SUNcoinDEVs
Member
Offline
Activity: 84
Merit: 10
March 05, 2014, 04:32:01 AM
go for LTC markets guys.
PeterVenter
March 05, 2014, 04:35:14 AM
THANKS FOR BEING HONEST!
Could you post the bitcoin address of the guy who took the funds so we can trace the money, thanks.
Phinnaeus Gage
Legendary
Offline
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
March 05, 2014, 04:40:14 AM
Surely, the rest of this thread isn't the same as the first 20 posts I've read, is it? I can't believe what I'm reading!
mystix
Member
Offline
Activity: 66
Merit: 10
March 05, 2014, 04:43:30 AM
Good plan. Thank you for your honesty. Now follow through and make sure it gets done. There will always be naysayers, and the greedy that want to make sure and complain so they get paid even if no one else does. Stay strong in your plan, and pay out everyone, even when it takes longer. You'll gain far more positive reputation from the general population of users than you will lose from the greedy.
..also be careful if you are tempted by the shares idea. Offering shares in a company can lead to intense scrutiny by regulators and tax authorities. ..even more than there already is for just exchanging money.
Phinnaeus Gage
Legendary
Offline
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
March 05, 2014, 04:44:36 AM
Raising the fees to 1.5% would mean that the users would be paying for this mistake. It doesn't make sense - take 12% of balances and then get the users to pay for it with higher fees. If fees went up many would go elsewhere, leaving the rest of us to pay even more. The users should not pay for this.
Post #23 finally figures it out. Amazing!
mystix
Member
Offline
Activity: 66
Merit: 10
March 05, 2014, 04:49:30 AM
Yeah, because all the other exchanges are running perfect code. If you're such the stud programmer and know all the tricks, offer to fix it for him, or PM him references to someone reputable that would do it for a modest fee. ..but no, both your answers have to be the most negative option possible. He has a plan for recovery, and to continue on. He should do just that. His honesty in the face of a big crime is refreshing in the age of implausible deniability.
busoni, you need to shut down Poloniex now and try to make your users whole from your own funds and debt. Do not continue trying to run an exchange. Your post mortem indicates that you do not have sufficient programming ability to handle other people's money - no mention was even made of database transactions, which are a basic "database programming 101" topic. Your proposed fix of checking for negative balances is wrong and indicates that your code is almost certainly riddled with other exploitable bugs.
Please do the right thing and refund everyone's outstanding balances, then wind up your operation.
I agree with Mike. Attempting to patch this issue with something called a "negative balance watcher" is a huge red flag.
Biomech
Legendary
Offline
Activity: 1372
Merit: 1022
Anarchy is not chaos.
March 05, 2014, 04:51:47 AM
Raising the fees to 1.5% would mean that the users would be paying for this mistake. It doesn't make sense - take 12% of balances and then get the users to pay for it with higher fees. If fees went up many would go elsewhere, leaving the rest of us to pay even more. The users should not pay for this.
Post #23 finally figures it out. Amazing! Panic post, I think. He eventually went with not raising fees, and had a poll about shares being given out. Not sure where that went, yet, or if it even has.
mystix
Member
Offline
Activity: 66
Merit: 10
March 05, 2014, 04:56:54 AM
Where do you think the money comes from here? He's not spontaneously generating money that goes out to all of us. The users pay a fee for access to a system that we presumably like. If we want that system to continue operating, we will likely have to pay a greater fee for a short term. Don't shoot yourself in the foot just to unload your gun. The presumption should always be that you don't invest what you can't afford to lose. That way if things go horribly wrong, as in Mt Gox, you won't go to the poor house because of that risk. At the same time it's ridiculous to assume that he would put himself in a worse position than that. The best he can be expected to do is chart a course where the site can continue to operate and avoid future errors to the extent possible. The most frequent option is to just give up and give people back a percentage, as suggested. It's the most frequent because it's the easiest. ..it also is the least productive for everyone involved, leaving the only winner in this to be the hacker. ..that's what should not happen.
Raising the fees to 1.5% would mean that the users would be paying for this mistake. It doesn't make sense - take 12% of balances and then get the users to pay for it with higher fees. If fees went up many would go elsewhere, leaving the rest of us to pay even more. The users should not pay for this.
busoni (OP)
Sr. Member
Offline
Activity: 364
Merit: 250
Owner of Poloniex
March 05, 2014, 05:18:51 AM
I will begin searching for developers and security programmers tomorrow. In the meantime, the system that takes withdrawals has been redesigned--withdrawal requests are now added to a global command queue, and the queue is processed sequentially.
I've been working on various aspects of the exchange for twelve hours straight, and am a bit exhausted. I will send out an email to all users tomorrow and direct them here so they can give their input before a plan is officially laid out.
busoni (OP)
Sr. Member
Offline
Activity: 364
Merit: 250
Owner of Poloniex
March 05, 2014, 05:22:32 AM
Oh, and I will also add an area on the Balances page that lets you know exactly how much BTC is currently withheld.
spiderdk
Member
Offline
Activity: 74
Merit: 10
March 05, 2014, 05:40:32 AM
KDC wallet on Poloniex is broken, needs update.
I sent 2 orders and none of them arrived (26 hours ago and 2 hours ago).
Check KDC forum topic for news, it's there. Update ASAP.
ty
MysticalPotato
Member
Offline
Activity: 91
Merit: 10
Stop the potato genocide!
March 05, 2014, 06:45:59 AM
An opportunist just reared his/her ugly head at Poloniex's trollbox:
coomme
March 05, 2014, 06:48:10 AM
I will begin searching for developers and security programmers tomorrow. In the meantime, the system that takes withdrawals has been redesigned--withdrawal requests are now added to a global command queue, and the queue is processed sequentially.
I've been working on various aspects of the exchange for twelve hours straight, and am a bit exhausted. I will send out an email to all users tomorrow and direct them here so they can give their input before a plan is officially laid out.
hi, busoni. I had withdrawn all my coins to a local wallet. We all support your plan. From a security point of view, all the temporary extraction, if the security bulletin is reconfirmed I'll come back, but where there is a doubt, I withdrew 1 BTC cash 12 hours ago; it should take one hour to confirm, and it will be transferred. But the result did not succeed, and until you published the message, I could find my BTC account 13% less. Please, how to explain?
kneim
Legendary
Offline
Activity: 1666
Merit: 1000
March 05, 2014, 06:59:40 AM Last edit: March 05, 2014, 07:18:26 AM by kneim
The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time. This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon.
Are you kidding me? Did you do any research on past Bitcoin exchange hacks before auditing your code? That exact same "hack" has been done on multiple exchanges in the past. Another guy who's created an exchange but yet somehow doesn't know what a database transaction is... unreal.
I wonder a little bit about programming skills. As a platform operator I would have a lot of fun detecting anomalies like that, blocking this customer, and making a very, very precise verification of the identity. Perhaps the assets never would be withdrawn.
Abar
Newbie
Offline
Activity: 8
Merit: 0
March 05, 2014, 07:20:02 AM
My BTC balance was reduced by 58% now by Poloniex. Is it normal?
ChrisW
Newbie
Offline
Activity: 2
Merit: 0
March 05, 2014, 07:53:09 AM
The thief's btc address is continuing to grow even though the website's withdrawals and deposits have been FROZEN! https://blockchain.info/address/1Ktq7TE3J5vZ3c99M5weqKfFcNkHQdqPrq
How is this possible? The only person that has access to the website's withdrawals/deposits during this time would be the site owner. The site is still sending btc to the address while you guys are supporting him. It looks like there certainly is a lot of BTC in this account and the thief, whoever he is, is still keeping funds there and using it. Something isn't right about that. If I owned Poloniex my first action would be to start contacting someone, PI, wallet or someone affiliated with the blockchain website to verify and freeze the wallet. Either the thief's got some balls, he's stupid or doesn't care or has no reason to do anything because it's not even him, or the Polo exchange owner isn't actively trying to obtain the stolen BTC and is concentrating more of his time on taking our funds rather than the thief's.
I don't know what's going on and I think the Polo site owner seemed pretty honest about this; but, it seems like the only people that are going to have to pay for a mistake in his exchange's code and site's workability is us. Not to mention funds we have lost from the site being offline and missing out on some pretty amazing trades with CGY, AUR and MZC. I feel for the guy if this is all on the level; but, I am a business owner myself and I cannot think of a circumstance where if I made a mistake or if I missed something that cost me money where I would be able to have the customer assume the loss, even temporarily, and then say "if you want to continue to do business with me it's going to cost you 7.5 times more." Ur a business owner bro, ur mistake cost us money, freezing our funds cost us money, now ur saying you don't have any money so we all have to pay more money. It's 50 grand, ur site does 850 in BTC per day, ur raising the fees 7x so it should all be paid back in a week.
Seriously bro, man up and borrow a few bucks. You're in a big money business, if I can make 10K in 24 hrs, u should be able to triple it. Sorry bro; but seriously, U got leverage on us so u can do this; but, extorting that leverage is only going to hurt your business's rep in the long run. Especially if it happens again and especially given that a lot of people in the crypto business just lost, in some cases, a fortune with Mt. GOX. Am I the only one that sees it this way? Everybody's acting like this is all good and no problem. This is a problem and the reason why the government is trashing crypto and likely going to regulate it and at the same time ruining it by control. Seriously, c'mon.
BayAreaCoins
Legendary
Offline
Activity: 3990
Merit: 1250
Owner at AltQuick.com
March 05, 2014, 08:04:42 AM
If I owned Poloniex my first action would be to start contacting someone, PI, wallet or someone affiliated with the blockchain website to verify and freeze the wallet. Either the thief's got some balls, he's stupid or doesn't care or has no reason to do anything because it's not even him, or the Polo exchange owner isn't actively trying to obtain the stolen BTC and is concentrating more of his time on taking our funds rather than the thief's.
No freezing accounts in Bitcoin land. Best chance is trying to chase down the funds @ www.Directory.io; let us know if you come up with anything! Edit: Unless the wallet the dude stole to is under control of Poloniex (like the donation scam in the troll box, rofl.)
smoothie
Legendary
Offline
Activity: 2492
Merit: 1474
LEALANA Bitcoin Grim Reaper
March 05, 2014, 08:04:59 AM
Today, about 12.3% of the BTC on Poloniex was stolen.
How Did It Happen?
The hacker found a vulnerability in the code that takes withdrawals. Here's what happens when you place a withdrawal:
1. Input validation.
2. Your balance is checked to see if you have enough funds.
3. If you do, your balance is deducted.
4. The withdrawal is inserted into the database.
5. The confirmation email is sent.
6. After you confirm the withdrawal, the withdrawal daemon picks it up and processes the withdrawal.
The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time. This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon.
What Did Poloniex Do Wrong?
The major problem here is that the auditing and security features were not explicitly looking for negative balances. They add deposits and withdrawals and check that accounts are in balance. If you have 2 BTC, withdraw 10 BTC, and are left with -8 BTC, the software would see that you deposited 2, withdrew 10, and have exactly what you should: -8.
Another design flaw is that withdrawals should be queued at every step of the way. This could not have happened if withdrawals requests were processed sequentially instead of simultaneously.
What Did Poloniex Do Right?
The existing security features noticed unusual withdrawal activity and froze BTC. That is how the activity was discovered.
What Happens Now?
I take full responsibility for this and am committed to repaying the debt of BTC. The exchange funds are 12.3% short. Because there is not enough BTC to cover everyone's balances, all balances will temporarily be deducted by 12.3%. Please understand that this is an absolute necessity--if I did not make this adjustment, people would most likely withdraw all their BTC as soon as possible in order to make sure they weren't left in that remaining 12.3%. Aside from the obvious drawback of most of the BTC being taken out of the exchange, this would not be fair--some people would get all of their money right away, and a few would get none right away.
The amount deducted from everyone's balances will be recorded, and funds raised from exchange fees, as well as donations from my own pocket (which is not very deep, I'm afraid), will be distributed regularly to all users who have had BTC deducted. Exchange fees will be raised to expedite the recovery of the debt. 1.5% has been suggested by many people, but I will take input on this.
If I had the money to cover the entire debt right now, I would cover it in a heartbeat. I simply don't, and I can't just pull it out of thin air.
Right now, all markets and withdrawals are still frozen, and they will remain that way until the negative balance watcher is written and in place and balance deductions are calculated. Please do not bother placing withdrawals right now, as they will not be processed and will probably all be cancelled before functionality resumes. ETA on availability of withdrawals is approximately 12 hours. I am afraid it is 3 AM where I am right now, and I think it is wise for me to get some rest before proceeding.
What Will Be Done to Prevent Further Exploits?
One thing has already been done: the withdrawal daemon now checks for negative balances before processing withdrawals and will freeze any account with a negative balance. This effectively prevents the exploit from being used again, but it is only a hotfix.
The next thing that will be done--before markets are unfrozen--is a daemon will be created that continually monitors for negative balances and freezes any account with a negative balance. After that, markets can be unfrozen and withdrawals resumed. Immediately following that, a daemon that will run automated audits on every account will be created, which will alert me of any strange activity and freeze any account with an overage of a balance.
After that, withdrawals and order creation will be switched to a queued method, where the first step will be to add the task to a global execution queue that will be processed sequentially.
-----
In conclusion...
I sincerely apologize for this, and I am very grateful to the many people who have already expressed their support and belief in my character. I take full responsibility; I will be donating some of my own money, and I will not be taking profit before the debt is paid.
I welcome your opinions on how to proceed, but please be constructive. I do not have the money to wave away the debt, so we'll need to work together.
Perhaps I missed it.... how much BTC is 12.3%?
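An added illustration of the withdrawal race quoted above and of the queued/transactional fix busoni describes in his later post (this is constructed example code, not Poloniex's own). It runs three simultaneous withdrawals against a 10 BTC balance with Python's sqlite3: first with the balance check and the deduction as separate statements, then with the check folded into one conditional UPDATE inside a write transaction, and it also shows the ledger audit from the post (deposits minus withdrawals) passing on a negative balance and the "negative balance watcher" freezing the account. The schema, the user "alice" and the amounts are assumptions.

```python
import os, sqlite3, tempfile, threading

# Constructed sample schema (not Poloniex's): one balance row per user plus a
# ledger of deposits and withdrawals, as the quoted post describes the audit.
def new_db():
    path = os.path.join(tempfile.mkdtemp(), "exchange.db")
    con = sqlite3.connect(path)
    con.executescript("""
        PRAGMA journal_mode=WAL;
        CREATE TABLE balances(user TEXT PRIMARY KEY, btc REAL, frozen INTEGER DEFAULT 0);
        CREATE TABLE ledger(user TEXT, kind TEXT, btc REAL);
        INSERT INTO balances VALUES('alice', 10.0, 0);
        INSERT INTO ledger VALUES('alice', 'deposit', 10.0);""")
    con.close()
    return path

def connect(path):  # one connection per thread, autocommit (each statement commits)
    return sqlite3.connect(path, timeout=30, isolation_level=None)

def withdraw_racy(path, user, amount, barrier):
    """Steps 2-4 of the post as separate statements: check, then deduct, then insert."""
    con = connect(path)
    bal = con.execute("SELECT btc FROM balances WHERE user=?", (user,)).fetchall()[0][0]
    barrier.wait()  # every request finishes its check before any of them deducts
    if bal < amount:
        con.close()
        return False
    con.execute("UPDATE balances SET btc = btc - ? WHERE user=?", (amount, user))
    con.execute("INSERT INTO ledger VALUES(?, 'withdrawal', ?)", (user, amount))
    con.close()
    return True

def withdraw_atomic(path, user, amount, barrier):
    """Check and deduct in one conditional UPDATE inside a write transaction."""
    con = connect(path)
    barrier.wait()
    con.execute("BEGIN IMMEDIATE")  # writers serialise; later ones see the deducted balance
    cur = con.execute("UPDATE balances SET btc = btc - ? WHERE user=? AND btc >= ? AND frozen=0",
                      (amount, user, amount))
    ok = cur.rowcount == 1
    if ok:
        con.execute("INSERT INTO ledger VALUES(?, 'withdrawal', ?)", (user, amount))
    con.execute("COMMIT")
    con.close()
    return ok

def run_concurrent(fn, path, n=3, amount=10.0):
    """Fire n identical withdrawals at once; return (successes, final balance)."""
    barrier, results = threading.Barrier(n, timeout=10), [False] * n
    def worker(i):
        results[i] = fn(path, "alice", amount, barrier)
    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads: t.start()
    for t in threads: t.join()
    con = connect(path)
    bal = con.execute("SELECT btc FROM balances WHERE user='alice'").fetchall()[0][0]
    con.close()
    return sum(results), bal

def ledger_matches_balance(path, user):
    """The audit from the post: deposits minus withdrawals must equal the stored balance.
    A negative balance satisfies it, which is why the theft was not flagged."""
    con = connect(path)
    net = con.execute("SELECT SUM(CASE kind WHEN 'deposit' THEN btc ELSE -btc END) "
                      "FROM ledger WHERE user=?", (user,)).fetchall()[0][0]
    bal = con.execute("SELECT btc FROM balances WHERE user=?", (user,)).fetchall()[0][0]
    con.close()
    return abs(net - bal) < 1e-9

def freeze_negative_balances(path):
    """The 'negative balance watcher' hotfix: freeze every account below zero."""
    con = connect(path)
    con.execute("BEGIN IMMEDIATE")
    users = [r[0] for r in con.execute("SELECT user FROM balances WHERE btc < 0").fetchall()]
    con.execute("UPDATE balances SET frozen=1 WHERE btc < 0")
    con.execute("COMMIT")
    con.close()
    return users
```

With the racy flow all three requests succeed and the balance ends at -20 BTC while the ledger audit still reports the account as consistent; with the atomic flow exactly one succeeds and the balance ends at 0.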
whoracle
Newbie
Offline
Activity: 18
Merit: 0
March 05, 2014, 09:15:37 AM
Has anyone withdrawn XCPs? I receive this error: COMPLETE: ERROR, NOT SENT
and the money does not come back to my poloniex account either
Biomech
Legendary
Offline
Activity: 1372
Merit: 1022
Anarchy is not chaos.
March 05, 2014, 09:17:38 AM
Perhaps I missed it.... how much BTC is 12.3%?
According to an earlier post, approximately 50K USD.