BTC Stolen from Poloniex

[ShakinHandz]

Love all the negativity in the forum. You guys are just great!

Busoni, in regards to your post on your site I just wanted to put my vote in for shares/dividend payments. I think this would be the route to go over increased fees.

In any case, I think Polo is one of my favorite exchanges for the alts. Shit happens, at least you took responsibility and opened up to the community as soon as this happened. I will still certainly trade there.

A careful eye is far from negative. It is foolhardy to blindly trust what an anonymous person types on a computer.

Why should we automatically trust someone just because they put a few nice paragraphs together?

I want my BTC back as much as the next person but until I have 100% of it, I'm not buying it.

I think what we've seen from Mt.Gox where you have a very public figure like Mark is that you can't really trust anyone in this baby market. That being said anytime I move coins onto exchanges I know that I'm taking a risk irregardless of whether or not the person running the exchange is "anonymous".

Although I don't know if it's confirmed, I have seen the addresses of the attacker posted. That hasn't been confirmed by Busoni *yet*, but I would hope that information would come out soon.

Having coins on any online service is a gamble, don't gamble with more than you can afford to lose.

[1714611569]

1714611569

[1714611569]

1714611569

[sabyd]

SOMEONE COULD TELL ME IF I CAN WITHDRAW NOW OR NOT?
THANKS

[ShakinHandz]

SOMEONE COULD TELL ME IF I CAN WITHDRAW NOW OR NOT?
THANKS

You can't withdraw, thanks for reading the original post.

[jtpeters]

Hi Busoni,

As a response to your asking for information and ideas. I would like to suggest taking the shares and dividends route. Giving value back to your impacted customers will inevitably boost your reputation and trust in your exchange.

This will be more beneficial to Poloniex than you can imagine, and will resolve the issue in a relatively short space of time.

I would also suggest (from a programming background) hiring someone, potentially with these shares if they will accept them, to try and find holes in the security and strengthen the exchanges security. It is possible to do it yourself but sometimes when your head is stuck in the job it's difficult to notice these things. I do not have the skillset to be able to do this but there are people out there, professional security firms, who will make this extremely robust for a fee.

If you need any help communicating, or a point of contact if you are busy, myself and others have been informing people of the situation who weren't aware.

Ignore the negativity this is natural from such a situation and other "exchanges" have left a bitter taste of skepticism with people. Be the first to break this mold and you will find even more people come to the exchange.

I hope this helps

Darktrix

More evidence (detailed and specific) of the "outside theft" (if it actually occurred) should be required before we give more BTC away, don't you think?

Fool me once, shame on you. Fool me twice...

[jtpeters]

Love all the negativity in the forum. You guys are just great!

Busoni, in regards to your post on your site I just wanted to put my vote in for shares/dividend payments. I think this would be the route to go over increased fees.

In any case, I think Polo is one of my favorite exchanges for the alts. Shit happens, at least you took responsibility and opened up to the community as soon as this happened. I will still certainly trade there.

A careful eye is far from negative. It is foolhardy to blindly trust what an anonymous person types on a computer.

Why should we automatically trust someone just because they put a few nice paragraphs together?

I want my BTC back as much as the next person but until I have 100% of it, I'm not buying it.

I think what we've seen from Mt.Gox where you have a very public figure like Mark is that you can't really trust anyone in this baby market. That being said anytime I move coins onto exchanges I know that I'm taking a risk irregardless of whether or not the person running the exchange is "anonymous".

Although I don't know if it's confirmed, I have seen the addresses of the attacker posted. That hasn't been confirmed by Busoni *yet*, but I would hope that information would come out soon.

Having coins on any online service is a gamble, don't gamble with more than you can afford to lose.

Someone that is anonymous is more likely to consider/implement wrong-doing than someone who isn't, I think.

There are always exceptions, of course. But I'll take the law of assumed averages for the above statement any day.

[solid12345]

Guys, I want to vouch personally for Busoni, a week or two ago I had accidentally deposited .6 BTC into my PMC wallet by mistake on Polo. Busoni personally went out of the way to retrieve it for me, even coming to Bitcointalk to seek help on how to solve the issue. If he was a thief he could easily have said, "sorry there is no fix" and run off with it himself. I thought my money was lost but he came through and i'm sure he will come through again for everyone affected by this mess.

