[Payout Updates] Bitcoinica site is taken offline for security investigation

[ineededausername]

Zhou: what were buy_factor and sell_factor set to?  Were they dynamically updated based on current unhedged orders, or were they constants?

[1714854430]

1714854430

[1714854430]

1714854430

[1714854430]

1714854430

[1714854430]

1714854430

[zhoutong]

Zhou: what were buy_factor and sell_factor set to?  Were they dynamically updated based on current unhedged orders, or were they constants?

99% of the time, they are both 1.

I built this in January, when a worker server broke down and under-hedged some orders. They I can adjust the settings to smoothly acquire the under hedged Bitcoins instead of placing a big market order.

[zhoutong]

I was just looking at a piece of code for hedging and saw 3 bugs and numerous hacks to work around flaws. It doesn't surprise me that third time lucky it blows up.

class HedgingJob
...   
    confidence_level = Setting.where(:key => "confidence_level").first.value.to_f
    surplus = Setting.where(:key => "surplus").first.value.to_f
    if Setting.where(:key => "buy_factor").first
      buy_factor = Setting.where(:key => "buy_factor").first.value.to_f
      sell_factor = Setting.where(:key => "sell_factor").first.value.to_f
    else
      buy_factor = 1
      sell_factor = 1
    end

....

        price = Ticker.last_tick("BTCUSD").selling * 1.02
        response = MtGox.buy!(amount, price)
....

I know it's not world-class code, but isn't it just business logic and nothing else?

Nothing else, exactly, thats the point.

Since you posted that code, well.
Its the typical kind of code which assumes everything goes well and works as intended.

There is absolutely zero checks and precautions to protect against anything not as assumed, and moreover, that piece of code does asssume a whole pile of things. Just the thought that such code runs automatically and trades several thousands of $$ makes me feel sick...

Sorry for being so blatant

There's is only one thing outside the bot's control, that is Mt. Gox doesn't accept the orders.

In that case, the buy! call will fail the the program will be queued to retry. Nothing is changed in the database.

There are only one variable, which is the surplus. The rest are constants set by the operator.

[zhoutong]

But for sake of fairness, we should add the following:

Bitcoinica didn't break down because of its code quality. It was due to "other circumstances"

I have to admit that the code quality isn't great, especially for things that are not CRUD.

But Patrick once told me that 90% of Intersango code is business logic (such as working with banks). That relieved me a little bit.

There must be a reason that financial institutions love Java and C#. These languages are more suitable to large-scale projects.

[DILLIGAF]

There must be a reason that financial institutions love Java and C#. These languages are more suitable to large-scale projects.

They also have the backing of large companies that you can sue for billions if shit goes wrong..

[Ichthyo]

There's is only one thing outside the bot's control, that is Mt. Gox doesn't accept the orders.

In that case, the buy! call will fail the the program will be queued to retry. Nothing is changed in the database.

There are only one variable, which is the surplus. The rest are constants set by the operator.

The operator can fuck up. Settings can be misconfigured or inconsistent. The ticker can deliver poisoned values and so on...

The dangerous cases are when things don't blow up outright, but just go astray.

[Ichthyo]

There must be a reason that financial institutions love Java and C#. These languages are more suitable to large-scale projects.

They also have the backing of large companies that you can sue for billions if shit goes wrong..

Those languages are well established, which means there is a huge pool of programmers your can employ.
Another thing which probably plays some role is the fact that both languages are kind of "middle ground": not too low level, but also quite explicit and without much magic.

[zhoutong]

Even though it's someone else's intellectual property, it'll be great if I can get permission from Bitcoinica LP to open source the legacy version of Bitcoinica.

If the code is really rubbish like some Consultancy people said, they shouldn't mind sharing the rubbish. I'm very interested in sharing the code though.

[naima53]

just do not take more claims ... (I think you've already done) Continue to buy for the money customer .. 1 more ... 2 dollars up - and have enough money for that would return 100% of everything.   I am happy and I'll wait. The operation is going well. Bitcoinica save and trust  . You are doing a good job for the community. Or am I wrong?

