniex website of this? Did I miss it?

Notice was on twitter box, right side of site.

... and that's an official notice? A few words off to the side? This should be PLASTERED all over the header.

LOL, they are transparent but not that transparent it seems.


 
 
           ▄████▄
         ▄████████▄
       ▄████████████▄
     ▄████████████████▄
    ████████████████████      ▄█▄                 ▄███▄                 ▄███▄                 ▄████████████████▀   ▄██████████

  ▄▄▄▀█████▀▄▄▄▄▀█████▀▄▄▄     ▀██▄             ▄██▀ ▀██▄             ▄██▀ ▀██▄             ▄██▀                   ██
▄█████▄▀▀▀▄██████▄▀▀▀▄█████▄     ▀██▄         ▄██▀     ▀██▄         ▄██▀     ▀██▄         ▄██▀        ▄█▄          ▀██████████████▄
████████████████████████████       ▀██▄     ▄██▀         ▀██▄     ▄██▀         ▀██▄     ▄██▀          ▀█▀                        ██
 ▀████████████████████████▀          ▀██▄ ▄██▀             ▀██▄ ▄██▀     ▄█▄     ▀██▄ ▄██▀                                       ██
   ▀████████████████████▀              ▀███▀                 ▀███▀       ▀█▀       ▀███▀      ▄███████████████████████████████████▀
     ▀████████████████▀
       ▀████████████▀
         ▀████████▀
           ▀████▀
║║


║║
.
.

║║
██
║║
.
.

║║
██
║║
.
║║


║║
ShakinHandz
Sr. Member
****
Offline Offline

Activity: 280
Merit: 250



View Profile
March 04, 2014, 04:16:46 PM
 #196

Love all the negativity in the forum. You guys are just great!

Busoni, in regards to your post on your site I just wanted to put my vote in for shares/dividend payments. I think this would be the route to go over increased fees.

In any case, I think Polo is one of my favorite exchanges for the alts. Shit happens, at least you took responsibility and opened up to the community as soon as this happened. I will still certainly trade there.
jtpeters
Newbie
*
Offline Offline

Activity: 56
Merit: 0


View Profile
March 04, 2014, 04:17:27 PM
 #197

Sorry, but I'm not buying any of this.

The thing with Gox setting a precedent is that each successive Goxer learns from the last.

I want to believe them, I really do. But I said the same thing about Coinmarket https://bitcointalk.org/index.php?topic=454186.msg5375246#msg5375246 and no one wanted to believe it could happen to their "favorite" exchange. It sounded like BS then and where is Coinmarket now? This doesn't mean that it's not possible for an exchange to get hacked. But I think we should TRUST NO ONE. Especially when they are anonymous.

Another exchange was "hacked" today. Nearly 900 BTC "lost". It just seems all too convenient.

Yes, it's more profitable on the long run to run and exchange instead of stealing customer funds. But if you can get away with stealing a little, why not? I'm not saying that is what happened here but who knows.
Chiptuner
Newbie
*
Offline Offline

Activity: 9
Merit: 0


View Profile
March 04, 2014, 04:19:21 PM
 #198

When will restore input of coins?
jtpeters
Newbie
*
Offline Offline

Activity: 56
Merit: 0


View Profile
March 04, 2014, 04:21:22 PM
 #199

Love all the negativity in the forum. You guys are just great!

Busoni, in regards to your post on your site I just wanted to put my vote in for shares/dividend payments. I think this would be the route to go over increased fees.

In any case, I think Polo is one of my favorite exchanges for the alts. Shit happens, at least you took responsibility and opened up to the community as soon as this happened. I will still certainly trade there.

A careful eye is far from negative. It is foolhardy to blindly trust what an anonymous person types on a computer.

Why should we automatically trust someone just because they put a few nice paragraphs together?

I want my BTC back as much as the next person but until I have 100% of it, I'm not buying it. I'd also be happy with a YouTube video from the founder explaining the situation, and further evidence of what happened.
DarkTrix
Sr. Member
****
Offline Offline

Activity: 532
Merit: 250


Keep - The privacy layer for Ethereum


View Profile
March 04, 2014, 04:21:57 PM
 #200

Hi Busoni,

As a response to your asking for information and ideas. I would like to suggest taking the shares and dividends route. Giving value back to your impacted customers will inevitably boost your reputation and trust in your exchange.

This will be more beneficial to Poloniex than you can imagine, and will resolve the issue in a relatively short space of time.

I would also suggest (from a programming background) hiring someone, potentially with these shares if they will accept them, to try and find holes in the security and strengthen the exchanges security. It is possible to do it yourself but sometimes when your head is stuck in the job it's difficult to notice these things. I do not have the skillset to be able to do this but there are people out there, professional security firms, who will make this extremely robust for a fee.

If you need any help communicating, or a point of contact if you are busy, myself and others have been informing people of the situation who weren't aware.

Ignore the negativity this is natural from such a situation and other "exchanges" have left a bitter taste of skepticism with people. Be the first to break this mold and you will find even more people come to the exchange.

I hope this helps

Darktrix

Pages: « 1 2 3 4 5 6 7 8 9 [10] 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!