[jtpeters]

Guys, I want to vouch personally for Busoni, a week or two ago I had accidentally deposited .6 BTC into my PMC wallet by mistake on Polo. Busoni personally went out of the way to retrieve it for me, even coming to Bitcointalk to seek help on how to solve the issue. If he was a thief he could easily have said, "sorry there is no fix" and run off with it himself. I thought my money was lost but he came through and i'm sure he will come through again for everyone affected by this mess.

One anonymous poster vouching for another?

"If he was a thief he could easily have..." could apply to anyone before they do something wrong. But anyway.

It's a good exchange, sure. And I hope that all is the way that is said. I'm just suggesting that we not automatically assume that everything anonymous people say on the internet is true, especially when it comes to money.

[busoni]

I would like to thank everyone for their support and understanding. It really means a lot. Having other people's money taken under my watch has made me feel just about as awful as I've ever felt in my life.

I think I should have a poll to determine how to pay the funds back. Here are the options I'm thinking:

1. Pay back over time with exchange fees.
2. Same as #1, but raise fees to expedite.
3. Sell shares of Poloniex to cover the debt; dividends paid regularly.
4. Award such shares to everyone immediately and consider that repayment.

Let me know if I'm forgetting an option here.


About recent deposits--it really wouldn't be fair to deduct deposits made after the BTC was taken. Obviously I should have posted a notice on the Balances page, but it is not difficult to make an exception for recent deposits.

I will be hiring a security programmer after this is dealt with.

[Bansheroom]

Love all the negativity in the forum. You guys are just great!

Busoni, in regards to your post on your site I just wanted to put my vote in for shares/dividend payments. I think this would be the route to go over increased fees.

In any case, I think Polo is one of my favorite exchanges for the alts. Shit happens, at least you took responsibility and opened up to the community as soon as this happened. I will still certainly trade there.

Voting for the same: shares/dividend payments

and +1 for the rest of the post, couldnt have said it better.

edit: I would prefer option 3 oder 4 from the post above, always wanted to have shares from my favorite exchange so far before 
Lets make it a "reverse-steal" similar to the stackcoin reverse-scam 

[solid12345]

One anonymous poster vouching for another?

"If he was a thief he could easily have..." could apply to anyone before they do something wrong. But anyway.

It's a good exchange, sure. And I hope that all is the way that is said. I'm just suggesting that we not automatically assume that everything anonymous people say on the internet is true, especially when it comes to money.

You can check the thread history for him on here asking for help on how to retrieve BTC from a customer's wallet however, that is very real.

[ShakinHandz]

I would like to thank everyone for their support and understanding. It really means a lot. Having other people's money taken under my watch has made me feel just about as awful as I've ever felt in my life.

I think I should have a poll to determine how to pay the funds back. Here are the options I'm thinking:

1. Pay back over time with exchange fees.
2. Same as #1, but raise fees to expedite.
3. Sell shares of Poloniex to cover the debt; dividends paid regularly.
4. Award such shares to everyone immediately and consider that repayment.

Let me know if I'm forgetting an option here.


About recent deposits--it really wouldn't be fair to deduct deposits made after the BTC was taken. Obviously I should have posted a notice on the Balances page, but it is not difficult to make an exception for recent deposits.

I will be hiring a security programmer after this is dealt with.

Busoni, a few ppl in the box made a poll earlier. The link is here: https://bitcointalk.org/index.php?topic=500157.0

[duazo]

The major problem here is that the auditing and security features were not explicitly looking for negative balances. They add deposits and withdrawals and check that accounts are in balance. If you have 2 BTC, withdraw 10 BTC, and are left with -8 BTC, the software would see that you deposited 2, withdrew 10, and have exactly what you should: -8.


This is pathetic. Any programmers would not have allowed this to happen in the first place. It's basic programming level. If you have 2 BTC, withdraw 10 BTC, then "withdrawal rejected due to lack of funds."

I think you've misunderstood. The problem wasn't that it didn't check for negative balance. If you had 2 BTC, it would not let you withdraw a single amount of 10 BTC. The problem was that the withdrawals did not have atomicity, meaning that you could withdraw 10 BTC from a balance of 2 BTC by spamming lots of withdrawals for 1 BTC in a very short space of time.

You made my point in bold above.....bad programming pure and simple. Spamming lots of withdrawals is irrelevant. The code should access one request at a time and each request to be completed before accepting another request.

Current balance - withdrawal request - request equal or less than balance = request accepted - withdrawal completed - new balance. Then repeat for each request. If there are many requests at the same time then only 1 request can be processed and others rejected.

I wasn't disagreeing that it's bad programming. Just clearing up the nature of the flaw.