[superfastkyle]

If a reputable person will setup a legal fund and maintain it I'm offering to donate to the cause. Even though I don't expect to ever get my couple hundred dollars back in btc. I still want to help. Actions speak way louder than words. Right now the owners of bitcoinica obviously think they can put this off indefinitely. They think we are all talk and nothing will happen to them.  How can genjix say that people who are being impatient, must be scammers. We have been patient for over a month. Am I the only one who is infuriated? I told zhoutong that something was happening the night of the attack and they couldn't get the hacker out of their system? What a fail. The hack is irrelevant now though they are just making more and more money as time goes on off our btc

edit: I just wanted to clarify I don't blame this on zhoutong, it does seem like he has been the most helpful and the most willing to try to make things right

[guruvan]

I just want to ask, Was it worth it all you short-selling bastards?

btc is up compared to where it was a month ago. Fuck short-selling! Great job bitcoinica hackers!

That is all!

Fact: Every BTC that gets shorted has to be bought back at a later time.
Fact: Every BTC that gets longed (on leverage) has to be sold back at a later time.

Bitcoinica's effect on the price is _always_ only temporary due to these simple facts.

Assuming they aren't a bucketshop that only does paper trades.

Bingo! and that's why there's been no effect until some weeks later when there's real bank runs in europe.

but then - that's probably why there isn't really enough money to cover the customers, and that's probably why it was "robbed" in the first place - but some fool will tell me I have my tinfoil hat on wrong - and that zhoutong cashing out into USD in a hurry on the forum wasn't a red flag signaling all this.

I'm sorry people but after today's conversation - I am seriously starting to wonder if there is any intention AT ALL to return the funds.

With the negative shit that phantomcircuit has spewed the whole fucking time about zhoutong this, and zhoutong that, and the tone of this conversation http://pastie.org/4096261 I'm starting to get the impression that

1. Not much chance of anyone gettting any money back but
2. badmouthing him is going to assure that you don't

I am sick and goddamn tired of phantomcircuit's bullshit intimidation tactics - but that's ok - karma has a way of fucking people who do that.

Frankly I'm sick of these assholes holding money hostage. But, what can we do - it's wrth nothing to anyone anymore - phantomcircuit & gejix have fucked their reputations on this shit, and they're not gonna have anything at all to show for it.

[guruvan]

I think only the scammers are making noise here to rush the process for their selfish gains.

this line show how wrong you are, you are keeping the ppls money and dont pay any compensation, if you compensate me with lets say 0,1-0,5% from total balance for each day that can be "fair", you keep my funds and i cant join the market, calling ppl scammers show how ignorant you are, ppl join the bitcoin thing for the profit and you dont allow ppl to make a profit

genjix That's a bunch of shit and you fucking know it- but I would expect continued attempts by you to discredit any and all claims.

[Transisto]

I think only the scammers are making noise here to rush the process for their selfish gains.

this line show how wrong you are, you are keeping the ppls money and dont pay any compensation, if you compensate me with lets say 0,1-0,5% from total balance for each day that can be "fair", you keep my funds and i cant join the market, calling ppl scammers show how ignorant you are, ppl join the bitcoin thing for the profit and you dont allow ppl to make a profit

genjix That's a bunch of shit and you fucking know it- but I would expect continued attempts by you to discredit any and all claims.

How much money have you had in there to bother us all with personal attacks ? While I agree on most of what you say, please start a new thread about it,
Sorry ,,,/not your fault/ Following this shit has gotten very tiresome.

[Phinnaeus Gage]

Person behind keyboard instead of robot, VERIFIED.

ROFL!!

Still unverified!

[ninjarobot]

Thanks for sharing the IRC chatlog Guruvan.

[14:18:38] <phantomcircuit!~phantomci@c-67-188-9-35.hsd1.ca.comcast.net> frankly if we dont fix this nobody is going to see one red cent after bankruptcy fees and liqudation fees
[14:18:41] <phantomcircuit!~phantomci@c-67-188-9-35.hsd1.ca.comcast.net> i looked it up
[14:18:53] <phantomcircuit!~phantomci@c-67-188-9-35.hsd1.ca.comcast.net> liquidation costs about a grand per creditor
[14:19:00] <phantomcircuit!~phantomci@c-67-188-9-35.hsd1.ca.comcast.net> there would literally be nothing left

Is Bitcoinica LP actively considering bankruptcy and liquidation as an option? Even though only 20% of BTC balances was stolen and all USD deposits are in tact?

