BTC Stolen from Poloniex

[coinnewbit]

Wow, I really hope the thief gets a good dose of karma

[1714803146]

1714803146

[1714803146]

1714803146

[elmad]

The major problem here is that the auditing and security features were not explicitly looking for negative balances. They add deposits and withdrawals and check that accounts are in balance. If you have 2 BTC, withdraw 10 BTC, and are left with -8 BTC, the software would see that you deposited 2, withdrew 10, and have exactly what you should: -8.


This is pathetic. Any programmers would not have allowed this to happen in the first place. It's basic programming level. If you have 2 BTC, withdraw 10 BTC, then "withdrawal rejected due to lack of funds."

I think you've misunderstood. The problem wasn't that it didn't check for negative balance. If you had 2 BTC, it would not let you withdraw a single amount of 10 BTC. The problem was that the withdrawals did not have atomicity, meaning that you could withdraw 10 BTC from a balance of 2 BTC by spamming lots of withdrawals for 1 BTC in a very short space of time.

And this is very silly... Running an exchange without to know transactions and atomicity...

Busoni, if you want to continue this business, pay some serious programmer to review all your transactions code. This is more important than that 12.3% .

Good work and good luck

[Shimini]

No way somebody can trust an exchange that has been proven weak.
Pay your debts, close your exchange -and search for a regular job. Poloniex is burned now.

[uygar2580]

any eta from now to open market again ?

[InsanityDev]

No way somebody can trust an exchange that has been proven weak.
Pay your debts, close your exchange -and search for a regular job. Poloniex is burned now.

Yes let's all move to a new exchange which isn't transparent so we can all get burned with no come back. Great Idea.

Bussoni, keep up the good work and transparency, and send me a BTC address, I'll contribute something from my personal holdings

[jtpeters]

Why is there no notice on the Poloniex website of this? Did I miss it?

[sabyd]

BUT I CAN WITHDRAW NOW OR NOT???

[uygar2580]

Why is there no notice on the Poloniex website of this? Did I miss it?

Notice was on twitter box, right side of site.

[kneim]

Thanks for the honest and transparent information, and the reasonable decisions.

I'm not yet on your platform, but will try soon.

[stereotype]

busoni, you need to shut down Poloniex now and try to make your users whole from your own funds and debt. Do not continue trying to run an exchange. Your post mortem indicates that you do not have sufficient programming ability to handle other peoples money - no mention was even made of database transactions, which are a basic "database programming 101" topic. Your proposed fix of checking for negative balances is wrong and indicates that your code is almost certainly riddled with other exploitable bugs.

Please do the right thing and refund everyones outstanding balances, then wind up your operation.

Appreciate your input Mike, and understand why.

I think talk of databases would be lost on who it was intended for. But the way Busconi communicated the info should be the start of a template, yes?

[The One]

The major problem here is that the auditing and security features were not explicitly looking for negative balances. They add deposits and withdrawals and check that accounts are in balance. If you have 2 BTC, withdraw 10 BTC, and are left with -8 BTC, the software would see that you deposited 2, withdrew 10, and have exactly what you should: -8.


This is pathetic. Any programmers would not have allowed this to happen in the first place. It's basic programming level. If you have 2 BTC, withdraw 10 BTC, then "withdrawal rejected due to lack of funds."

I think you've misunderstood. The problem wasn't that it didn't check for negative balance. If you had 2 BTC, it would not let you withdraw a single amount of 10 BTC. The problem was that the withdrawals did not have atomicity, meaning that you could withdraw 10 BTC from a balance of 2 BTC by spamming lots of withdrawals for 1 BTC in a very short space of time.

You made my point in bold above.....bad programming pure and simple. Spamming lots of withdrawals is irrelevant. The code should access one request at a time and each request to be completed before accepting another request.

Current balance - withdrawal request - request equal or less than balance = request accepted - withdrawal completed - new balance. Then repeat for each request. If there are many requests at the same time then only 1 request can be processed and others rejected.

[steban]

You are doing the right thing, and gives me more confidence on using your exchange. Sorry for the loss.

[procrypto]

At least you have tried to respond in an open and transparent way, and your systems halted things early.

It's a shame it had to happen though, as this "withdrawal spam" attack is a known vulnerability of exchanges, and one you would've hoped they had already taken steps to avoid.

[jtpeters]

Why is there no notice on the Poloniex website of this? Did I miss it?

Notice was on twitter box, right side of site.

... and that's an official notice? A few words off to the side? This should be PLASTERED all over the header.

[D05GTO]

Why is there no notice on the Poloniex website of this? Did I miss it?

Notice was on twitter box, right side of site.

... and that's an official notice? A few words off to the side? This should be PLASTERED all over the header.

LOL, they are transparent but not that transparent it seems.

[ShakinHandz]

Love all the negativity in the forum. You guys are just great!

Busoni, in regards to your post on your site I just wanted to put my vote in for shares/dividend payments. I think this would be the route to go over increased fees.

In any case, I think Polo is one of my favorite exchanges for the alts. Shit happens, at least you took responsibility and opened up to the community as soon as this happened. I will still certainly trade there.

[jtpeters]

Sorry, but I'm not buying any of this.

The thing with Gox setting a precedent is that each successive Goxer learns from the last.

I want to believe them, I really do. But I said the same thing about Coinmarket https://bitcointalk.org/index.php?topic=454186.msg5375246#msg5375246 and no one wanted to believe it could happen to their "favorite" exchange. It sounded like BS then and where is Coinmarket now? This doesn't mean that it's not possible for an exchange to get hacked. But I think we should TRUST NO ONE. Especially when they are anonymous.

Another exchange was "hacked" today. Nearly 900 BTC "lost". It just seems all too convenient.

Yes, it's more profitable on the long run to run and exchange instead of stealing customer funds. But if you can get away with stealing a little, why not? I'm not saying that is what happened here but who knows.

[Chiptuner]

When will restore input of coins?

[jtpeters]

Love all the negativity in the forum. You guys are just great!

Busoni, in regards to your post on your site I just wanted to put my vote in for shares/dividend payments. I think this would be the route to go over increased fees.

In any case, I think Polo is one of my favorite exchanges for the alts. Shit happens, at least you took responsibility and opened up to the community as soon as this happened. I will still certainly trade there.

A careful eye is far from negative. It is foolhardy to blindly trust what an anonymous person types on a computer.

Why should we automatically trust someone just because they put a few nice paragraphs together?

I want my BTC back as much as the next person but until I have 100% of it, I'm not buying it. I'd also be happy with a YouTube video from the founder explaining the situation, and further evidence of what happened.

[DarkTrix]

Hi Busoni,

As a response to your asking for information and ideas. I would like to suggest taking the shares and dividends route. Giving value back to your impacted customers will inevitably boost your reputation and trust in your exchange.

This will be more beneficial to Poloniex than you can imagine, and will resolve the issue in a relatively short space of time.

I would also suggest (from a programming background) hiring someone, potentially with these shares if they will accept them, to try and find holes in the security and strengthen the exchanges security. It is possible to do it yourself but sometimes when your head is stuck in the job it's difficult to notice these things. I do not have the skillset to be able to do this but there are people out there, professional security firms, who will make this extremely robust for a fee.

If you need any help communicating, or a point of contact if you are busy, myself and others have been informing people of the situation who weren't aware.

Ignore the negativity this is natural from such a situation and other "exchanges" have left a bitter taste of skepticism with people. Be the first to break this mold and you will find even more people come to the exchange.

I hope this helps

Darktrix