Topic: [ANN][XCP] Counterparty - Pioneering Peer-to-Peer Finance - Official Thread - page 457. (Read 1276916 times)

full member
Activity: 216
Merit: 100
The Counterparty team would like to show its appreciation for how professionally busoni has handled everything in the past few days. Accordingly, we’ll be donating the 12 BTC that we set aside to give to the attacker instead to Poloniex, to help busoni recoup the funds that users have lost because of this vulnerability in the code, which he was indeed the first to report to us. We encourage the rest of the Counterparty community to help support this exchange, the first centralised exchange to support trading XCP and BTC. Again, all donations should be directed to <15buRLRW47AY9Md3mpFj17Yp6w4BtfMRjc>.
legendary
Activity: 1120
Merit: 1000
I see some people are still under the mistaken impression that Poloniex was hacked, and that the recent problems were the result of our presence on a centralized exchange. This is not true. The critical flaw was in the PROTOCOL itself. The attacker simply used the exchange as a convenient vector through which to execute his attack.
full member
Activity: 140
Merit: 100

Can somebody from XCP please confirm which of the following statements is true (sparing technical details):

a) Poloniex's server or system was compromised by a malicious attacker who withdrew a large amount of bitcoin
b) Poloniex was running on an XCP chain which was incorrect, and somebody has (legitimately or maliciously) moved XCP to poloniex to sell for BTC, which they have then withdrawn.

Thanks.

sorry to repeat, but as the dev of another currency who is partially responsible for 50-100 btc of coin on poloniex, and 50+ btc there too, I would appreciate an answer.

Poloniex / Tristan seems very decent to me so far, but clarification on the above would really help me move forwards with full confidence.

Here is the chronology of the events as I remember. This might be inaccurate. A dev or busoni might correct any inaccuracy.

a) a bug in the XCP protocol allowed a hacker to maliciously withdraw 35k XCP from Poloniex hot wallet to one of his addresses
b) he deposited those 35k XCP immediately after on his Poloniex trading account
c) he sold those 35k XCP on the market for approx X BTC (150?)
d) he withdrew X-35 BTC to one of his addresses, leaving 35 BTC behind
e) he stole again 35k XCP (that he had just sold) to one of his addresses with a malicious transaction
f) Poloniex XCP/BTC pair was shut down, and the bug was corrected in a matter of hours. Both malicious transactions were invalidated (and not reversed) by the fixed protocol
g) Later, busoni reverted the transactions of the dump (leaving a 0 XCP balance for the buyers)


Dev or busoni / PM me if something is wrong so I can edit/ delete some parts

Thank you, that's more than enough to warrant my confidence personally and professionally in Tristan / Poloniex.

Much appreciated.
hero member
Activity: 672
Merit: 500

Can somebody from XCP please confirm which of the following statements is true (sparing technical details):

a) Poloniex's server or system was compromised by a malicious attacker who withdrew a large amount of bitcoin
b) Poloniex was running on an XCP chain which was incorrect, and somebody has (legitimately or maliciously) moved XCP to poloniex to sell for BTC, which they have then withdrawn.

Thanks.

sorry to repeat, but as the dev of another currency who is partially responsible for 50-100 btc of coin on poloniex, and 50+ btc there too, I would appreciate an answer.

Poloniex / Tristan seems very decent to me so far, but clarification on the above would really help me move forwards with full confidence.

Here is the chronology of the events as I remember. This might be inaccurate. A dev or busoni might correct any inaccuracy.

a) a bug in the XCP protocol allowed a hacker to maliciously withdraw 35k XCP from Poloniex hot wallet to one of his addresses
b) he deposited those 35k XCP immediately after on his Poloniex trading account
c) he sold those 35k XCP on the market for approx X BTC (150?)
d) he withdrew X-35 BTC to one of his addresses, leaving 35 BTC behind
e) he stole again 35k XCP (that he had just sold) to one of his addresses with a malicious transaction
f) Poloniex XCP/BTC pair was shut down, and the bug was corrected in a matter of hours. Both malicious transactions were invalidated (and not reversed) by the fixed protocol
g) Later, busoni reverted the transactions of the dump (leaving a 0 XCP balance for the buyers)


Dev or busoni / PM me if something is wrong so I can edit/ delete some parts
sr. member
Activity: 441
Merit: 250
thx for your reply. I would do that but I would prefer to have the option to send amounts to exchanges / forum buyers for trading as well... which would be the way to go here? I installed the client from xnova from his github but that doesn't work (see above). I would go with the client from Jahbit but don't know if this is safe in terms of the bug... that probably are stupid questions. I just don't have the time to go through the whole thread...