Patrick, can you please share where you looked this up? Assuming Bitcoinica LP has 5500 customers, and assuming a customer is a creditor in this case then according to your estimate of a grand per creditor in liquidation fees would come up to a total of USD $5,500,000.00 - that seems a bit steep to me.

[14:29:10] <phantomcircuit!~phantomci@c-67-188-9-35.hsd1.ca.comcast.net> my best guess is it would cost about 20 grand just to file the initial complaint
[14:29:22] <phantomcircuit!~phantomci@c-67-188-9-35.hsd1.ca.comcast.net> it would cost you probably 100 grand to go to trial
[14:29:25] <phantomcircuit!~phantomci@c-67-188-9-35.hsd1.ca.comcast.net> AND YOUD LOSE
[14:29:55] <phantomcircuit!~phantomci@c-67-188-9-35.hsd1.ca.comcast.net> so no i dont think there's some mystery attorney out there waiting for file a complaint
[14:30:41] <phantomcircuit!~phantomci@c-67-188-9-35.hsd1.ca.comcast.net> oh and as soon as you filled the complaint
[14:31:01] <phantomcircuit!~phantomci@c-67-188-9-35.hsd1.ca.comcast.net> your legal costs would go through the roof as everybody simultaneously pointed at everybody else
[14:31:19] <phantomcircuit!~phantomci@c-67-188-9-35.hsd1.ca.comcast.net> so yeah i dont think anybody is even remotely stupid enough to think that's a good way to get their money back

I think only the scammers are making noise here to rush the process for their selfish gains.

Please realize you and Amir are acting as official representatives of Bitcoinica LP. Calling customers that have been waiting for over a month to get their funds back and are considering all options open to them 'scammers' and 'stupid' is not very professional.

Do you think I or many others with funds in Bitcoinica enjoy having to read up in this thread every day to see if anything meaningful has been done or said? I suggest you guys put back the support platform help.bitcoinica.com to deal with customer questions and issues since that is a separate component and much better suited for the purpose.

13 June 15:00: Initial payouts have been made to verified people for 50% of their claim.

I still have not heard a single customer publicly confirm they have received 50% of their deposits in the forum and we are now another 3 days further down the road. Until someone does I have to treat the validity of this announcement with some skepticism.

[xeerog]

Hello angry mob,

I've been silently lurking around and watching these discussions for awhile and like many of you I'm waiting for my medium-sized bitcoinica balance to be sent back.  I just want to throw a few ideas out there.

I have to point one thing out.  Bitcoinica got hacked I think twice before this last fatal blow, and despite that I decided to maintain some money in there.  In assessing the risks, the big things that stood out were that it would be hacked again in a much more serious manner (like what happened), or that there would be some sort of government action that would kill bitcoin and/or shut down bitcoinica without being able to get the money out, or that the bitcoinica operator would simply run with the money like so many others have.  Of course I wasn't hoping for those things to happen, but given where bitcoin's at, given I knew bitcoinica was run almost entirely by one guy who got hacked already, they were serious risks to consider.  I was tempted by the interest rates, and the leverage, to put much more money in, but I held back due to those risks.

Now that's no excuse, of course, for the things they've done horribly wrong.  I have my own consumer-facing services out there not related to bitcoin or any financial mechanism, and even though there's nothing remotely as valuable as a bitcoin wallet there, I put in a few days investment to have database backups at multiple sites, multiple companies, etc.  It's one of many disaster recovery techniques bitcoinica failed at horribly.  The cost/benefit of doing that is a no-brainer.  Even with no hacker, rackspace could have burned down or shut down and had the same result as what we've seen.

And obviously PR and customer service are not in the DNA of any of the parties that now seem responsible at bitcoinica at this point.  Over and over customers have asked for detailed email status updates, for example.  There are services that can send such mass emails, and they are very cheap and easy to use, and abide by the anti-spam laws by allowing people to unsubscribe etc.  The amount of cost and work to set such a thing up and push emails out daily is miniscule and would have done wonders to keep some trust in this crew.

But one thing that seems clear as that these guys are at least working hard to sort this out.  I could be putting my bitcoinica-held money to work in all kinds of ways, and I don't know if I'll ever get it back.  But given the daunting task they face, I'm really not sure what they could be doing better, in terms of processing claims.

