Bitcoin Forum
November 09, 2024, 08:37:21 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 [38] 39 »
  Print  
Author Topic: BTC Stolen from Poloniex  (Read 167460 times)
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1079


Gerald Davis


View Profile
April 30, 2014, 03:39:20 PM
 #741

I agree - a  situation that allowed multiple threads to submit multiple deposit requests at the same time, and the withdrawal daemon not doublechecking balances before sending the funds is a born of inexperience. I guess my defense comes against all the other accusations - like not paying a "real" programmer, or the call that it's a bad exchange because of a singular, well handled issue.

Your missing the point.  There shouldn't be any double checking.  That is an idiotic (and very flawed) "solution".   This wasn't a bug in the code it was a fundamental misunderstanding of transaction processing.  This is databases 101.  The operations updating the balances should be database transactions.   It would be IMPOSSIBLE for a double payment to occur if the updates were done ATOMICALLY.  http://en.wikipedia.org/wiki/Atomicity_(database_systems)

It is a basic cornerstone of data integrity.  The language, application, or actual code used is irrelevant.  This is something taught at the freshman level in computer science curriculum.  That fact that this seems to come as news to your (or you think the solution is some flawed double checking system) is scary as you are also running an exchange.
allcrypt
Sr. Member
****
Offline Offline

Activity: 350
Merit: 250


View Profile WWW
April 30, 2014, 06:18:19 PM
 #742

I agree - a  situation that allowed multiple threads to submit multiple deposit requests at the same time, and the withdrawal daemon not doublechecking balances before sending the funds is a born of inexperience. I guess my defense comes against all the other accusations - like not paying a "real" programmer, or the call that it's a bad exchange because of a singular, well handled issue.

Your missing the point.  There shouldn't be any double checking.  That is an idiotic (and very flawed) "solution".   This wasn't a bug in the code it was a fundamental misunderstanding of transaction processing.  This is databases 101.  The operations updating the balances should be database transactions.   It would be IMPOSSIBLE for a double payment to occur if the updates were done ATOMICALLY.  http://en.wikipedia.org/wiki/Atomicity_(database_systems)

It is a basic cornerstone of data integrity.  The language, application, or actual code used is irrelevant.  This is something taught at the freshman level in computer science curriculum.  That fact that this seems to come as news to your (or you think the solution is some flawed double checking system) is scary as you are also running an exchange.

So, double checking, to be doubly, quadruply sure, is a flawed idea?

So, do it "right" and then assume that NOTHING ELSE COULD EVER POSSIBLY GO WRONG, and there's no need to double check, because you did it the right way, and it's utterly impossible that anything could be flawed?

Thats thinking is just AS wrong.

Edit: As a side note, all our database operations are transactional. THAT BEING SAID, we also doublecheck at EVERY point of possible failure to ensure that JUST IN CASE, nothing bad happens.

For you to dismiss my argument because they should have been doing what you argue is asinine. Doing single threaded database transactions is absolutely zero guarantee that something can't break.

You double check. Always.

AllCrypt.com - Your new CryptoCurrency Exchange Now Open! www.AllCrypt.com
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1079


Gerald Davis


View Profile
April 30, 2014, 09:54:50 PM
Last edit: June 02, 2014, 08:03:00 PM by DeathAndTaxes
 #743

Database operations involving financial data should be atomic.  If you have implicit atomic operation that are not atomic, you have a lot bigger problems and your dubious "double check" is unlikely to catch them either.  


Do you double check all your math operations as well I mean they might not be right as well?

x= x +5

vs
y = x
y = y +5
assert (y = x + 5)
x = y

my guess is you don't do such silly and worthless double checks because it would be pointless.  If the processor is setting x to anything other than five more than its existing value then well your "double check" is affected as well.  Writing checks to protect yourself from that kind of failure serves no purpose.  When your users login do you hash their password and if it matches then check again?  What if the deterministic computer made a mistake and the password was wrong but it returned true?  Maybe you should do it three times just to "super duper" make sure?

No you perform the operation once and you (should) check once and validate those operations using unit tests.  You use code coverage tools to ensure you are covering all scenarios. If you find bugs then you add unit and integration tests to cover those conditions as well.
Writing code that requires "double checks" is insecure code.  I guarantee your bank doesn't do such nonsense. Please cite a single reputable advising to "double check" atomic operations.

