Just processed all the outstanding payments on hashbag. I had to stop the payments while I figured out how to re-balance the accounts so it would stop trying to pay more than it could. It was attempting to pay out more than possible and draining itself of funds before payments could be completed, leading to some serious issues with the wallet & affecting payments in the future.
There was a shortfall of roughly 2K SIGT which I couldn't cover, so I had to trim everyone's balances by 5% and then the payouts have worked correctly. Sorry to everyone who was affected, having all of the pool funds stolen had some serious knock-on effects to the payments system which should finally be sorted.
I've set fees on SIGT to 0% for the next week to hopefully offset some of the losses for people.
and what about the missing payouts? I had 2 transactions that never arrived to my wallet
Unfortunately I think they are just gone, I definitely sent the transactions with the wallet (the transaction ID is in the system as you can see) but they never got picked up by the blockchain for some reason or another. Of that I can't be sure, but all of those missing transactions removed the balance from my wallet, so I can't even process them again
There's apparently still 22.5K SIGT in balance in the blockchain from the old wallet, but for all of my attempts at rebuild/scanning/importing to fresh wallets etc, I can't make it spendable. If I can recover that then I can process some of the lost transactions, but since I can't see which ones failed (they all appear as sent in my wallet/system) I'll have to do it on a case by case basis, again only IF I can get that balance back. The admins in the discord have said the blockchain explorer is incorrect and my wallet is correct (there is no balance left). I hope that's not the case? Surely the blockchain explorer is correct??
The pool is now operating on a new fresh wallet so I can try to figure out what's up with the other one without affecting the pool stability.
GL convincing anyone to mine there again. Pretty ballsy.
Well sure, I could have just taken the 30K sigt I just paid out and made up some bullshit about it, at least then I'd be 30K sigt richer and I'd be able to make some money out of this rather than having all my pool fees stolen and operating at a loss. What does it take to please people I wonder?
How do we know the pool owners themselves didn't mess around to quickly siphon off funds, conveniently right before the split?
If pools were in fact hacked, there needs to be disclosure of what happened exactly and what was done to fix it, post wallets so we can check if funds are actually stuck or have been moved around elsewhere, otherwise I don't see why anyone should trust certain pools.
Not accusing anyone (as I never used either of these pools), just saying what the proper actions should be if someone wanted to redeem themselves type of thing.
Vulnerability was that 127.0.0.1 was allowed as an admin IP and somebody spoofed their IP to 127.0.0.1, accessed the consoles and sent funds using the console. Fix was to remove 127.0.0.1 as IP and disallow any kind of IP spoofing-able connections into the admin panel. The patch is in the yiimp github now. I have the IP of the attacker (who also used the same IP to attack the other pools which were affected) and the addresses were the funds were sent.
As far as it goes with the wallet, the blockchain explorer is apparently incorrect. Hashbag was mining to wallet B5fiiZkGkuoiXo6PNXotVDicSUZAG6fcfa, which still has 22.5K balance but none of that is available to the wallet. I installed a new wallet, B7y2B1Lz357byH45TnEaNGZ3BGJhQJrp6B, which is now paying out correctly. I removed some funds from the balances to allow it to pay properly. I still have 1K SIGT available in that wallet in case any more payment issues arise, but hopefully that won't happen.