So I have to ask -- what could they be doing better in terms of sorting out claims? Granted their communications about the process are horrific in their deficiencies, and the database loss was unforgivable...

but going forward, in terms of actually figuring out who gets what, if anything, what could they be doing differently? They are collecting passwords where they can validate em, trying to match up old records, trying to consider identification, and trying to do it for thousands(?) of users when they have a couple of people who can actually be trusted to work on it, also while they are in the middle of an operational transition of some sort that internally has seemed to have caused a big lack of agreement about who is in charge of what.

[muyuu]

Genjix is wrong by saying that ALL of the noise comes from scammers, obviously. A lot of real, honest users have been wronged by this incident so it's absolutely predictable that not all of them would stick to writing polite emails.

However, some people making noise might be expecting unreasonable compensation (like liquidation at whatever point in time suits them best, or stuff like that). And maybe also the odd scammer is making noise, too.

But saying all noise comes from scammers is definitely over the top, you should take that back Genjix.

[bulanula]

Genjix is wrong by saying that ALL of the noise comes from scammers, obviously. A lot of real, honest users have been wronged by this incident so it's absolutely predictable that not all of them would stick to writing polite emails.

However, some people making noise might be expecting unreasonable compensation (like liquidation at whatever point in time suits them best, or stuff like that). And maybe also the odd scammer is making noise, too.

But saying all noise comes from scammers is definitely over the top, you should take that back Genjix.

How to avoid scammer tag on forum after this debacle ? Claim all the people that complain ARE scammers in the first place !

Genius, I tell you !

[Phinnaeus Gage]

Genjix is wrong by saying that ALL of the noise comes from scammers, obviously. A lot of real, honest users have been wronged by this incident so it's absolutely predictable that not all of them would stick to writing polite emails.

However, some people making noise might be expecting unreasonable compensation (like liquidation at whatever point in time suits them best, or stuff like that). And maybe also the odd scammer is making noise, too.

But saying all noise comes from scammers is definitely over the top, you should take that back Genjix.

How to avoid scammer tag on forum after this debacle ? Claim all the people that complain ARE scammers in the first place !

Genius, I tell you !

Will you quit changing sides, you're confusing me. 

Seriously, this is going to take a while since they have one side who has access to the verified documents, and it's to his best interest to not show those to anybody else, coupled with claiming he won't, and another side that's verifying clients via re-supplied verified documents to match them up with...

This may take longer than I thought.

~Bruno~

[coinft]

I was just looking at a piece of code for hedging and saw 3 bugs and numerous hacks to work around flaws. It doesn't surprise me that third time lucky it blows up.

Care to point out the 3 bugs and various hacks?

I know it's not world-class code, but isn't it just business logic and nothing else?

class HedgingJob
  
  @queue = :normal
  
  def self.perform
    
    confidence_level = Setting.where(:key => "confidence_level").first.value.to_f
    surplus = Setting.where(:key => "surplus").first.value.to_f
    if Setting.where(:key => "buy_factor").first
      buy_factor = Setting.where(:key => "buy_factor").first.value.to_f
      sell_factor = Setting.where(:key => "sell_factor").first.value.to_f
    else
      buy_factor = 1
      sell_factor = 1
    end
    
    if surplus.abs > confidence_level
      amount = surplus.abs - confidence_level
      if surplus > 0
        amount *= buy_factor
        price = Ticker.last_tick("BTCUSD").selling * 1.02
        response = MtGox.buy!(amount, price)
        Setting.change_surplus(0-amount/buy_factor)
      else
        amount *= sell_factor
        price = Ticker.last_tick("BTCUSD").buying / 1.02
        response = MtGox.sell!(amount, price)
        amount = 0 - amount
        Setting.change_surplus(0-amount/sell_factor)
      end
      
      Trade.create(:amount => amount, :price => price, :response => response.to_s[0..253])
    
    end
    
    
    
  end
  
end

There's no excuse to write methods longer than 3-5 lines in ruby, and a functional style would help to understand, verify and test this much better. You should really separate the code which accesses the DB, calculates the amount to buy or sell, and executes the hedging trade with the result for better testability.

Also, unless you still own the code, posting and discussing this openly may get you into hot waters with whoever salvages the remaining pieces of bitcoinica.

-coinft.