Bitcoin Forum
Author Topic: BTC Stolen from Poloniex  (Read 167413 times)
kache
March 04, 2014, 05:45:26 PM
 #241

You guys are being twits.  This guy has been completely transparent and is clearly working hard to rectify the situation.  Would you rather his exchange shut down?  How about every exchange that has had problems?  Let's go back to the days of google docs and getting scammed most of the time.

Running a business is tough, shit doesn't always go perfectly.  What makes the difference is how the managers respond, and busoni's doing everything right.  Get a grip.

This is not a mature market, products are still in development, there's no big money backing these guys.  You want perfection, wait for apple to open an exchange.  By then you'll have missed the bus, but that's ok with me because without you on it bitching all the time it's a much quieter, relaxing ride.

You're a twit for assuming everyone on here is a guy.......perhaps in your fantasy land there are no females.
Who the fuck cares what's the sex of someone on the internet?

Rig: http://www.betarigs.com/rig/257
BTC: 15rBivhPYhVnQsgVHucNXHy5b66bUn6njM
Doge: DSdsJdTrmXSAZCdNi1iQ7zEo8nH1iBWGQv
jtpeters
March 04, 2014, 05:45:54 PM
 #242

You guys are being twits.  This guy has been completely transparent and is clearly working hard to rectify the situation.  Would you rather his exchange shut down?  How about every exchange that has had problems?  Let's go back to the days of google docs and getting scammed most of the time.

Running a business is tough, shit doesn't always go perfectly.  What makes the difference is how the managers respond, and busoni's doing everything right.  Get a grip.

This is not a mature market, products are still in development, there's no big money backing these guys.  You want perfection, wait for apple to open an exchange.  By then you'll have missed the bus, but that's ok with me because without you on it bitching all the time it's a much quieter, relaxing ride.

You're a twit for assuming everyone on here is a guy.......perhaps in your fantasy land there are no females.

Do I get extra points for saying him/her above? jk
chiznitz
March 04, 2014, 05:47:14 PM
 #243

The next thing that will be done--before markets are unfrozen--is a daemon will be created that continually monitors for negative balances and freezes any account with a negative balance

This isn't the right way to fix the problem.

What you need to do is to make sure that users aren't allowed to do two balance-affecting things at the same time.  Otherwise they'll just find another way to cheat you.

Make "check balance" and "reduce balance" atomic.

Checking for negative balances isn't the answer.  Suppose I have 30 BTC and try to very quickly withdraw 10 BTC twice.  Both "check balance" calls see I have 30 BTC, which is enough.  Both "reduce balance" calls set my balance to 20 BTC.  Then you send me two separate 10 BTC payments, my balance has never been negative, and I'm 10 BTC up on the deal.  You need to make sure that the "check balance" and "update balance" happen without anything else relating to that user happening between them.

This is a security issue that has been documented for weeks. OP just didn't keep up with security patches.

How is this a security vulnerability that has been known for weeks?  This seems more like a code issue and race conditions rather than something that has only been around for weeks.  The solution is to push all withdrawals to a pendingwithdrawals table that the engine then hits and deducts balance, this way even if the user tries to game the system and has say 5 withdrawals entered at the same time, those withdrawals are in a "pending" table, when the engine grabs them it then checks balances again sequentially on those rows and any withdrawal that the user does not have enough funds for is set to canceled.  This is the type of thing that should be done with ALL user input, orders, cancel orders, etc.

Looking for the best exchange? -> https://bittrex.com
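An added example, not code from any poster or from Poloniex: the 30 BTC / two 10 BTC withdrawals race described in the post above, next to a single-statement check-and-debit and a sequential pending-withdrawals worker. It uses Python's sqlite3 with a constructed `balances` table, whole-BTC integer amounts and hypothetical function names.

```python
import sqlite3

def make_db(balance):
    """Constructed sample data: one account, balance in whole BTC as an integer."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE balances (account TEXT PRIMARY KEY, amount INTEGER NOT NULL)")
    db.execute("INSERT INTO balances VALUES ('alice', ?)", (balance,))
    db.commit()
    return db

def balance_of(db, account):
    row = db.execute("SELECT amount FROM balances WHERE account = ?", (account,)).fetchone()
    return row[0]

def racy_withdrawals(db, account, amounts):
    """Separate check and update, replayed in the order simultaneous requests
    can hit: every request reads the balance before any request writes it."""
    seen = [balance_of(db, account) for _ in amounts]   # all "check balance" calls
    paid = 0
    for before, amt in zip(seen, amounts):              # all "reduce balance" calls
        if before >= amt:
            db.execute("UPDATE balances SET amount = ? WHERE account = ?",
                       (before - amt, account))
            paid += amt
    db.commit()
    return paid, balance_of(db, account)

def atomic_withdraw(db, account, amt):
    """Check and debit in one statement: the row changes only if funds suffice."""
    cur = db.execute(
        "UPDATE balances SET amount = amount - ? WHERE account = ? AND amount >= ?",
        (amt, account, amt))
    db.commit()
    return cur.rowcount == 1

def settle_pending(db, account, amounts):
    """Queue model: requests are only recorded, then one worker settles them
    in order and cancels any the remaining balance cannot cover."""
    return ["paid" if atomic_withdraw(db, account, a) else "canceled" for a in amounts]

if __name__ == "__main__":
    db = make_db(30)
    print(racy_withdrawals(db, "alice", [10, 10]))
    db = make_db(30)
    print(settle_pending(db, "alice", [20, 20, 10]), balance_of(db, "alice"))
```

In the racy run 20 BTC is paid out while the stored balance drops by only 10 and never goes negative, so a negative-balance monitor has nothing to flag.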
InsanityDev
March 04, 2014, 05:53:46 PM
 #244

Quote
guy

Tristan is a guy, he's male. This discussion is not constructive and adds noise to an important thread.

Please keep it on topic.

jtpeters
March 04, 2014, 05:57:13 PM
 #245

How is this a security vulnerability that has been known for weeks?  This seems more like a code issue and race conditions rather than something that has only been around for weeks.  The solution is to push all withdrawals to a pendingwithdrawals table that the engine then hits and deducts balance, this way even if the user tries to game the system and has say 5 withdrawals entered at the same time, those withdrawals are in a "pending" table, when the engine grabs them it then checks balances again sequentially on those rows and any withdrawal that the user does not have enough funds for is set to canceled.  This is the type of thing that should be done with ALL user input, orders, cancel orders, etc.

Someone detailed how it could be done on Reddit a few weeks ago, that's how. Bitcoin devs seem to know about it. It is up to exchanges if they want to fortify themselves against such attacks. Apparently, the OP missed the memo.

But I don't want to miss the forest for the trees.
alioven
March 04, 2014, 05:57:28 PM
 #246

I would like to thank everyone for their support and understanding. It really means a lot. Having other people's money taken under my watch has made me feel just about as awful as I've ever felt in my life.

I think I should have a poll to determine how to pay the funds back. Here are the options I'm thinking:

1. Pay back over time with exchange fees.
2. Same as #1, but raise fees to expedite.
3. Sell shares of Poloniex to cover the debt; dividends paid regularly.
4. Award such shares to everyone immediately and consider that repayment.

Let me know if I'm forgetting an option here.


About recent deposits--it really wouldn't be fair to deduct deposits made after the BTC was taken. Obviously I should have posted a notice on the Balances page, but it is not difficult to make an exception for recent deposits.

I will be hiring a security programmer after this is dealt with.

#3 and #4 add too much complexity and may become a source of problems in future.

Just deduct that 12% from the btc pot (excluding new deposits after trade got halted) and return it from fees over time. Add a small tax on withdrawals if you think it is needed. Add a small interest on the paybacks to balance the time needed to recover the full pot (I mean, people will get BTC back in, let's say, 1 or 2 months? Then give them a bit more than they lost, which will compensate also the rise on taxes, but sooner or later you will get it done)

Giving dividends is the same as giving BTC back, in the end, but dividends are slower and not good for you after the debt is paid. Just consider this: is it good to share future benefits with a lot of people once the theft is returned? That is what will happen if you open shares, and honestly, it will be much more clear for _everyone_ to get BTC returned hour by hour or day by day in a global payback.
Biomech
March 04, 2014, 05:57:34 PM
 #247

Quote
guy

Tristan is a guy, he's male. This discussion is not constructive and adds noise to an important thread.

Please keep it on topic.
noted. Will remove my post.
jtpeters
March 04, 2014, 06:00:16 PM
 #248

You guys and gals are hopeless. I'll check back on page 56 when communication from op has dropped to nil and you slowly forget about your lost funds. Then I'll link to my post on another exchange's forum when they, too, don't believe that the latest "hack" sounds like BS
clintar
March 04, 2014, 06:01:53 PM
 #249

Could we possibly donate toward the missing funds to get things back to normal faster with a benefit of portion of fees coming back to us for a bit? :)
qiwoman
March 04, 2014, 06:04:34 PM
 #250

I am sorry for all the loss here and hope the exchange opens again for trading fast :) and I will support Poloniex. I am not a big trader but I have coins in there I have been working hard to earn so really hope it opens soon.
TingCoin
March 04, 2014, 06:06:11 PM
 #251

I'm happy with the way this has been dealt with, respect for that. I'm still going to do all my trading at Polo, their security is only stronger as a result of this experience I guess.

Any posts from me that were posted in Russian were NOT from me. A cykablyat obtained my forum login details when they were leaked, I was inactive from the forum at that time.
romerun
March 04, 2014, 06:07:25 PM
 #252

The next thing that will be done--before markets are unfrozen--is a daemon will be created that continually monitors for negative balances and freezes any account with a negative balance

facepalm. PHP or the frontend interface is only for receiving requests from users, not executing them. When user makes order, the server replies, "yes we got it", and come up with a script on the backend to process user requests atomically -- trade order, deposit, withdraw... once it's done on the backend, send ajax / websocket response back to the front end that it's done, etc, or have user refresh it manually if such lazy.
jtpeters
March 04, 2014, 06:08:52 PM
 #253

Will someone who is depositing money right now (because there's no VISIBLE NOTICE on the site regarding the situation) also have their BTC deducted?

If no, then what is the exact time you are using for the "cut off"? 1 hour after theft? 10 hours? This makes no sense, especially when it appears you are still taking deposits.

If yes, are you serious?

Site still has no notice about incident 12+ hours after incident occurred.
A small tweet box off to the side does not count. This is obviously VERY important.

Still taking deposits, with no notice on deposit page. Again, more than 12+ hours after the incident occurred.

Deposit coins = OK!
Withdraw coins = not okay :(

People that are depositing money now may still have 12% deducted from their account. Even though the "theft" happened long before they deposited their coins.

Are you okay with all of the above? And you want to send op MORE BTC for shares???

I smell a rat.
WaffleMaster
March 04, 2014, 06:11:24 PM
Last edit: August 17, 2018, 05:19:17 AM by WaffleMaster
 #254



It's all gone!
shdwoflyte
March 04, 2014, 06:12:36 PM
 #255

You guys and gals are hopeless. I'll check back on page 56 when communication from op has dropped to nil and you slowly forget about your lost funds. Then I'll link to my post on another exchange's forum when they, too, don't believe that the latest "hack" sounds like BS

Ok if you're all about thinking about this logically, then do so. Even if he's going to run away with the money (which I personally don't think he will actually), then he's already done it.

I say give him the chance to do right, instead of trying to spread panic. For what cause? Are you so desperate to tell someone I told you so? You're being childlike and stupid.

Yes please come back when there is a page 56. Or honestly, maybe not at all.
cubicdissection
March 04, 2014, 06:14:01 PM
 #256

You're a twit for assuming everyone on here is a guy.......perhaps in your fantasy land there are no females.

Get over yourself.  It's colloquial... Roll Eyes

"The term guy is generally restricted to males, as in Was that a guy or a girl?, but the form you guys may be used for groups of any combination of genders whether it is all male, all female or any combination."

http://en.wiktionary.org/wiki/you_guys
The One
March 04, 2014, 06:14:30 PM
 #257

I would like to thank everyone for their support and understanding. It really means a lot. Having other people's money taken under my watch has made me feel just about as awful as I've ever felt in my life.

I think I should have a poll to determine how to pay the funds back. Here are the options I'm thinking:

1. Pay back over time with exchange fees.
2. Same as #1, but raise fees to expedite.
3. Sell shares of Poloniex to cover the debt; dividends paid regularly.
4. Award such shares to everyone immediately and consider that repayment.

Let me know if I'm forgetting an option here.


About recent deposits--it really wouldn't be fair to deduct deposits made after the BTC was taken. Obviously I should have posted a notice on the Balances page, but it is not difficult to make an exception for recent deposits.

I will be hiring a security programmer after this is dealt with.

#3 and #4 add too much complexity and may become a source of problems in future.

Just deduct that 12% from the btc pot (excluding new deposits after trade got halted) and return it from fees over time. Add a small tax on withdrawals if you think it is needed. Add a small interest on the paybacks to balance the time needed to recover the full pot (I mean, people will get BTC back in, let's say, 1 or 2 months? Then give them a bit more than they lost, which will compensate also the rise on taxes, but sooner or later you will get it done)

Giving dividends is the same as giving BTC back, in the end, but dividends are slower and not good for you after the debt is paid. Just consider this: is it good to share future benefits with a lot of people once the theft is returned? That is what will happen if you open shares, and honestly, it will be much more clear for _everyone_ to get BTC returned hour by hour or day by day in a global payback.

Fecking socialist want tax :D :D :D :D


kashish948
March 04, 2014, 06:14:59 PM
 #258

what happens to the btc which were in active orders?
crazynoggin
March 04, 2014, 06:17:43 PM
 #259

Personally, I think the owner of Poloniex did the right thing by saying what happened. We have to acknowledge that hackers and exploiters will steal funds from time to time and when it does happen, it's best not to go the path of Mt. Gox. When someone does manage to steal funds, we as a community should get together and do our best to track exactly where the stolen money goes and hopefully the money eventually goes to some sort of money exchange service where we can alert the site. Instead of assuming the site owner or one of their employees are in on a conspiracy to steal your money every single time..

Use my referral link if you want: https://primedice.com/?ref=Crazynoggin
kneim
March 04, 2014, 06:18:18 PM
 #260

Will someone who is depositing money right now (because there's no VISIBLE NOTICE on the site regarding the situation) also have their BTC deducted?

If no, then what is the exact time you are using for the "cut off"? 1 hour after theft? 10 hours? This makes no sense, especially when it appears you are still taking deposits.

If yes, are you serious?
This is the problem of being transparent and honest. Mt.Gox had to deduct 100% many months ago, but they didn't tell us the truth.