However all that is side tangent to the fact that the site was "hacked" (if you call someone asking for money more than once and getting it a "hack") because FINANCIAL TRANSACTIONS WERE NOT ATOMIC.  The issue wasn't that the double checks weren't "good enough" it was because the site didn't use atomic operations to begin with.  If the site had better "double checks" then it is possible they would have avoided that attack and just fallen for another one.  That is a fundamental flaw, it isn't a bug in the code it is a conceptual problem.   It would be like building a car with no brakes and saying if the person wants to stop they will just take their foot off the gas (as far in advance as necessary).   A car like that wouldn't be one which has some technical issues to work out, it would be fundamentally flawed.  Then you have someone like yourself come along and say it isn't a fundamental flaw, just a bug in development.  Obviously the answer is to make sure the dashboard has a warning light so the user can double check if they should stop accelerating before they end up in a situation where they can't stop in time.  Of course that scenario is just stupid as is a scenario where you use double checks instead of atomic operations to handle money.

Quote
You double check. Always.
Do you think your Bitcoin wallet performs double checks?  Create the tx, then create it again just to be sure it isn't different and if tx1 == tx2 then you are safe?  Why not?  Do you feel it is insecure that it instead relies on atomic operations instead of pointless double checks?

Quote
So, double checking, to be doubly, quadruply sure, is a flawed idea?
There is no such thing as "doubly sure".  You are either right or you are wrong.   A single deterministic check is as good as it gets.  If your check was deterministic then you don't need to double check and if it wasn't then it is a flaw and should be fixed rather than relying on a second (possibly also non-deterministic) check.


allcrypt
Sr. Member
****
Offline Offline

Activity: 350
Merit: 250


View Profile WWW
April 30, 2014, 10:15:40 PM
 #744

No, because none of your arguments make any sense for how an exchange works. You're telling them, and I, that we have no idea how to run an exchange, when you've obviously no idea how they work. You're using hyperbole and silly arguments to try and prove me wrong, and at this point, it's clear that you know you're right even though you obviously don't fully understand how these systems work, and not a damn thing I say will convince you otherwise.

A debate or discussion with someone who is not interested in anything but proving they are right is one not worth having. So, I'm out. Gotta go remove all those silly and unnecessary checkpoints from the code.

AllCrypt.com - Your new CryptoCurrency Exchange Now Open! www.AllCrypt.com
Biomech
Legendary
*
Offline Offline

Activity: 1372
Merit: 1022


Anarchy is not chaos.


View Profile
May 01, 2014, 02:10:48 AM
 #745

That being said - they were the first exchange to have an issue and immediately be not only transparent about it, but also to give the details
This is good, HOWEVER he also received strong warnings from several respected members, pointing out how he was clearly clueless about what he was doing, and he completely ignored them.
Even if he's not actively scamming you, he'll most likely be brought down by "the next big break". It's only a matter of time.


That's hearsay unless you can provide links to comments. Anyone can claim "he was warned!" Just to make him look bad. But that's disingenuous without links to back that up. He cannot disprove a negative. It's on you to show that it happened.

I'm a customer, after the hack, and while I think the interface is ugly, I've had no problems. After the hack, he was warned in this thread about some of his practices and (lack of) knowledge. While I do not think he publicly stated one way or the other if he was hiring programmers, I doubt that he ignored the people who spoke with him on the issue. I don't see it as a huge issue, as long as he HAS implemented better security. That being said, I never leave much in an exchange unless I'm actively trading. It just seems unwise.
nutildah
Legendary
*
Offline Offline

Activity: 3164
Merit: 8565


Happy 10th Birthday to Dogeparty!


View Profile WWW
May 02, 2014, 01:47:16 AM
 #746


I didn't read the 35 middle pages of this thread but have you guys done much exploration of what kinds of transactions the thief address leads to??? He gave a lot of this money to an account that has over $150 million worth of transactions in it!!

Address    1N2f642sbgCMbNtXFajz9XDACDFnFzdXzV

Are they some sort of underground criminal enterprise or something? Dr. Evil would be quite jealous... I hope the feds find this information and bust their stupid asses. Yes, if you make the world a stupider place for a living, you are stupid. It doesn't matter how much money it nets you, you're an idiot.

In case you're wondering if I'm a noob:

<------------ its right under my name.

▄▄███████▄▄
▄██████████████▄
▄██████████████████▄
▄████▀▀▀▀███▀▀▀▀█████▄
▄█████████████▄█▀████▄
███████████▄███████████
██████████▄█▀███████████
██████████▀████████████
▀█████▄█▀█████████████▀
▀████▄▄▄▄███▄▄▄▄████▀
▀██████████████████▀
▀███████████████▀
▀▀███████▀▀
.
 MΞTAWIN  THE FIRST WEB3 CASINO   
.
.. PLAY NOW ..
counter
Hero Member
*****
Offline Offline

Activity: 798
Merit: 500


Time is on our side, yes it is!


View Profile
May 02, 2014, 01:56:05 AM
 #747

Well with the large amount of coins going missing these days it wouldn't surprise me if there was an elite group of scammers pulling off these heists.
barryzand
Hero Member
*****
Offline Offline

Activity: 574
Merit: 500


Growcoin Chief


View Profile
May 02, 2014, 08:15:39 PM
 #748

POLONIEX is attacked NOW !!!!!!!!!!!!!!!!!!!!


