Bitcoin Forum
Author Topic: BTC Stolen from Poloniex  (Read 167414 times)
biodieselchris
March 04, 2014, 05:02:26 PM
 #221

I traded my BTC down to 1 satoshi (for AuroraCoin!) so I guess you can't freeze 1/8th of that?  Cool

So far I like, and very much so, the transparent way that the Poloniex founder is dealing with this issue. Hoping for more good things from this site. Everyone has growing pains. Learn from them.

jtpeters
March 04, 2014, 05:03:08 PM
 #222

Will someone who is depositing money right now (because there's no VISIBLE NOTICE on the site regarding the situation) also have their BTC deducted?

If no, then what is the exact time you are using for the "cut off"? 1 hour after theft? 10 hours? This makes no sense, especially when it appears you are still taking deposits.

If yes, are you serious?
leopard2
March 04, 2014, 05:03:22 PM
 #223

The transparency is excellent

The issue can be fixed via debt-to-equity swap (issuing shares)

The whole thing gives me the creeps because it is not clear which other marketplaces can have the exact same problem without us knowing. We need a marketplace that got actual real world deposit insurance and regular auditing by an external auditing firm.

Not regulation, but insurance and auditing is key.

Truth is the new hatespeech.
InsanityDev
March 04, 2014, 05:04:36 PM
 #224

I traded my BTC down to 1 satoshi (for AuroraCoin!) so I guess you can't freeze 1/8th of that?  Cool

So far I like, and very much so, the transparent way that the Poloniex founder is dealing with this issue. Hoping for more good things from this site. Everyone has growing pains. Learn from them.

Exactly, would rather support somebody transparent through this, than risk crypto at a new exchange where it could all be lost with no comeback or support.

The scum at coins-e who owe oh so much money could learn a lesson from this.

jtpeters
March 04, 2014, 05:05:43 PM
Last edit: March 04, 2014, 05:28:06 PM by jtpeters
 #225

I traded my BTC down to 1 satoshi (for AuroraCoin!) so I guess you can't freeze 1/8th of that?  Cool

So far I like, and very much so, the transparent way that the Poloniex founder is dealing with this issue. Hoping for more good things from this site. Everyone has growing pains. Learn from them.

The right time to hire a security programmer is when you 1) own an exchange; and 2) hear about security issues at the biggest exchange and hear the Bitcoin community talk about double-spending; and 3) hear about security issues at other exchanges

OP had a few weeks++ to lock the site down and make it secure. Hiring someone after these issues are resolved (what? 1 month? 2 months? and have more BTC stolen?) is not the way to go.
jtpeters
March 04, 2014, 05:12:09 PM
 #226

It's amazing that people are saying "Yes! We have all of the information we need about this incident. You've been transparent enough. Now let us send you more BTC for our shares!"

rather than, "We'd like more detailed information about this incident in order to make a more informed decision."

Amazing...
The One
March 04, 2014, 05:13:32 PM
 #227

I would like to thank everyone for their support and understanding. It really means a lot. Having other people's money taken under my watch has made me feel just about as awful as I've ever felt in my life.

I think I should have a poll to determine how to pay the funds back. Here are the options I'm thinking:

1. Pay back over time with exchange fees.
2. Same as #1, but raise fees to expedite.
3. Sell shares of Poloniex to cover the debt; dividends paid regularly.
4. Award such shares to everyone immediately and consider that repayment.

Let me know if I'm forgetting an option here.


About recent deposits--it really wouldn't be fair to deduct deposits made after the BTC was taken. Obviously I should have posted a notice on the Balances page, but it is not difficult to make an exception for recent deposits.

I will be hiring a security programmer after this is dealt with.

1. Correct. It's your company and you will benefit from this profit wise in the long run. No one should bail out your company as it smacks of socialism.
2. Introduce small withdrawal fee of .20%. Only sensible option available that can be done quickly and easily.
3. Too complicated unless you know what you are doing. Expensive and time consuming. Would require full information of the company Poloniex and all company accounts. Would require contracts, legally binding and in the UK where we have contract laws etc. I would not accept any other countries.
4. same as 3.
5. Ask for 'donations', whereas if someone were to donate BTC now, you will pay them back in 3 months plus 5% interest for 3 months loan. Hell lot better return than the fiat banks.



DubFX
March 04, 2014, 05:17:23 PM
 #228

Isn't sum from that account pointing here? Whose address is this?
https://blockchain.info/address/1N2f642sbgCMbNtXFajz9XDACDFnFzdXzV
awesomeperson451
March 04, 2014, 05:18:14 PM
 #229

I just want to start out by saying, I really appreciate all the work that's been done so far to solve the issue and pay everyone back. I'll give the dev the benefit of the doubt and assume he's not out buying a new car or scheduling a vacation with all the BTC Poloniex just lost.

Anyway, I know that withdrawals and trading are both frozen, but what about altcoin deposits? I deposited 4 CGA shortly after everything got frozen and before I found out about it. After 3 hours and 446 confirmations, the CGA I sent still hasn't shown up in my account. Now, I have enough in my personal wallet to be fine with waiting for a while, but I need to know if I'm gonna be able to get that back sometime in the future. It isn't just lost in the blockchain somewhere, right?
dooglus
March 04, 2014, 05:22:14 PM
 #230

The next thing that will be done--before markets are unfrozen--is a daemon will be created that continually monitors for negative balances and freezes any account with a negative balance

This isn't the right way to fix the problem.

What you need to do is to make sure that users aren't allowed to do two balance-affecting things at the same time.  Otherwise they'll just find another way to cheat you.

Make "check balance" and "reduce balance" atomic.

Checking for negative balances isn't the answer.  Suppose I have 30 BTC and try to very quickly withdraw 10 BTC twice.  Both "check balance" calls see I have 30 BTC, which is enough.  Both "reduce balance" calls set my balance to 20 BTC.  Then you send me two separate 10 BTC payments, my balance has never been negative, and I'm 10 BTC up on the deal.  You need to make sure that the "check balance" and "update balance" happen without anything else relating to that user happening between them.

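The double withdrawal described in the post above, replayed against a small SQLite ledger next to an atomic check-and-reduce. This is an added example, not part of the original thread and not Poloniex's code; the `accounts` table, the `alice` account and every function name are assumptions made for illustration.

```python
import sqlite3

def new_db(balance):
    """In-memory ledger with one constructed account; balances are whole BTC for readability."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (user TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    db.execute("INSERT INTO accounts VALUES ('alice', ?)", (balance,))
    db.commit()
    return db

def check_balance(db, user):
    return db.execute("SELECT balance FROM accounts WHERE user = ?", (user,)).fetchone()[0]

def replay_non_atomic(db, user, amount):
    """Two withdrawal requests whose balance checks both run before either write.
    Returns (total paid out, final balance, lowest balance ever stored)."""
    seen = [check_balance(db, user), check_balance(db, user)]  # both requests read 30
    paid, lowest = 0, seen[0]
    for stale in seen:
        if stale >= amount:  # the check passes on a stale read
            db.execute("UPDATE accounts SET balance = ? WHERE user = ?", (stale - amount, user))
            db.commit()
            paid += amount
            lowest = min(lowest, check_balance(db, user))
    return paid, check_balance(db, user), lowest

def withdraw_atomic(db, user, amount):
    """Check and reduce in one statement: the WHERE clause is the balance check,
    and the row count says whether this request may be paid."""
    cur = db.execute(
        "UPDATE accounts SET balance = balance - ? WHERE user = ? AND balance >= ?",
        (amount, user, amount),
    )
    db.commit()
    return cur.rowcount == 1

def replay_atomic(db, user, amount, requests):
    """Issue `requests` withdrawals; returns (total paid out, final balance)."""
    paid = sum(amount for _ in range(requests) if withdraw_atomic(db, user, amount))
    return paid, check_balance(db, user)

if __name__ == "__main__":
    print(replay_non_atomic(new_db(30), "alice", 10))  # paid 20, ledger only down 10
    print(replay_atomic(new_db(30), "alice", 10, 4))   # fourth request is refused
```

In the non-atomic replay the stored balance never drops below 20, so a monitor that only looks for negative balances has nothing to flag even though 20 was paid out against a ledger change of 10.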
jtpeters
March 04, 2014, 05:23:53 PM
 #231

OP.. you said this just a couple of days ago:

"One more thing--about security. Very few Poloniex accounts have been hacked--less than five, I think--but I still think reminders like this don't hurt. ...
This is money we're talking about, which means people will always be trying to steal it. "

When someone asked you about security you avoided it https://bitcointalk.org/index.php?topic=420836.msg5471836#msg5471836

  • There's nothing visible about security on your website or FAQ
  • It does not appear that you have anyone to secure the website and will be looking to hire someone 'later'
  • when asked about site security you appear to have avoided the question. Isn't this important to discuss?

Further, per your own Terms you are legally liable for the loss that has occurred. You have a very short Terms page. Big mistake. It says only, "You agree not to hold Poloniex liable for any loss of funds resulting from incorrect information provided by you. "

which means you are liable for other losses. Though you say, "These terms and conditions may be changed at any time without notice. By continuing to use the services provided by Poloniex.com, you agree to any and all such changes." it would not apply to previous agreements.

I'm guessing you were an easy target for hackers because you did not have much security. You did not therefore do your best to secure the deposits of clients. And you are liable for the loss.

I'm sure the good folks here would not think of suing you (and neither would I) but you may want to CYA.
jtpeters
March 04, 2014, 05:27:16 PM
Last edit: March 04, 2014, 05:44:47 PM by jtpeters
 #232

The transparency is excellent

The issue can be fixed via debt-to-equity swap (issuing shares)

The whole thing gives me the creeps because it is not clear which other marketplaces can have the exact same problem without us knowing. We need a marketplace that got actual real world deposit insurance and regular auditing by an external auditing firm.

Not regulation, but insurance and auditing is key.

Pray tell, what was OP being transparent about? Exactly how much BTC was lost? (xxxxxx.xxxxxxxx) What the transaction IDs are? More useful information? etc
solid12345
March 04, 2014, 05:28:48 PM
 #233


I'm sure the good folks here would not think of suing you (and neither would I) but you may want to CYA.

Well let's be honest, you're not going to find a small claims lawyer who would even sue for .12 of a Bitcoin.
SlidingHorn
March 04, 2014, 05:29:55 PM
 #234


I'm sure the good folks here would not think of suing you (and neither would I) but you may want to CYA.

Well let's be honest, you're not going to find a small claims lawyer who would even sue for .12 of a Bitcoin.

Must not be in the US...no case is too petty for an attorney here Wink

jtpeters
March 04, 2014, 05:33:59 PM
 #235

The next thing that will be done--before markets are unfrozen--is a daemon will be created that continually monitors for negative balances and freezes any account with a negative balance

This isn't the right way to fix the problem.

What you need to do is to make sure that users aren't allowed to do two balance-affecting things at the same time.  Otherwise they'll just find another way to cheat you.

Make "check balance" and "reduce balance" atomic.

Checking for negative balances isn't the answer.  Suppose I have 30 BTC and try to very quickly withdraw 10 BTC twice.  Both "check balance" calls see I have 30 BTC, which is enough.  Both "reduce balance" calls set my balance to 20 BTC.  Then you send me two separate 10 BTC payments, my balance has never been negative, and I'm 10 BTC up on the deal.  You need to make sure that the "check balance" and "update balance" happen without anything else relating to that user happening between them.

This is a security issue that has been documented for weeks. OP just didn't keep up with security patches.
cubicdissection
March 04, 2014, 05:34:44 PM
 #236

You guys are being twits.  This guy has been completely transparent and is clearly working hard to rectify the situation.  Would you rather his exchange shut down?  How about every exchange that has had problems?  Let's go back to the days of google docs and getting scammed most of the time.

Running a business is tough, shit doesn't always go perfectly.  What makes the difference is how the managers respond, and busoni's doing everything right.  Get a grip.

This is not a mature market, products are still in development, there's no big money backing these guys.  You want perfection, wait for apple to open an exchange.  By then you'll have missed the bus, but that's ok with me because without you on it bitching all the time it's a much quieter, relaxing ride.
jtpeters
March 04, 2014, 05:39:25 PM
 #237

Sorry.. the more minutes that roll by and there's still NO VERY VISIBLE NOTICE ON THE WEBSITE the more this smells like a scam.

Observe: https://poloniex.com/balances

Depositing BTC or other coins? No problem!

OP has everyone's email address. Did you get an email letting you know that something happened? Probably not.

Same shit that Coinmarket did.
The One
March 04, 2014, 05:40:05 PM
 #238

You guys are being twits.  This guy has been completely transparent and is clearly working hard to rectify the situation.  Would you rather his exchange shut down?  How about every exchange that has had problems?  Let's go back to the days of google docs and getting scammed most of the time.

Running a business is tough, shit doesn't always go perfectly.  What makes the difference is how the managers respond, and busoni's doing everything right.  Get a grip.

This is not a mature market, products are still in development, there's no big money backing these guys.  You want perfection, wait for apple to open an exchange.  By then you'll have missed the bus, but that's ok with me because without you on it bitching all the time it's a much quieter, relaxing ride.

You're a twit for assuming everyone on here is a guy.......perhaps in your fantasy land there are no females.


jparsley
March 04, 2014, 05:40:25 PM
 #239

No info on the hacker?

please unban me.
kimosan
March 04, 2014, 05:42:59 PM
Last edit: May 02, 2014, 05:56:17 PM by kimosan
 #240

I would like to thank everyone for their support and understanding. It really means a lot. Having other people's money taken under my watch has made me feel just about as awful as I've ever felt in my life.

I think I should have a poll to determine how to pay the funds back. Here are the options I'm thinking:

1. Pay back over time with exchange fees.
2. Same as #1, but raise fees to expedite.
3. Sell shares of Poloniex to cover the debt; dividends paid regularly.
4. Award such shares to everyone immediately and consider that repayment.

Let me know if I'm forgetting an option here.


About recent deposits--it really wouldn't be fair to deduct deposits made after the BTC was taken. Obviously I should have posted a notice on the Balances page, but it is not difficult to make an exception for recent deposits.

I will be hiring a security programmer after this is dealt with.

Your openness and honesty in this situation is to be commended. There are a lot of exchanges who could learn the correct way to deal with a security breach by reading this thread.
Once you get all the security in place and the site is back to full operational I will continue to trade on your exchange.

Keep up the good work Tristan.