[jtpeters]

Here's the way I see it. One of these is true. I hope it's the first one.

1) OP is 100% honest [great] <---- this is what we all want. But we don't always get to go to Disneyland, kids.

2) OP is partially honest [not bad, but still okay. Not a sign of theft. Theft is more clever and thought-out, like #3]

3) Impose a Cyprus-style "tax" on deposits. Suggest raising fees in order to make up the difference.

4)  Impose a Cyprus-style "tax" on deposits. Suggest raising fees in order to make up the difference, hoping that someone else (perhaps a friend) will suggest a share offering to get even more BTC [steal money, then get people to hand it over]

Once OP gives us more evidence and detail about what happened, #1 becomes more likely.

Openness, honesty, and transparency dictates an honest OP.

If this doesn't happen, or this post is shouted down (if organically or by friends of OP there's no way to know) then I think 4 is more likely.

[sundownz]

Dang... was hoping to sell my Q2C on Poloniex today.

[jtpeters]

[snips throughout[

it really wouldn't be fair to deduct deposits made after the BTC was taken.

Obviously I should have posted a notice on the Balances page, but it is not difficult to make an exception for recent deposits.

I will be hiring a security programmer after this is dealt with.

You have NOT posted a VERY VISIBLE post on your website. This means people are still unknowingly sending you money. I consider this dishonest.

Hiring a security programmer after this is dealt with? You need one NOW not later.

"it really wouldn't be fair to deduct deposits made after the BTC was taken."... why not?

[Bansheroom]

Busoni, a few ppl in the box made a poll earlier. The link is here: https://bitcointalk.org/index.php?topic=500157.0

Thanks for the link, seems as im not the only one that wants some shares.

[jtpeters]

One anonymous poster vouching for another?

"If he was a thief he could easily have..." could apply to anyone before they do something wrong. But anyway.

It's a good exchange, sure. And I hope that all is the way that is said. I'm just suggesting that we not automatically assume that everything anonymous people say on the internet is true, especially when it comes to money.

You can check the thread history for him on here asking for help on how to retrieve BTC from a customer's wallet however, that is very real.

Yes, that's very nice. There are plenty of posts from Mark Karpeles being helpful too. We don't have the whole story yet (even if the first post is 100% true) because it has not been provided to us.

[anonuser777]

Don't know if this has been posted before, but the poloniex hack gets a mention in the UK Guardian (after the flexcoin business):

http://www.theguardian.com/technology/2014/mar/04/bitcoin-bank-flexcoin-closes-after-hack-attack

All publicity is good publicity, right?

[maardein]

Busoni, a few ppl in the box made a poll earlier. The link is here: https://bitcointalk.org/index.php?topic=500157.0

Thanks for the link, seems as im not the only one that wants some shares.

Well, I voted for shares, but mainly because I think increasing fees is not the way to go. There are some options missing in that poll.

"it really wouldn't be fair to deduct deposits made after the BTC was taken."... why not?

Seems logical to me. The BTC was taken from the 'main pot', in which all the BTC from everyone was who had BTC on the exchange at that moment. Apparently people deposited to the pot after the BTC was stolen. Why would their BTC be reduced, even though nothing was taken from their BTC?

[Biomech]

I would like to thank everyone for their support and understanding. It really means a lot. Having other people's money taken under my watch has made me feel just about as awful as I've ever felt in my life.

I think I should have a poll to determine how to pay the funds back. Here are the options I'm thinking:

1. Pay back over time with exchange fees.
2. Same as #1, but raise fees to expedite.
3. Sell shares of Poloniex to cover the debt; dividends paid regularly.
4. Award such shares to everyone immediately and consider that repayment.

Let me know if I'm forgetting an option here.


About recent deposits--it really wouldn't be fair to deduct deposits made after the BTC was taken. Obviously I should have posted a notice on the Balances page, but it is not difficult to make an exception for recent deposits.

I will be hiring a security programmer after this is dealt with.

I got no dog in the fight, so I'm fairly dispassionate on this. I think you should have posted 3 and 4 as a single item, and that's the way I'm gonna vote. If you do it, I would not mind a chance at buying some of those shares.

I also recommend, as Warren had posted earlier, that you start putting some of your income into an insurance fund to cover such things if they happen again.

Your honesty in this has probably saved your business, but coming as it did on the heels of the Empty Gox debacle, you are probably going to feel some pain for some time to come. I would try to sell shares at a rate twice what you lost to raise reserves against any sort of disaster. And I would do it through a third party with multisig verification.