BTC BASTARDS I WILL KILL YOU

yeah, where the hell is the website ?


EDIT:

Quote
Poloniex Exchange ‏@Poloniex  1 hour
Site is down. Working on it.
koshgel
Legendary
*
Offline Offline

Activity: 1162
Merit: 1001


View Profile
May 02, 2014, 09:12:58 PM
 #749

Is there an ETA for how long it will be down?
altcoinherald
Full Member
***
Offline Offline

Activity: 126
Merit: 100


View Profile WWW
May 02, 2014, 10:36:58 PM
 #750

Is there an ETA for how long it will be down?

According to chat room gossip the ETA is unknown.  Grin
DubFX
Sr. Member
****
Offline Offline

Activity: 434
Merit: 250


View Profile
May 03, 2014, 01:25:18 AM
 #751

Is there an ETA for how long it will be down?
Hopefully soon...was it ddos or what?
koshgel
Legendary
*
Offline Offline

Activity: 1162
Merit: 1001


View Profile
May 03, 2014, 02:17:58 AM
 #752

Is there an ETA for how long it will be down?
Hopefully soon...was it ddos or what?

No idea. Seems it's for maintenance but its been awhile
madmartyk
Legendary
*
Offline Offline

Activity: 2702
Merit: 1030


Yes I am a pirate, 300 years too late!


View Profile
May 03, 2014, 02:19:01 AM
 #753

Crap, sent come altcoins there before I knew it was down.  Hope they make it and are safe!!

digit
Legendary
*
Offline Offline

Activity: 1672
Merit: 1014



View Profile WWW
May 03, 2014, 04:15:34 AM
 #754

no exchange should go offline like this using maintenance as a reason :\

Stay Safe and use NO KYC exchanges ■ Craig Wright is NOT Satoshi  ■
BTC:1DigitwteXwFcRAaWpVDRp6eKqzC6y9tgm ■ ŁTC:LKMcEHoFWHAUoRscqW1cwjhLgFrk7MgCWU ■ Coinkit:digit ■ §digit
nutildah
Legendary
*
Offline Offline

Activity: 3164
Merit: 8565


Happy 10th Birthday to Dogeparty!


View Profile WWW
May 03, 2014, 04:19:38 AM
 #755

https://bitcointalk.org/index.php?topic=420836.msg6515293#msg6515293


▄▄███████▄▄
▄██████████████▄
▄██████████████████▄
▄████▀▀▀▀███▀▀▀▀█████▄
▄█████████████▄█▀████▄
███████████▄███████████
██████████▄█▀███████████
██████████▀████████████
▀█████▄█▀█████████████▀
▀████▄▄▄▄███▄▄▄▄████▀
▀██████████████████▀
▀███████████████▀
▀▀███████▀▀
.
 MΞTAWIN  THE FIRST WEB3 CASINO   
.
.. PLAY NOW ..
TotalPanda
Legendary
*
Offline Offline

Activity: 1946
Merit: 1012

vertex output parameter not completely initialized


View Profile
May 03, 2014, 10:19:02 AM
 #756

POLONIEX is attacked NOW !!!!!!!!!!!!!!!!!!!!


BTC BASTARDS I WILL KILL YOU

yeah, where the hell is the website ?


EDIT:

Quote
Poloniex Exchange ‏@Poloniex  1 hour
Site is down. Working on it.

I WAS DRUNK  Roll Eyes
wealthy$
Full Member
***
Offline Offline

Activity: 182
Merit: 100


View Profile
June 02, 2014, 07:09:22 PM
 #757

i really hope they come up soon, i have a lot of coins with them. Sad

DolanDuck
Full Member
***
Offline Offline

Activity: 196
Merit: 101


View Profile
June 02, 2014, 07:18:37 PM
 #758

i really hope they come up soon, i have a lot of coins with them. Sad

Have you really tried to enter the website?
I can access it without any issue since this morning.

▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
PRIMEDICE
The Premier Bitcoin Gambling Experience @PrimeDice
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
daibasen
Newbie
*
Offline Offline

Activity: 30
Merit: 0


View Profile
June 27, 2014, 04:35:11 AM
 #759

What's the status with the stolen BTC from Poloniex?
Has everyone been fully reimbursed yet?
KimNam
Hero Member
*****
Offline Offline

Activity: 644
Merit: 500



View Profile
June 27, 2014, 08:07:45 AM
 #760

What's the status with the stolen BTC from Poloniex?
Has everyone been fully reimbursed yet?
I thought they paid all of their debt to customer
that's why we don't see debt coin statistic in our poloniex balance
just to make sure, ask here : https://bitcointalk.org/index.php?topic=420836.0
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 [38] 39 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!