I am really unsettled by how the "temporary loan" was done. I went to login to see the BTC balance down by a chunk and there is absolutely no record or email. There is no accounting for the "loan" in any sort of format like all other accounting is done. I can see trades, open orders and withdrawals and deposits but there is no record of the amount of BTC withdrawn or its status. Upon taking the money from user accounts there should have been a separate section added in the my balances page that showed the "loan" amount and its status as per readiness to be paid back. So if, say, I lost a bitcoin, it would say in red something like "BTC poloniex loan: -1 btc / .12 BTC" the "-1" being how much the site took and the ".12" is how much the site has to give back to us. Or if the balance is being added as the site makes up for it, the "BTC poloniex loan" section would have accounting for that.
In reference to the ^^^above^^^ Tristan (Busoni) already stated that he will implement this feature soon. See here:
https://bitcointalk.org/index.php?topic=499580.msg5519238#msg5519238 Sorry bro; but seriously, U got leverage on us so u can do this; but, extorting that leverage is only going to hurt your businesses rep in the long run. Especially if it happens again and especially given that a lot of people in the crypto business just lost, in some cases, a fortune with Mt. GOX.
Am I the only one that sees it this way? Everybody's acting like this is all good and no problem. This is a problem and the reasoning why the government is trashing crypto and likley going regulate it and at the same time ruining it by control. Seriously Cmon.
You are not alone. Read my post 227.
Taking 12%+ is theft, pure and simple.
Yes absolutely, your BTC was stolen!
The moment you handed over your Bitcoin for someone else to control (Poloniex)
you donated your Bitcoin to that person, (in return for an IOU note) so that you could trade with it, and then it was stolen from that person by a third party. Theft, pure and simple!
Now, what are you going to do about it? Whine about it, and say that you want interest from someone who can't (or won't) pay it?
My Proposal For Moving Poloniex ForwardPoloniex has now been hacked twice in a few weeks and significant amounts of BTC and XCP were stolen during these thefts. The first time it was only partly Tristan's fault since there was a major security hole in the Counterparty protocol allowing the theft to take place. Poloniex could have had security measures in place to have prevented it though, but didn't. Now it has happened again with BTC.
It is clear to me that Tristan (and/or the programmers he currently works with) does not have the programming/security knowledge required to operate an exchange without other competent coders/security experts to help him. I hope that he is able to see this, even if it hurts on a personal level to accept it. I have employed many programmers in the past and I have often found that they are overconfident in the work they deliver, until someone more competent points out the flaws...
Having said the above I also think that Tristan has shown great honesty and integrity during this incident, (and during the XCP incident), by holding up his hand and admitting that it was his mistake that led to the exchange being hacked. He has also been very pragmatic in the way he is dealing with the problems at hand and trying to find the best solution for moving forward.
In my personal opinion
I value honesty and integrity higher than technical competence when dealing with companies in the Cryptocurrency business. You can hire technically competent people, but without honesty and integrity we are always screwed in the end anyway!
Since I believe that Tristan is honest and has integrity (and is pragmatic) I also believe that Poloniex could be become a huge success under his ownership, despite this unfortunate incident,
but only if he deals with things the right way from here on.From my personal experience and 25 years of business experience,
if I was the owner of Poloniex this is what I would do now:1. Post the stolen balance on each users account so they know what is owed to them. (He has already said he will do this, before it was even suggested)
2. Post a new document on the website detailing all events regarding the hacking of the site and the resulting theft.
I mean things like:
a) The exact time the attack happened.
b) The IP address of the hacker.
c) The exact amount of BTC stolen and the address it was sent to. I know this information is floating around, but I would like to see it posted on the site from Tristan himself.
d) Any other information pertinent to the attack and outlining his proposals for how he plans to deal with the situation.
e) Link this document from the home page so that all users understand what is going on and what is being proposed and/or done.
f) Keep this document updated with new information as it is decided, rather than relying on all his users to have to go through pages and pages with posts on an external forum...
3. Calculate exactly how much BTC he will need to do all of the following (and then add an extra 15% for safety):a) Reimburse all the stolen BTC from his customers. b) Hire 2-3 excellent programmers/security experts to help him do an extensive review of his code and operating procedures and come up with solutions to improve the security of the site. (I would suggest trying to get people like Mike Hearn:
https://bitcointalk.org/index.php?action=profile;u%3D2700 involved). Judging from some of the comments in this thread it appears as if Poloniex is making some serious mistakes when it comes to security, even in regards to the patches that are currently being implemented.
c) Setup an initial "
insurance fund" of let's say 100 BTC (to start with, this will grow, see below) that is kept in cold storage and requires multignatures to release any money from cold storage (Tristan and one more person out of two trusted individuals from the Bitcoin community).
d) Hire a security expert on an ongoing part time basis who will constantly monitor the site and look for any unusual behaviour, as well as keep himself informed of all other hacks and security breaches on other exchanges. This person will setup SMS and email alerts for him and Tristan to immeditaly get informed of anything suspect happening on the site, and constantly monitor and try to improve the security on the site so that Tristan can focus mainly on the building the business.
