I am increasing mine to 5% donation. Have you fixed the issue that allowed the individual to do that?
I'm pretty sure he used some kind of software or plugin to submit the post data for a manual withdrawal several times in rapid succession (all within the same second), this resulted in multiple payouts being started before the first payout was completed and his balance was reset to 0.
Automatic withdrawals are not subject to this vulnerability because they are run by the cron job. They cannot be triggered manually.
Manual Withdraws have been disabled completely. Automatic Withdraws are working normally.
I will not re-enable Manual Withdraws until I'm certain the issue has been fixed. So we are safe from this happening again, we just won't be able to do manual withdrawals until I can figure it out.
probably want to consider wrapping the process in a transaction, doing the db updates first (update balance, insert into ledger), then the coin send (if the previous sql succeeded), and if the coin send succeeds commit, otherwise rollback.
Just a suggestion.
That might still be vulnerable to the same kind of attack, I'm not sure.
What I'm thinking is I'm going to separate the actual send function from the front end completely.
Like this :
1. The user hits the withdrawal button and a flag is set in the database.
2. 1 minute later when the cron job runs again it will send the payment, adjust the balance and ledger, and reset the flag.
That way, no matter what you can't trigger multiple payments, you'd just be setting the flag over and over again. It wouldn't have any effect.
It would mean a short delay (up to 1 minute) in sending manual payments, but that's a pretty small inconvenience and it would help prevent new kinds of attacks as well.
Do you have more pools?
