Bitcoin Forum
Author Topic: BTC Stolen from Poloniex  (Read 167456 times)
The One (Legendary, Activity: 924, Merit: 1000)
March 05, 2014, 08:27:16 PM, #461

My interest rate is .33% per day.
rot in hell

 Huh Huh Huh

Perhaps you do not understand basic natural human right, not man-made Mickey Mouse human rights, called 'voluntary contract'.
rot in hell

Fecking socialist. Grin Grin Grin

You should try to get whatever you can instead of crying like an idiot. You always know the risks with these new exchanges and you put your money in them.


So when someone robs your bank....does the bank deduct the losses from your bank account?

Does the bank say, "You should try to get whatever you can instead of crying like an idiot. You always know the risks with these banks and you put your money in them."

Please do think on a higher level of intellect like some humans are capable of.....but I know you are not.


The One (Legendary, Activity: 924, Merit: 1000)
March 05, 2014, 08:28:42 PM, #462

How does this ever get better?
Do you think they can recover fully and grow again?

It will survive. It's a good exchange site, let down by poor programming and theft by poor solutions to the recent hack.


porqupine (Full Member, Activity: 214, Merit: 101)
March 05, 2014, 08:32:58 PM, #463

It's not good news - unfortunately, but nevertheless
+1 for being more Transparent than Major Exchanges (Bitstamp, MT. Gox, BTC-E) 
GreekBitcoin (Legendary, Activity: 1428, Merit: 1001)
March 05, 2014, 08:41:58 PM, #464

How does this ever get better?
Do you think they can recover fully and grow again?

Correct me if I am wrong, but he could just have paused trading for a day when he understood the theft, stating that the website was undergoing some major upgrades. After all, he said that Poloniex was getting bigger and bigger every day...

Then there would have been no big withdrawal, and I believe he could have earned the lost coins back in a few weeks from the fees. And no one would ever have noticed.

Instead he chose to tell all what happened, and he accepted that it is his fault and that he will pay back. +1 to him for that.

Now of course we have to wait and see if people really will get back their BTC... but personally I thought I had lost all of my Darkcoins, but I got them back just fine.

 
P.S. Of course using whichever centralized exchange has the same risks. I mean would anyone believe that MtGox will ever say that it lost 500m in bitcoins in the course of years and never realised that?
kneim (Legendary, Activity: 1666, Merit: 1000)
March 05, 2014, 09:24:35 PM, #465

Fecking socialist. Grin Grin Grin
Yes, I'm socialist, and your money will be mine, that's my basic natural human right.

Warren (Member, Activity: 112, Merit: 10)
March 05, 2014, 09:31:40 PM, #466

I am really unsettled by how the "temporary loan" was done.  I went to login to see the BTC balance down by a chunk and there is absolutely no record or email.  There is no accounting for the "loan" in any sort of format like all other accounting is done. I can see trades, open orders and withdrawals and deposits but there is no record of the amount of BTC withdrawn or its status.  Upon taking the money from user accounts there should have been a separate section added in the my balances page that showed the "loan" amount and its status as per readiness to be paid back.  So if, say, I lost a bitcoin, it would say in red something like "BTC poloniex loan: -1 btc / .12 BTC"  the "-1" being how much the site took and the ".12" is how much the site has to give back to us. Or if the balance is being added as the site makes up for it, the "BTC poloniex loan" section would have accounting for that.

In reference to the ^^^above^^^ Tristan (Busoni) already stated that he will implement this feature soon. See here: https://bitcointalk.org/index.php?topic=499580.msg5519238#msg5519238

Sorry bro; but seriously, U got leverage on us so u can do this; but, extorting that leverage is only going to hurt your business's rep in the long run. Especially if it happens again, and especially given that a lot of people in the crypto business just lost, in some cases, a fortune with Mt. GOX.

Am I the only one that sees it this way? Everybody's acting like this is all good and no problem. This is a problem and the reason why the government is trashing crypto and likely going to regulate it, and at the same time ruining it by control. Seriously, c'mon.

You are not alone. Read my post 227.

Taking 12%+ is theft, pure and simple.

Yes absolutely, your BTC was stolen!

The moment you handed over your Bitcoin for someone else to control (Poloniex) you donated your Bitcoin to that person, (in return for an IOU note) so that you could trade with it, and then it was stolen from that person by a third party. Theft, pure and simple!

Now, what are you going to do about it? Whine about it, and say that you want interest from someone who can't (or won't) pay it?

My Proposal For Moving Poloniex Forward

Poloniex has now been hacked twice in a few weeks and significant amounts of BTC and XCP were stolen during these thefts. The first time it was only partly Tristan's fault since there was a major security hole in the Counterparty protocol allowing the theft to take place. Poloniex could have had security measures in place to have prevented it though, but didn't. Now it has happened again with BTC.

It is clear to me that Tristan (and/or the programmers he currently works with) does not have the programming/security knowledge required to operate an exchange without other competent coders/security experts to help him. I hope that he is able to see this, even if it hurts on a personal level to accept it. I have employed many programmers in the past and I have often found that they are overconfident in the work they deliver, until someone more competent points out the flaws...

Having said the above I also think that Tristan has shown great honesty and integrity during this incident, (and during the XCP incident), by holding up his hand and admitting that it was his mistake that led to the exchange being hacked. He has also been very pragmatic in the way he is dealing with the problems at hand and trying to find the best solution for moving forward.

In my personal opinion I value honesty and integrity higher than technical competence when dealing with companies in the Cryptocurrency business. You can hire technically competent people, but without honesty and integrity we are always screwed in the end anyway!

Since I believe that Tristan is honest and has integrity (and is pragmatic) I also believe that Poloniex could become a huge success under his ownership, despite this unfortunate incident, but only if he deals with things the right way from here on.

From my personal experience and 25 years of business experience, if I was the owner of Poloniex this is what I would do now:

1. Post the stolen balance on each user's account so they know what is owed to them. (He has already said he will do this, before it was even suggested)

2. Post a new document on the website detailing all events regarding the hacking of the site and the resulting theft.

I mean things like:

a) The exact time the attack happened.
b) The IP address of the hacker.
c) The exact amount of BTC stolen and the address it was sent to. I know this information is floating around, but I would like to see it posted on the site from Tristan himself.
d) Any other information pertinent to the attack and outlining his proposals for how he plans to deal with the situation.
e) Link this document from the home page so that all users understand what is going on and what is being proposed and/or done.
f) Keep this document updated with new information as it is decided, rather than relying on all his users to have to go through pages and pages with posts on an external forum...

3. Calculate exactly how much BTC he will need to do all of the following (and then add an extra 15% for safety):

a) Reimburse all the stolen BTC from his customers.

b) Hire 2-3 excellent programmers/security experts to help him do an extensive review of his code and operating procedures and come up with solutions to improve the security of the site. (I would suggest trying to get people like Mike Hearn: https://bitcointalk.org/index.php?action=profile;u%3D2700 involved). Judging from some of the comments in this thread it appears as if Poloniex is making some serious mistakes when it comes to security, even in regards to the patches that are currently being implemented.

c) Set up an initial "insurance fund" of let's say 100 BTC (to start with, this will grow, see below) that is kept in cold storage and requires multisignatures to release any money from cold storage (Tristan and one more person out of two trusted individuals from the Bitcoin community).

d) Hire a security expert on an ongoing part time basis who will constantly monitor the site and look for any unusual behaviour, as well as keep himself informed of all other hacks and security breaches on other exchanges. This person will set up SMS and email alerts for him and Tristan to immediately get informed of anything suspect happening on the site, and constantly monitor and try to improve the security on the site so that Tristan can focus mainly on building the business.

4. Once he has calculated the funds required to do all of the above, (which I am guessing could be in the 200-300 BTC range), calculate what would be a reasonable percentage of the exchange for Tristan to sell in an IPO, in order for investors to get a decent ROI on their investment.

I don't think this has to be overly generous in order to be successful, assuming that Tristan can show that he is willing to build this business into something big...

Here is a sample calculation of what I mean:

a) Let's say that the average daily turnover on the exchange is currently around 500 BTC and the fees are only bringing in 30 BTC per month. The IPO document may very well state that in order for them to get a good return the exchange has to grow to 2000 BTC turnover and 120 BTC monthly income.

Let's see how an IPO where 40% of Poloniex is sold in order to raise 200 BTC could look, (assuming that investors believe the exchange can grow to 2000 BTC per month turnover, which I do):

Monthly income: 120 BTC
Monthly operational costs (with new security measures in place, Cloudflare, part time security expert, secure hosting etc.): 60 BTC/month
Monthly return to owners (including Tristan): 60 BTC, of which 40% or 24 BTC/month in this scenario goes to the investors as dividend.
Monthly dividend on a 1 BTC investment (assuming the site can grow to 2000 BTC/month turnover) would be: 0.12 BTC

It would take less than 9 months for an investor to get the entire investment back in the above scenario. If you also assume that Poloniex is still standing and successfully operating in 9 months, the value of the shares might also have increased to 1.5 BTC (or more) by that time.

5. In regards to the "insurance fund" mentioned above I suggest that this is something voluntary and only for those users who want to take part in it, since it is not a standard feature on any of the current Crypto exchanges as far as I know.

Each user of the site would have the possibility to opt-in to take part of insurance feature anytime they want to, but there would be certain conditions.

Your entire funds may not be insured for example. The total of the fund kept in cold storage will be shown on the "insurance page" and also the amount of BTC that is currently being insured with a percentage shown. So it may very well be that only 55% of your funds are currently insured, but at least then you know that even in a worst-case-scenario where Poloniex is hacked that is the maximum you could lose, quite different from MtGox for example...

There would be conditions imposed on the insured accounts and every insured user would have to follow certain security procedures in order to take part in the insurance scheme.

I mean things like the following:

a) Insured users would have to pay a 50%-100% premium on all trading fees, (0.3% instead of 0.2%).

b) Or perhaps an average of their BTC holdings would be calculated each night and a small percentage of that would be deducted as an insurance fee? This would help reduce the number of people who hold large balances on their accounts for long periods of time without trading it, which would also reduce liability for the site in case of an attack.

c) Every insured user would be required to use 2-factor authentication and a minimum 12 character password.

d) Perhaps insured users would be required to submit the IPs (or at least the IP ranges) that they wish to use to login to their accounts.

e) Whatever other security measures can be implemented to make it as secure as possible.

It is clear that after two successful attacks against Poloniex it will continue to be a prime target for hackers and thieves. Tristan needs to have security as the #1 concern for Poloniex from here on, because regardless of how honest he is and how much integrity he has, Poloniex may not survive another attack...user confidence will disappear eventually. Sad

The fact that he has been transparent and forthcoming about the mistakes and what happened, as well as pragmatic in his way of solving it, tells me that there is a good chance this could turn into a great business, but only if he takes the right steps from here and puts security at the forefront of everything from here on...

Tristan, bring in the right people to help you secure the site. You have our confidence that you are honest and trustworthy. Now show that you are also capable of admitting your own weaknesses and bring in the right people to help you.

Just imagine how good we would feel if people like Mike Hearn who said this upthread:

Quote
busoni, you need to shut down Poloniex now and try to make your users whole from your own funds and debt. Do not continue trying to run an exchange. Your post mortem indicates that you do not have sufficient programming ability to handle other people's money - no mention was even made of database transactions, which are a basic "database programming 101" topic. Your proposed fix of checking for negative balances is wrong and indicates that your code is almost certainly riddled with other exploitable bugs.

Please do the right thing and refund everyone's outstanding balances, then wind up your operation.

Imagine if he would come back after you have done the improvements to security, review the site and say something along the lines of:

Quote
"Yes, there have been some good improvements, and the site actually looks pretty secure now."


Mike is a security specialist at Google so obviously his demands for what is secure and what is not are going to be fairly high... These are the type of people you need to ask for help in securing Poloniex and making it into one of the top Cryptoexchanges.

I believe in you and I think you can do it!

Good luck! Smiley
epetroel (Sr. Member, Activity: 431, Merit: 251)
March 05, 2014, 09:35:34 PM, #467

busoni, you need to shut down Poloniex now and try to make your users whole from your own funds and debt. Do not continue trying to run an exchange. Your post mortem indicates that you do not have sufficient programming ability to handle other people's money - no mention was even made of database transactions, which are a basic "database programming 101" topic. Your proposed fix of checking for negative balances is wrong and indicates that your code is almost certainly riddled with other exploitable bugs.

Please do the right thing and refund everyone's outstanding balances, then wind up your operation.

This was my thought too.  At the risk of simplifying things too much, a fix for this might be something like (pseudo-codey):

BEGIN TRANSACTION
INSERT INTO Ledger ...
-- @amt is negative for a withdrawal; the balance check is part of the UPDATE itself
-- (>= 0 so a withdrawal of the entire balance is still allowed)
UPDATE UserBalance SET balance = balance + @amt WHERE user_id = @id AND (balance + @amt) >= 0
-- if the previous UPDATE affected no rows, the funds were not there: ROLLBACK and stop
INSERT INTO WithdrawalQueue ...
COMMIT

Bonus points if you digitally sign the records in the database with a private key known only to your application to help guard against direct database manipulation.

But as someone writing financial software, he should have known this already.  Of course it could just be an oversight on his part (everybody makes dumb mistakes sometimes), but if there are bugs like this, there are likely other data consistency bugs that can be exploited as well.
MinermanNC (Legendary, Activity: 2198, Merit: 1000)
March 05, 2014, 10:02:02 PM, #468

Wow Tristan! You made the front page headlines on Coindesk Smiley maybe not how you wanted it to be, but was well written in explaining your issue and your resolve. hang in there!

*BTC: 1DiR25SPo84sThzTATr27EZEQZLt6hv6tG
Bit_Happy (Legendary, Activity: 2114, Merit: 1040)
March 05, 2014, 10:06:29 PM, #469

Wow Tristan! You made the front page headlines on Coindesk Smiley maybe not how you wanted it to be, but was well written in explaining your issue and your resolve. hang in there!

Here is the link
http://www.coindesk.com/poloniex-loses-12-3-bitcoins-latest-bitcoin-exchange-hack/

MinermanNC (Legendary, Activity: 2198, Merit: 1000)
March 05, 2014, 10:10:26 PM, #470

busoni, you need to shut down Poloniex now and try to make your users whole from your own funds and debt. Do not continue trying to run an exchange. Your post mortem indicates that you do not have sufficient programming ability to handle other people's money - no mention was even made of database transactions, which are a basic "database programming 101" topic. Your proposed fix of checking for negative balances is wrong and indicates that your code is almost certainly riddled with other exploitable bugs.

Please do the right thing and refund everyone's outstanding balances, then wind up your operation.
Oh my gosh, what a reaming from Mike Hearn of all people! Hmmm not sure what to think. I prefer to see the site stay up and moving forward. Perhaps Mike could help fix some of the bugs. lol,

Let's face it, if exchanges were an easy hurdle to create and run without issues, everyone including myself would be doing it. I know of 5 or so that have come and gone recently or are up for sale, such as Crypto St. They had all the experts, but failed. OK, not an easy task. Follow your instincts and heart, Tristan.

MinermanNC (Legendary, Activity: 2198, Merit: 1000)
March 05, 2014, 10:11:00 PM, #471

Wow Tristan! You made the front page headlines on Coindesk Smiley maybe not how you wanted it to be, but was well written in explaining your issue and your resolve. hang in there!

Here is the link
http://www.coindesk.com/poloniex-loses-12-3-bitcoins-latest-bitcoin-exchange-hack/
oops Thanks! Smiley

so142001 (Member, Activity: 114, Merit: 11)
March 05, 2014, 10:11:42 PM, #472

Today, about 12.3% of the BTC on Poloniex was stolen.

How Did It Happen?

The hacker found a vulnerability in the code that takes withdrawals. Here's what happens when you place a withdrawal:

1. Input validation.
2. Your balance is checked to see if you have enough funds.
3. If you do, your balance is deducted.
4. The withdrawal is inserted into the database.
5. The confirmation email is sent.
6. After you confirm the withdrawal, the withdrawal daemon picks it up and processes the withdrawal.

The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time. This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon.

What Did Poloniex Do Wrong?

The major problem here is that the auditing and security features were not explicitly looking for negative balances. They add deposits and withdrawals and check that accounts are in balance. If you have 2 BTC, withdraw 10 BTC, and are left with -8 BTC, the software would see that you deposited 2, withdrew 10, and have exactly what you should: -8.

Another design flaw is that withdrawals should be queued at every step of the way. This could not have happened if withdrawal requests were processed sequentially instead of simultaneously.

What Did Poloniex Do Right?

The existing security features noticed unusual withdrawal activity and froze BTC. That is how the activity was discovered.

What Happens Now?

I take full responsibility for this and am committed to repaying the debt of BTC. The exchange funds are 12.3% short. Because there is not enough BTC to cover everyone's balances, all balances will temporarily be deducted by 12.3%. Please understand that this is an absolute necessity--if I did not make this adjustment, people would most likely withdraw all their BTC as soon as possible in order to make sure they weren't left in that remaining 12.3%. Aside from the obvious drawback of most of the BTC being taken out of the exchange, this would not be fair--some people would get all of their money right away, and a few would get none right away.

The amount deducted from everyone's balances will be recorded, and funds raised from exchange fees, as well as donations from my own pocket (which is not very deep, I'm afraid), will be distributed regularly to all users who have had BTC deducted. Exchange fees will be raised to expedite the recovery of the debt. 1.5% has been suggested by many people, but I will take input on this.

If I had the money to cover the entire debt right now, I would cover it in a heartbeat. I simply don't, and I can't just pull it out of thin air.

Right now, all markets and withdrawals are still frozen, and they will remain that way until the negative balance watcher is written and in place and balance deductions are calculated. Please do not bother placing withdrawals right now, as they will not be processed and will probably all be cancelled before functionality resumes. ETA on availability of withdrawals is approximately 12 hours. I am afraid it is 3 AM where I am right now, and I think it is wise for me to get some rest before proceeding.

What Will Be Done to Prevent Further Exploits?

One thing has already been done: the withdrawal daemon now checks for negative balances before processing withdrawals and will freeze any account with a negative balance. This effectively prevents the exploit from being used again, but it is only a hotfix.

The next thing that will be done--before markets are unfrozen--is a daemon will be created that continually monitors for negative balances and freezes any account with a negative balance. After that, markets can be unfrozen and withdrawals resumed. Immediately following that, a daemon that will run automated audits on every account will be created, which will alert me of any strange activity and freeze any account with an overage of a balance.

After that, withdrawals and order creation will be switched to a queued method, where the first step will be to add the task to a global execution queue that will be processed sequentially.

-----

In conclusion...

I sincerely apologize for this, and I am very grateful to the many people who have already expressed their support and belief in my character. I take full responsibility; I will be donating some of my own money, and I will not be taking profit before the debt is paid.

I welcome your opinions on how to proceed, but please be constructive. I do not have the money to wave away the debt, so we'll need to work together.

You should post a donation wallet address for Poloniex recovery on your original post. I'm sure there are plenty of like-minded people out there willing to help so you don't have to take on the full burden of recovery yourself. Just a thought.

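As an added example (not code from this thread, from Poloniex, or from any poster), here is the race the quoted post-mortem describes and the transactional fix epetroel sketched in #467, both run against a throwaway SQLite database with constructed data: five identical withdrawals are released at the same instant against a balance of 2, first through the separate check-then-deduct steps of the post-mortem and then through one transaction whose conditional UPDATE is the only balance check. It also shows why the reconciliation audit the post-mortem describes passes a -8 balance, and the negative-balance freeze used as the hotfix. The schema, SQLite, integer amounts and user id 1 are assumptions.

```python
import os
import sqlite3
import tempfile
import threading
from concurrent.futures import ThreadPoolExecutor

# Assumptions: SQLite, integer amounts (think satoshis) so arithmetic is exact, and a
# constructed user 1 with a constructed starting balance; not Poloniex's real schema.

def new_exchange_db(start_balance):
    """Temp SQLite file with the three tables from epetroel's sketch and one funded user."""
    path = os.path.join(tempfile.mkdtemp(), "exchange.db")
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE UserBalance(user_id INTEGER PRIMARY KEY, balance INTEGER NOT NULL);
        CREATE TABLE Ledger(id INTEGER PRIMARY KEY, user_id INTEGER, amount INTEGER);
        CREATE TABLE WithdrawalQueue(id INTEGER PRIMARY KEY, user_id INTEGER, amount INTEGER);
    """)
    con.execute("INSERT INTO UserBalance VALUES (1, ?)", (start_balance,))
    con.execute("INSERT INTO Ledger(user_id, amount) VALUES (1, ?)", (start_balance,))
    con.commit()
    con.close()
    return path

def _scalar(con, sql, params=()):
    cur = con.execute(sql, params)
    row = cur.fetchone()
    cur.close()  # finish the statement so its read lock is released at once
    return row[0]

def withdraw_check_then_act(path, user_id, amount, barrier=None):
    """Steps 2-4 of the post-mortem as separate autocommit statements: check and deduction are not atomic."""
    con = sqlite3.connect(path, timeout=30, isolation_level=None)  # autocommit
    try:
        enough = _scalar(con, "SELECT balance FROM UserBalance WHERE user_id = ?", (user_id,)) >= amount
        if barrier is not None:
            barrier.wait()  # demo only: every request finishes its check before any deducts
        if not enough:
            return False
        con.execute("UPDATE UserBalance SET balance = balance - ? WHERE user_id = ?", (amount, user_id))
        con.execute("INSERT INTO Ledger(user_id, amount) VALUES (?, ?)", (user_id, -amount))
        con.execute("INSERT INTO WithdrawalQueue(user_id, amount) VALUES (?, ?)", (user_id, amount))
        return True
    finally:
        con.close()

def withdraw_atomic(path, user_id, amount, barrier=None):
    """epetroel's shape: ledger row, conditional UPDATE and queue row in ONE transaction; no matched row, ROLLBACK."""
    con = sqlite3.connect(path, timeout=30, isolation_level=None)
    try:
        if barrier is not None:
            barrier.wait()
        con.execute("BEGIN IMMEDIATE")  # take the write lock up front; concurrent requests wait here
        try:
            con.execute("INSERT INTO Ledger(user_id, amount) VALUES (?, ?)", (user_id, -amount))
            cur = con.execute("UPDATE UserBalance SET balance = balance - ? "
                              "WHERE user_id = ? AND balance - ? >= 0", (amount, user_id, amount))
            if cur.rowcount != 1:
                con.execute("ROLLBACK")
                return False
            con.execute("INSERT INTO WithdrawalQueue(user_id, amount) VALUES (?, ?)", (user_id, amount))
            con.execute("COMMIT")
            return True
        except Exception:
            con.execute("ROLLBACK")
            raise
    finally:
        con.close()

def fire_concurrent_withdrawals(path, user_id, amount, n_requests, withdraw_fn):
    """Place n_requests identical withdrawals at once; report acceptances, balance, queue depth."""
    barrier = threading.Barrier(n_requests, timeout=30)
    with ThreadPoolExecutor(max_workers=n_requests) as pool:
        accepted = sum(pool.map(lambda _: withdraw_fn(path, user_id, amount, barrier), range(n_requests)))
    con = sqlite3.connect(path)
    try:
        return {"accepted": accepted,
                "balance": _scalar(con, "SELECT balance FROM UserBalance WHERE user_id = ?", (user_id,)),
                "queued": _scalar(con, "SELECT COUNT(*) FROM WithdrawalQueue WHERE user_id = ?", (user_id,))}
    finally:
        con.close()

def ledger_reconciles(path, user_id):
    """The post-mortem's audit (ledger total == balance): still true at -8 after 2 in and 10 out."""
    con = sqlite3.connect(path)
    try:
        total = _scalar(con, "SELECT COALESCE(SUM(amount), 0) FROM Ledger WHERE user_id = ?", (user_id,))
        return total == _scalar(con, "SELECT balance FROM UserBalance WHERE user_id = ?", (user_id,))
    finally:
        con.close()

def accounts_to_freeze(path):
    """The hotfix: accounts whose balance is below zero are frozen before the daemon pays out."""
    con = sqlite3.connect(path)
    try:
        return [uid for (uid,) in con.execute("SELECT user_id FROM UserBalance WHERE balance < 0")]
    finally:
        con.close()
```

With the check-then-act path the five requests all land (balance -8, five queued, ledger still reconciling); with the single-transaction path exactly one lands and the rest roll back.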
luigi1111 (Legendary, Activity: 1105, Merit: 1000)
March 05, 2014, 10:15:31 PM, #473

My interest rate is .33% per day.
rot in hell

 Huh Huh Huh

Perhaps you do not understand basic natural human right, not man-made Mickey Mouse human rights, called 'voluntary contract'.
rot in hell

Fecking socialist. Grin Grin Grin

You should try to get whatever you can instead of crying like an idiot. You always know the risks with these new exchanges and you put your money in them.


So when someone robs your bank....does the bank deduct the losses from your bank account?

Does the bank say, "You should try to get whatever you can instead of crying like an idiot. You always know the risks with these banks and you put your money in them."

Please do think on a higher level of intellect like some humans are capable of.....but I know you are not.


Why do you come off as so ignorant?
MinermanNC (Legendary, Activity: 2198, Merit: 1000)
March 05, 2014, 10:19:42 PM, #474

I am really unsettled by how the "temporary loan" was done.  I went to login to see the BTC balance down by a chunk and there is absolutely no record or email.  There is no accounting for the "loan" in any sort of format like all other accounting is done. I can see trades, open orders and withdrawals and deposits but there is no record of the amount of BTC withdrawn or its status.  Upon taking the money from user accounts there should have been a separate section added in the my balances page that showed the "loan" amount and its status as per readiness to be paid back.  So if, say, I lost a bitcoin, it would say in red something like "BTC poloniex loan: -1 btc / .12 BTC"  the "-1" being how much the site took and the ".12" is how much the site has to give back to us. Or if the balance is being added as the site makes up for it, the "BTC poloniex loan" section would have accounting for that.

In reference to the ^^^above^^^ Tristan (Busoni) already stated that he will implement this feature soon. See here: https://bitcointalk.org/index.php?topic=499580.msg5519238#msg5519238

Sorry bro; but seriously, U got leverage on us so u can do this; but, extorting that leverage is only going to hurt your business's rep in the long run. Especially if it happens again, and especially given that a lot of people in the crypto business just lost, in some cases, a fortune with Mt. GOX.

Am I the only one that sees it this way? Everybody's acting like this is all good and no problem. This is a problem and the reason why the government is trashing crypto and likely going to regulate it, and at the same time ruining it by control. Seriously, c'mon.

You are not alone. Read my post 227.

Taking 12%+ is theft, pure and simple.

Yes absolutely, your BTC was stolen!

The moment you handed over your Bitcoin for someone else to control (Poloniex) you donated your Bitcoin to that person, (in return for an IOU note) so that you could trade with it, and then it was stolen from that person by a third party. Theft, pure and simple!

Now, what are you going to do about it? Whine about it, and say that you want interest from someone who can't (or won't) pay it?

My Proposal For Moving Poloniex Forward

Poloniex has now been hacked twice in a few weeks and significant amounts of BTC and XCP were stolen during these thefts. The first time it was only partly Tristan's fault since there was a major security hole in the Counterparty protocol allowing the theft to take place. Poloniex could have had security measures in place to have prevented it though, but didn't. Now it has happened again with BTC.

It is clear to me that Tristan (and/or the programmers he currently works with) does not have the programming/security knowledge required to operate an exchange without other competent coders/security experts to help him. I hope that he is able to see this, even if it hurts on a personal level to accept it. I have employed many programmers in the past and I have often found that they are overconfident in the work they deliver, until someone more competent points out the flaws...

Having said the above I also think that Tristan has shown great honesty and integrity during this incident, (and during the XCP incident), by holding up his hand and admitting that it was his mistake that led to the exchange being hacked. He has also been very pragmatic in the way he is dealing with the problems at hand and trying to find the best solution for moving forward.

In my personal opinion I value honesty and integrity higher than technical competence when dealing with companies in the Cryptocurrency business. You can hire technically competent people, but without honesty and integrity we are always screwed in the end anyway!

Since I believe that Tristan is honest and has integrity (and is pragmatic) I also believe that Poloniex could become a huge success under his ownership, despite this unfortunate incident, but only if he deals with things the right way from here on.

From my personal experience and 25 years of business experience, if I was the owner of Poloniex this is what I would do now:

1. Post the stolen balance on each user's account so they know what is owed to them. (He has already said he will do this, before it was even suggested)

2. Post a new document on the website detailing all events regarding the hacking of the site and the resulting theft.

I mean things like:

a) The exact time the attack happened.
b) The IP address of the hacker.
c) The exact amount of BTC stolen and the address it was sent to. I know this information is floating around, but I would like to see it posted on the site from Tristan himself.
d) Any other information pertinent to the attack and outlining his proposals for how he plans to deal with the situation.
e) Link this document from the home page so that all users understand what is going on and what is being proposed and/or done.
f) Keep this document updated with new information as it is decided, rather than relying on all his users to have to go through pages and pages with posts on an external forum...

3. Calculate exactly how much BTC he will need to do all of the following (and then add an extra 15% for safety):

a) Reimburse all the stolen BTC from his customers.

b) Hire 2-3 excellent programmers/security experts to help him do an extensive review of his code and operating procedures and come up with solutions to improve the security of the site. (I would suggest trying to get people like Mike Hearn: https://bitcointalk.org/index.php?action=profile;u%3D2700 involved). Judging from some of the comments in this thread it appears as if Poloniex is making some serious mistakes when it comes to security, even in regards to the patches that are currently being implemented.

c) Set up an initial "insurance fund" of let's say 100 BTC (to start with, this will grow, see below) that is kept in cold storage and requires multisignatures to release any money from cold storage (Tristan and one more person out of two trusted individuals from the Bitcoin community).

d) Hire a security expert on an ongoing part time basis who will constantly monitor the site and look for any unusual behaviour, as well as keep himself informed of all other hacks and security breaches on other exchanges. This person will set up SMS and email alerts for him and Tristan to immediately get informed of anything suspect happening on the site, and constantly monitor and try to improve the security on the site so that Tristan can focus mainly on building the business.

4. Once he has calculated the funds required to do all of the above, (which I am guessing could be in the 200-300 BTC range), calculate what would be a reasonable percentage of the exchange for Tristan to sell in an IPO, in order for investors to get a decent ROI on their investment.

I don't think this has to be overly generous in order to be successful, assuming that Tristan can show that he is willing to build this business into something big...

Here is a sample calculation of what I mean:

a) Let's say that the average daily turnover on the exchange is currently around 500 BTC and the fees are only bringing in 30 BTC per month. The IPO document may very well state that in order for them to get a good return the exchange has to grow to 2000 BTC turnover and 120 BTC monthly income.

Let's see how an IPO where 40% of Poloniex is sold in order to raise 200 BTC could look, (assuming that investors believe the exchange can grow to 2000 BTC per month turnover, which I do):

Monthly income: 120 BTC
Monthly operational costs (with new security measures in place, Cloudflare, part time security expert, secure hosting etc.): 60 BTC/month
Monthly return to owners (including Tristan): 60 BTC, of which 40% or 24 BTC/month in this scenario goes to the investors as dividend.
Monthly dividend on a 1 BTC investment (assuming the site can grow to 2000 BTC/month turnover) would be: 0.12 BTC

It would take less than 9 months for an investor to get the entire investment back in the above scenario. If you also assume that Poloniex is still standing and successfully operating in 9 months the value of the shares might also have increased to 1,5 BTC (or more) by that time.

5. In regards to the "insurance fund" mentioned above I suggest that this is something voluntary and only for those users who want to take part in it, since it is not a standard feature on any of the current Crypto exchanges as far as I know.

Each user of the site would have the possibility to opt in to the insurance feature anytime they want to, but there would be certain conditions.

Your entire funds may not be insured for example. The total of the fund kept in cold storage will be shown on the "insurance page" and also the amount of BTC that is currently being insured with a percentage shown. So it may very well be that only 55% of your funds are currently insured, but at least then you know that even in a worst-case scenario where Poloniex is hacked that is the maximum you could lose, quite different from MtGox for example...

There would be conditions imposed on the insured accounts and every insured user would have to follow certain security procedures in order to take part in the insurance scheme.

I mean things like the following:

a) Insured users would have to pay a 50%-100% premium on all trading fees, (0,3% instead of 0,2%).

b) Or perhaps an average of their BTC holdings would be calculated each night and a small percentage of that would be deducted as an insurance fee? This would help reduce the number of people who hold large balances on their accounts for long periods of time without trading it, which would also reduce liability for the site in case of an attack.

c) Every insured user would be required to use 2-factor authentication and a minimum 12 character password.

d) Perhaps insured users would be required to submit the IPs (or at least the IP ranges) that they wish to use to login to their accounts.

e) Whatever other security measures can be implemented to make it as secure as possible.

It is clear that after two successful attacks against Poloniex it will continue to be a prime target for hackers and thieves. Tristan needs to have security as the #1 concern for Poloniex from here on, because regardless of how honest he is and how much integrity he has Poloniex may not survive another attack...user confidence will disappear eventually.

The fact that he has been transparent and forthcoming about the mistakes and what happened, as well as pragmatic in his way of solving it, tells me that there is a good chance this could turn into a great business, but only if he takes the right steps from here and puts security at the forefront of everything from here on...

Tristan, bring in the right people to help you secure the site. You have our confidence that you are honest and trustworthy. Now show that you are also capable of admitting your own weaknesses and bring in the right people to help you.

Just imagine how good we would feel if people like Mike Hearn who said this upthread:

Quote
busoni, you need to shut down Poloniex now and try to make your users whole from your own funds and debt. Do not continue trying to run an exchange. Your post mortem indicates that you do not have sufficient programming ability to handle other people's money - no mention was even made of database transactions, which are a basic "database programming 101" topic. Your proposed fix of checking for negative balances is wrong and indicates that your code is almost certainly riddled with other exploitable bugs.

Please do the right thing and refund everyone's outstanding balances, then wind up your operation.

Imagine if he came back after you have done the improvements to security, reviewed the site and said something along the lines of:

Quote
"Yes, there have been some good improvements, and the site actually looks pretty secure now."


Mike is a security specialist at Google so obviously his demands for what is secure and what is not are going to be fairly high... These are the type of people you need to ask for help in securing Poloniex and making it into one of the top crypto exchanges.

I believe in you and I think you can do it!

Good luck!
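Mike Hearn's point about database transactions and the negative-balance check, as an added example that is not code from this thread or from Poloniex: a check-then-write withdrawal beside one atomic conditional UPDATE, on a ledger constructed here with an assumed single "alice" account and made-up amounts.

```python
import sqlite3

# Constructed example ledger: one user, balance kept in integer satoshis
# (1 BTC = 100_000_000 sat) so there is no floating-point rounding.

def make_ledger(balance_sat):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE balances (user TEXT PRIMARY KEY, sat INTEGER NOT NULL)")
    conn.execute("INSERT INTO balances VALUES ('alice', ?)", (balance_sat,))
    conn.commit()
    return conn

def balance(conn, user):
    return conn.execute("SELECT sat FROM balances WHERE user = ?", (user,)).fetchone()[0]

def race_unsafe(conn, user, amounts):
    """Check-then-write withdrawal, with the interleaving that loses money made
    explicit: every concurrent request reads the balance before any of them
    has written it back, so each one passes the 'enough funds?' check."""
    seen = [balance(conn, user) for _ in amounts]   # all requests see the same balance
    paid = []
    for old, amt in zip(seen, amounts):
        if old >= amt:                              # check made on a stale value
            conn.execute("UPDATE balances SET sat = ? WHERE user = ?", (old - amt, user))
            paid.append(amt)
    conn.commit()
    return paid

def withdraw_atomic(conn, user, amount):
    """One conditional UPDATE inside one transaction: the funds check and the
    debit are a single statement, so no second request can slip in between."""
    with conn:  # commit on success, roll back on error
        cur = conn.execute(
            "UPDATE balances SET sat = sat - ? WHERE user = ? AND sat >= ?",
            (amount, user, amount),
        )
    return cur.rowcount == 1   # 0 rows touched means the withdrawal was refused

def demo():
    one_btc = 100_000_000
    unsafe = make_ledger(one_btc)
    paid = race_unsafe(unsafe, "alice", [one_btc, one_btc])
    # Two full withdrawals went out, yet the stored balance reads 0, not -1 BTC:
    # a later "is any balance negative?" sweep finds nothing wrong.
    unsafe_loss = sum(paid) - (one_btc - balance(unsafe, "alice"))

    safe = make_ledger(one_btc)
    results = [withdraw_atomic(safe, "alice", one_btc) for _ in range(2)]
    safe_loss = sum(one_btc for ok in results if ok) - (one_btc - balance(safe, "alice"))
    return paid, unsafe_loss, results, safe_loss

if __name__ == "__main__":
    print(demo())   # ([100000000, 100000000], 100000000, [True, False], 0)
```

The "loss" figures compare what was paid out against what the ledger says left the account; the unsafe path shows a 1 BTC gap that never appears as a negative balance.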

Warren, this is very good advice to Tristan. It's easy to see that you are sincere. I, like you and others, want to see him get through this. Very well written and obviously it took you some time and thought to write.

MinermanNC
Legendary
*
Offline Offline

Activity: 2198
Merit: 1000



View Profile
March 05, 2014, 10:23:14 PM
 #475

You should post a Donation wallet address for Poloniex recovery on your original post. I'm sure there are plenty of like-minded people out there willing to help so you don't have to take on the full burden of recovery yourself. Just a thought.
________________________________________________________________________________

Yes I had made mention of a donation fund to help yesterday, I thought it would work. Just be transparent with all donators. But please be sure the bugs and security holes are fixed first.


mechanikalk
Member
**
Offline Offline

Activity: 99
Merit: 91


View Profile WWW
March 05, 2014, 10:25:56 PM
 #476

Does this also apply to non-BTC balances?
tfeagle
Jr. Member
*
Offline Offline

Activity: 49
Merit: 1


View Profile
March 05, 2014, 10:36:39 PM
 #477

At the risk of being flamed into molecular ashes...

I think you are doing the right thing.  Good on you.  Couple of questions...

Are you planning to keep the exchange open just long enough to pay everyone back?  Or do you plan to continue the business indefinitely?  If the latter, do you plan for the exchange to stay within its existing niche?  Or for it to grow/evolve into something larger? 

I do think you need to retain some seriously competent human resources to upgrade your overall security, outward-facing interface(s), internal accounting & processing, etc, etc. 

I do not currently have an account with your...virtual currency entity.  VCE?  But I'm willing to open an account (and move my BtC and U$D into it) if two conditions are met.  (1) Tighten up your security and verification.  A lot.  (2) Save all the transaction data, for clients who are paying the higher fees & commissions.  After the stolen currency/funds are paid off, offer us the occasional frequent "free trade" or "half rate commission" until the higher fees & commissions are balanced out.

It should go without saying, that any sort of professional & impersonal facade...of the nature MTGOX likes (liked?) to present to clients & customers...would need to go away forever.  If you want the community to help you through this hiccup, then it's only fair to offer some sort of reward to the folks who stick by you. 

I don't know much about the personality/character of your operation.  Never had an account there.  It may be that you already have "operators standing by" who know many of your customers by name. 

The One
Legendary
*
Offline Offline

Activity: 924
Merit: 1000



View Profile
March 05, 2014, 11:19:54 PM
 #478


I think you are doing the right thing.  Good on you.

blah

blah

blah

blah

I do not currently have an account with your...virtual currency entity.  VCE?  But I'm willing to open an account


WHAT!!!


You do not even have an account, so you cannot make any judgements, especially compliments.




luigi1111
Legendary
*
Offline Offline

Activity: 1105
Merit: 1000



View Profile
March 05, 2014, 11:25:21 PM
 #479

Funny thing is, he actually can. It's called freedom of speech, and I for one believe that to be a basic human right.
The One
Legendary
*
Offline Offline

Activity: 924
Merit: 1000



View Profile
March 05, 2014, 11:46:01 PM
 #480

Nothing to do with freedom of speech... but bias. Only those who were affected by the theft can comment, others not affected can advise but not make compliments.

Freedom of speech isn't an excuse to make oneself look stupid.