4. Once he has calculated the funds required to do all of the above, (which I am guessing could be in the 200-300 BTC range), calculate what would be a reasonable percentage of the exchange for Tristan to sell in an IPO, in order for investors to get a decent ROI on their investment.
I don't think this has to be overly generous in order to be successful, assuming that Tristan can show that he is willing to build this business into something big...
Here is a sample calculation of what I mean:a) Let's say that the average daily turnover on the exchange is currently around 500 BTC and the fees are only bringing in 30 BTC per month. The IPO document may very well state that in order for them to get a good return the exchange has to grow to 2000 BTC turnover and 120 BTC monthly income.
Let's see how an IPO where 40% of the Poloniex is sold in order to raise 200 BTC could look, (assuming that investors believe the exchange can grow to 2000 BTC per month turnover, which I do):
Monthly income: 120 BTC
Monthly operational costs (with new security measures in place, Cloudflare, part time security expert, secure hosting etc.): 60 BTC/month
Monthly return to owners (including Tristan): 60 BTC, of which 40% or 24 BTC/month in this scenario goes to the investors as dividend.
Monthly dividend on a 1 BTC investment (assuming the site can grow to 2000 BTC/month turnover) would be: 0.12 BTC
It would take less than 9 months for an investor to get the entire investment back in the above scenario. If you also assume that Poloniex is still standing and successfully operating in 9 months the value of the shares might also have increased to 1,5 BTC (or more) by that time.
5. In regards to the "
insurance fund" mentioned above I suggest that this is something volountary and only for those users who want to take part in it, since it is not a standard feature on any of the current Crypto exchanges as far as I know.
Each user of the site would have the possibility to opt-in to take part of insurance feature anytime they want to, but there would be certain conditions.
Your entire funds may not be insured for example. The total of the fund kept in cold storage will be shown on the "insurance page" and also the amount of BTC that is currently being insured with a percentage shown. So it may very well be that only 55% of your funds are currently insured, but at least then you know that even in a worst-case-scenario where Poloniex is hacked that is the maximum you could lose, quite different from MtGox for example...
There would be conditions imposed on the insured accounts and every insured user would have to follow certain security procedures in order to take part in the insurance scheme.
I mean things like the following:a) Insured users would have to pay a 50%-100% premium on all trading fees, (0,3% instead of 0,2%).
b) Or perhaps an average of their BTC holdings would be calculated each night and a small percentage of that would be deducted as an insurance fee? This would help reduce the number of people who hold large balances on their accounts for long periods of time without trading it, which would also reduce liability for the site in case of an attack.
b) Every insured user would be required to use 2-factor authentication and a minimum 12 character password.
c) Perhaps insured users would be required to submit the IPs (or at least the IP ranges) that they wish to use to login to their accounts.
d) Whatever other security measures can be implemented to make it as secure as possible.
It is clear that after two successful attacks against Poloniex it will continue to be a prime target for hackers and thieves. Tristan needs to have security as the #1 concern for Poloniex from here on, because regardless of how honest he is and how much integrity he has Polniex may not survive another attack...user confidence
will disappear eventually.
The fact that he has been transparent and forthcoming about the mistakes and what happened, as well as pragmatic in his way of solving it, tells me that there is a good chance this could turn into a great business, but
only if he takes the right steps from here
and puts security at the forefront of everything from here on...Tristan, bring in the right people to help you secure the site. You have our confidence that you are honest and trustworthy. Now show that you are also capable of admitting your own weaknesses and bring in the right people to help you.
Just imagine how good we would feel
if people like Mike Hearn who said this upthread:
busoni, you need to shut down Poloniex now and try to make your users whole from your own funds and debt. Do not continue trying to run an exchange. Your post mortem indicates that you do not have sufficient programming ability to handle other peoples money - no mention was even made of database transactions, which are a basic "database programming 101" topic. Your proposed fix of checking for negative balances is wrong and indicates that your code is almost certainly riddled with other exploitable bugs.
Please do the right thing and refund everyones outstanding balances, then wind up your operation.
Imagine if he would come back after your have done the improvements to security and reviews the site and says something along the lines of:
"Yes, there have been some good improvements, and the site actually looks pretty secure now."
Mike is a security specialist at Google so obviously his demands for what is secure and what is not are going to be fairly high... These are the type of people you need to ask for help in securing Poloniex and making it into one of the top Cryptoexchanges.
I believe in you and I think you can do it!
Good luck!
