Bitcoin Forum
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 [20] 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 »
Author Topic: BTC Stolen from Poloniex  (Read 167418 times)
wwdz99 (Sr. Member)  March 05, 2014, 01:23:28 AM  #381
Last edit: March 05, 2014, 03:36:27 AM by wwdz99

Hi busoni,
I got an error message 'COMPLETE: ERROR, NOT SENT' when I withdrew my XCP, and my XCP account balance was lost too. So what is the problem? Waiting for your reply. Thank you.

Withdrawal History (Last 25)

Currency | Amount | Address                            | Date                | Status
XCP      | 48.3   | 1Cw83Jmn5oDTRUh9oTZdeSBu67NuG5i*** | 2014-03-05 00:58:07 | COMPLETE: ERROR, NOT SENT

[XCP] Counterparty: 0.00000002
Deposit: 1Esd2tJaMWY6MpuB6WxtfrehaeihaDoeyE
precrime3 (Member)  March 05, 2014, 01:50:05 AM  #382

Markets unfrozen yet? What's the status of Poloniex?

InsanityDev (Full Member)  March 05, 2014, 01:51:57 AM  #383


The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time. This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon.


Are you kidding me? Did you do any research on past Bitcoin exchanges hacks before auditing your code?

That exact same "hack" has been done on multiple exchanges in the past.

Another guy who's created an exchange but yet somehow doesn't know what a database transaction is... unreal.

Indeed, so let's tell him and help him out. He does have the bit most of the other exchange owners were missing: a bit of decency and moral fibre.

Put another way, most people capable of making an exceptional exchange that's technically just right have neither the will nor the inclination to run one long term, and the profits involved are too low to warrant doing it.

Probably why you and I both don't have our own exchanges, eh.

remykwp (Newbie)  March 05, 2014, 01:52:22 AM  #384

Markets unfrozen yet? What's the status of Poloniex?

They took 12% of our bitcoin ($300) for me, and told us everything is alright now, so just continue on about our business.
precrime3 (Member)  March 05, 2014, 01:53:09 AM  #385

Idk if that was sarcastic.... lol

GreekBitcoin (Legendary)  March 05, 2014, 01:53:18 AM  #386

The guy might not have the best technical skills, but he is transparent and doesn't look like he wants to scam people. Of course no one knows, but for now: he could have taken everything, but he didn't.

I received my Darkcoins, so for me everything is fine. Hope the best for you guys too.
timmmers (Sr. Member)  March 05, 2014, 02:18:16 AM  #387

Markets unfrozen yet? What's the status of Poloniex?

They took 12% of our bitcoin ($300) for me, and told us everything is alright now, so just continue on about our business.

No, that's not what he said. He said he'd repay it. That makes it a loan.

All these people who never made a mistake, and also never checked to see if these "obvious" flaws they now crow about existed, might make that take a while though. As has already been mentioned, losing 12% is not unusual in trading, not to mention crypto trading, but spreading unfounded negativity to ensure you lose more is plain illogical. No good comes of that for anyone.

If you trust the admin, that's your decision. If you don't and get out, you've no dog in the fight so maybe leave it to those who have to win or lose based on their own gut feelings or research?

SUNcoinDEVs (Member)  March 05, 2014, 02:18:31 AM  #388

Luckily SUN is on the LTC market, so all our miners are good.

Teque (Newbie)  March 05, 2014, 02:29:58 AM  #389

Today, about 12.3% of the BTC on Poloniex was stolen.

How Did It Happen?

The hacker found a vulnerability in the code that takes withdrawals. Here's what happens when you place a withdrawal:

1. Input validation.
2. Your balance is checked to see if you have enough funds.
3. If you do, your balance is deducted.
4. The withdrawal is inserted into the database.
5. The confirmation email is sent.
6. After you confirm the withdrawal, the withdrawal daemon picks it up and processes the withdrawal.

The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time. This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon.

What Did Poloniex Do Wrong?

The major problem here is that the auditing and security features were not explicitly looking for negative balances. They add deposits and withdrawals and check that accounts are in balance. If you have 2 BTC, withdraw 10 BTC, and are left with -8 BTC, the software would see that you deposited 2, withdrew 10, and have exactly what you should: -8.

Another design flaw is that withdrawals should be queued at every step of the way. This could not have happened if withdrawal requests were processed sequentially instead of simultaneously.

What Did Poloniex Do Right?

The existing security features noticed unusual withdrawal activity and froze BTC. That is how the activity was discovered.

What Happens Now?

I take full responsibility for this and am committed to repaying the debt of BTC. The exchange funds are 12.3% short. Because there is not enough BTC to cover everyone's balances, all balances will temporarily be deducted by 12.3%. Please understand that this is an absolute necessity--if I did not make this adjustment, people would most likely withdraw all their BTC as soon as possible in order to make sure they weren't left in that remaining 12.3%. Aside from the obvious drawback of most of the BTC being taken out of the exchange, this would not be fair--some people would get all of their money right away, and a few would get none right away.

The amount deducted from everyone's balances will be recorded, and funds raised from exchange fees, as well as donations from my own pocket (which is not very deep, I'm afraid), will be distributed regularly to all users who have had BTC deducted. Exchange fees will be raised to expedite the recovery of the debt. 1.5% has been suggested by many people, but I will take input on this.

If I had the money to cover the entire debt right now, I would cover it in a heartbeat. I simply don't, and I can't just pull it out of thin air.

Right now, all markets and withdrawals are still frozen, and they will remain that way until the negative balance watcher is written and in place and balance deductions are calculated. Please do not bother placing withdrawals right now, as they will not be processed and will probably all be cancelled before functionality resumes. ETA on availability of withdrawals is approximately 12 hours. I am afraid it is 3 AM where I am right now, and I think it is wise for me to get some rest before proceeding.

What Will Be Done to Prevent Further Exploits?

One thing has already been done: the withdrawal daemon now checks for negative balances before processing withdrawals and will freeze any account with a negative balance. This effectively prevents the exploit from being used again, but it is only a hotfix.

The next thing that will be done--before markets are unfrozen--is that a daemon will be created that continually monitors for negative balances and freezes any account with a negative balance. After that, markets can be unfrozen and withdrawals resumed. Immediately following that, a daemon that will run automated audits on every account will be created, which will alert me of any strange activity and freeze any account with an overage of a balance.

After that, withdrawals and order creation will be switched to a queued method, where the first step will be to add the task to a global execution queue that will be processed sequentially.

-----

In conclusion...

I sincerely apologize for this, and I am very grateful to the many people who have already expressed their support and belief in my character. I take full responsibility; I will be donating some of my own money, and I will not be taking profit before the debt is paid.

I welcome your opinions on how to proceed, but please be constructive. I do not have the money to wave away the debt, so we'll need to work together.

This is the IP: 151.246.92.197 (Country: Zahedan, Iran) of your possible hacker...
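The race busoni describes in the quoted write-up, as an added example that is not part of the original post and not Poloniex's code: a small Python model of the withdrawal path on an in-memory SQLite ledger. The table names, the user name "alice" and the amounts are constructed for the example. `withdraw_vulnerable` performs the check, the deduct and the insert as three separate statements, and a round-robin scheduler interleaves five requests so that every check runs before any deduct, a deterministic stand-in for five HTTP requests landing in the same instant. `withdraw_safe` folds the check into the deduct with one conditional UPDATE, which is the in-database way of serializing the requests. `audit_in_balance` is the sum-based audit the post says was satisfied by -8, and `audit_negative` is the negative-balance watcher described as the hotfix.

```python
import sqlite3
from typing import Dict, Iterator, List

# Minimal in-memory ledger standing in for the exchange database (constructed for
# this example; the schema is an assumption, not Poloniex's).
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE balances    (user TEXT PRIMARY KEY, balance REAL NOT NULL);
        CREATE TABLE deposits    (user TEXT NOT NULL, amount REAL NOT NULL);
        CREATE TABLE withdrawals (user TEXT NOT NULL, amount REAL NOT NULL);
    """)
    return db

def deposit(db: sqlite3.Connection, user: str, amount: float) -> None:
    db.execute("INSERT OR IGNORE INTO balances VALUES (?, 0)", (user,))
    db.execute("UPDATE balances SET balance = balance + ? WHERE user = ?", (amount, user))
    db.execute("INSERT INTO deposits VALUES (?, ?)", (user, amount))

def balance(db: sqlite3.Connection, user: str) -> float:
    return db.execute("SELECT balance FROM balances WHERE user = ?", (user,)).fetchone()[0]

def withdraw_vulnerable(db: sqlite3.Connection, user: str, amount: float) -> Iterator[str]:
    """Steps 2-4 of the post as three separate statements: check, deduct, insert.
    Written as a generator so the scheduler below can interleave several requests
    one step at a time; the check is stale by the time the deduct runs."""
    if balance(db, user) < amount:                       # step 2: balance check
        return
    yield "checked"
    db.execute("UPDATE balances SET balance = balance - ? WHERE user = ?", (amount, user))
    yield "deducted"                                      # step 3: unconditional deduct
    db.execute("INSERT INTO withdrawals VALUES (?, ?)", (user, amount))
    yield "inserted"                                      # step 4: a valid row the daemon pays out

def run_interleaved(requests: List[Iterator[str]]) -> None:
    """Round-robin scheduler: every request passes its check before any deducts."""
    pending = list(requests)
    while pending:
        for req in list(pending):
            try:
                next(req)
            except StopIteration:
                pending.remove(req)

def withdraw_safe(db: sqlite3.Connection, user: str, amount: float) -> bool:
    """Check and deduct in one conditional UPDATE inside a transaction. The row
    update is atomic, so a concurrent request sees the already-reduced balance
    and is rejected instead of driving the balance negative."""
    with db:
        cur = db.execute(
            "UPDATE balances SET balance = balance - ? WHERE user = ? AND balance >= ?",
            (amount, user, amount))
        if cur.rowcount != 1:
            return False
        db.execute("INSERT INTO withdrawals VALUES (?, ?)", (user, amount))
    return True

def audit_in_balance(db: sqlite3.Connection, user: str) -> bool:
    """The audit the post describes: balance == deposits - withdrawals.
    -8 satisfies it just as well as +8, so it never notices the theft."""
    dep = db.execute("SELECT COALESCE(SUM(amount), 0) FROM deposits WHERE user = ?", (user,)).fetchone()[0]
    wd = db.execute("SELECT COALESCE(SUM(amount), 0) FROM withdrawals WHERE user = ?", (user,)).fetchone()[0]
    return abs(balance(db, user) - (dep - wd)) < 1e-9

def audit_negative(db: sqlite3.Connection) -> List[str]:
    """The hotfix the post describes: flag (and freeze) any account below zero."""
    return [u for (u,) in db.execute("SELECT user FROM balances WHERE balance < 0 ORDER BY user")]

def demo() -> Dict[str, object]:
    # Vulnerable path: 2 BTC on deposit, five 2 BTC withdrawals land at once.
    db = make_db()
    deposit(db, "alice", 2.0)
    run_interleaved([withdraw_vulnerable(db, "alice", 2.0) for _ in range(5)])
    # Hardened path: the same five requests, serialized by the conditional UPDATE.
    db2 = make_db()
    deposit(db2, "alice", 2.0)
    safe = [withdraw_safe(db2, "alice", 2.0) for _ in range(5)]
    return {
        "vulnerable_balance": balance(db, "alice"),                 # -8.0: 2 in, 10 out
        "in_balance_audit_passes": audit_in_balance(db, "alice"),   # True: the audit is blind to it
        "negative_flagged": audit_negative(db),                     # ["alice"]
        "safe_results": safe,                                       # [True, False, False, False, False]
        "safe_balance": balance(db2, "alice"),                      # 0.0
    }

if __name__ == "__main__":
    print(demo())
```

In a real deployment the five requests run on separate database connections, so the protection in `withdraw_safe` rests on the row update being atomic in the database, not on Python; the global execution queue the post plans achieves the same ordering at the application layer. Keep the negative-balance watcher regardless: it catches any other path that still writes the balance unconditionally.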
phil__65 (Newbie)  March 05, 2014, 02:30:52 AM  #390

Thx for starting the refund. I really thought everything would be gone :) Will continue trading here now (with a smaller budget though).
coomme (Full Member)  March 05, 2014, 02:41:03 AM  #391

And then, what can we do?
Yesterday I withdrew my BTC (1 in total), but it was not transferred, and now my account is 0.87,
but I need to withdraw to my wallet. Can I do a withdrawal now?
Please master, tell me, thanks.
remykwp (Newbie)  March 05, 2014, 02:53:04 AM  #392

Markets unfrozen yet? What's the status of Poloniex?

They took 12% of our bitcoin ($300) for me, and told us everything is alright now, so just continue on about our business.

No, that's not what he said. He said he'd repay it. That makes it a loan.

All these people who never made a mistake, and also never checked to see if these "obvious" flaws they now crow about existed, might make that take a while though. As has already been mentioned, losing 12% is not unusual in trading, not to mention crypto trading, but spreading unfounded negativity to ensure you lose more is plain illogical. No good comes of that for anyone.

If you trust the admin, that's your decision. If you don't and get out, you've no dog in the fight so maybe leave it to those who have to win or lose based on their own gut feelings or research?

You're retarded. "Losing 12% is not unusual in trading" does not justify shit. Taking people's money is NOT ok. Poloniex took money from me; this is my dog in the fight. "so maybe leave it to those who have to win or lose based on their own gut feelings or research?" I don't even know what to say about this stupid shit.
coomme (Full Member)  March 05, 2014, 03:06:36 AM  #393

I can't accept your word.

Why?

Please look:

Yesterday I withdrew my BTC to my wallet.

from Poloniex (do-not-reply@poloniex.com)
2014/3/4
to: co****@live.com
A request to withdraw 1.00000001 BTC from your Poloniex account to address 1Q3szoF3KPhd9Wkftgk******** was just made. To confirm the withdrawal, please click the following link: https://www.poloniex.com/confirmWithdrawal.php?h=?a*********

You said the theft happened today, right? But yesterday, about 22:00, it should have been confirmed in about 30 minutes, right? But it was not!!

Can you tell us why?
coomme (Full Member)  March 05, 2014, 03:13:04 AM  #394



Please master, answer me: why did my withdrawal fail about 12 hours ago?
KEVINYU1972 (Newbie)  March 05, 2014, 03:16:50 AM  #395

Now are deposits and withdrawals OK?

I deposited USDE coin about half an hour ago,

the coin does not show as in. Pls check!

Thanks!
coomme (Full Member)  March 05, 2014, 03:24:44 AM  #396

That's all.

My withdrawal was before the theft, about 12 hours ago, and now I have lost 0.13 BTC.

Can we accept it??
Masterkiss (Newbie)  March 05, 2014, 03:54:07 AM  #397

I lost 0.00268611 BTC.
endlessskill (Hero Member)  March 05, 2014, 03:58:59 AM  #398

I lost 0.8 BTC >:(
maco (Sr. Member)  March 05, 2014, 04:03:42 AM  #399

I have never seen a post as transparent as this, ever, from any exchange. Unfortunately, this is a bad situation, but OP seems to be honest.

This is a horrible trend that is going on with all exchanges, as we all know:
first Mt. Gox, then Flexcoin, and now Poloniex, and countless others that I am sure are hiding in the dark about it.

What the heck was Flexcoin anyway? And why did they have so much damn BTC? I know it was an exchange, but I never heard of them until today,
only to find out they shut their doors because a hacker stole 800+ BTC (I never knew Flexcoin was open to begin with... hm?)

There seems to be a trend of exchanges getting attacked. Be safe with your investments, and don't leave money on exchanges (aka online wallets) for too long or in large amounts. If you are done trading for that hour or day, cash out to be safe.

Good luck all, and thanks busoni for being transparent.

[quote of busoni's incident write-up, already reproduced in full above]
Hash72 (Sr. Member)  March 05, 2014, 04:28:08 AM  #400

Thanks for your honesty and transparency i am going to stay with you no problems...