Honestly easiest right now is to send the donation via Jimhsu, and then you can figure out the web wallet / GUI once you have more time.  These products are both brand new in last few days and so I might suggest you wait a few weeks until they are bug tested and hardened before you hold your XCP in them.

being able to trade and donating are equally important to me right now. So would be nice if someone could help to answer the questions I put up (is the Jahbit client safe in terms of the bug and is this the easiest way to send xcp?). thx!
full member
Activity: 140
Merit: 100

Can somebody from XCP please confirm which of the following statements is true (sparing technical details):

a) Poloniex's server or system was compromised by a malicious attacker who withdrew a large amount of bitcoin
b) Poloniex was running on an XCP chain which was incorrect, and somebody has (legitimately or maliciously) moved XCP to poloniex to sell for BTC, which they have then withdrawn.

Thanks.

sorry to repeat, but as the dev of another currency who is partially responsible for 50-100 btc of coin on poloniex, and 50+ btc there too, I would appreciate an answer.

Poloniex / Tristan seems very decent to me so far, but clarification on the above would really help me move forwards with full confidence.
newbie
Activity: 37
Merit: 0
Update.

First of all, one reason resuming XCP has been further delayed is that there was another required update that initiated a block chain resync. Resyncing takes about a day, and worse than that, the developers still haven't fixed the "busy error" issue, and I forgot to install my little patch for it after upgrading, so counterpartyd crashed last night. Right now, it is about 3,000 blocks behind. Once it finishes syncing, I will put XCP back up.

Next. The developers brought to my attention that people are still under the impression that the number of missing BTC is 80. This is entirely my fault, as that is the preliminary estimate I gave, and I never updated people after I did the calculations and rolled back the trades. The actual number of missing BTC is 115 -- 150 minus the 35 the hacker left in his account. I can provide the data on this if people want -- the list of trades and withdrawals made by the hacker.

The hacker has not responded for about two days. He still hasn't moved the BTC he took and may still have good intentions, but for now, we're going to have to assume it is lost so we can move on. The amount of BTC owed to people is recorded, and I will pay it off gradually, starting with the 35 BTC left behind by the hacker.

Once the block chain is done syncing, the BTC/XCP market will be resumed, as will deposits and withdrawals.

what's the btc address of the hacker to which 115 btcs went?
member
Activity: 82
Merit: 10
thx for your reply. I would do that but I would prefer to have the option to send amounts to exchanges / forum buyers for trading as well... which would be the way to go here? I installed the client from xnova from his github but that doesn't work (see above). I would go with the client from Jahbit but don't know if this is safe in terms of the bug... that probably are stupid questions. I just don't have the time to go through the whole thread...

Honestly easiest right now is to send the donation via Jimhsu, and then you can figure out the web wallet / GUI once you have more time.  These products are both brand new in last few days and so I might suggest you wait a few weeks until they are bug tested and hardened before you hold your XCP in them.
newbie
Activity: 48
Merit: 0
hello xcp community,


firstly, i would like to thank the developers for the excellent work that they are doing.

i think that this project is the most advanced of all present crypto related initiatives. furthermore, i think that the way the developers are functioning, both professionally and in their fairness is admirable.

i am happy to hear that funds are being raised for the security of the system and this is why i contribute 0.1 BTC - a sum that i believe is supplementary to the 2 BTC i burned initially.

i believe that in the future a further investment will be required from the community and i will be there to do my part.

I have donated some BTC today. All members in the Counterparty community should act now. Donate! Donate!
+1
sr. member
Activity: 441
Merit: 250
thx for your reply. I would do that but I would prefer to have the option to send amounts to exchanges / forum buyers for trading as well... which would be the way to go here? I installed the client from xnova from his github but that doesn't work (see above). I would go with the client from Jahbit but don't know if this is safe in terms of the bug... that probably are stupid questions. I just don't have the time to go through the whole thread...
member
Activity: 82
Merit: 10
...the quicker we can move on the less it leaves a negative impression...
I would donate too. I could only donate xcp though. If that is possible as well.
Can someone tell me what the easiest way is to be able to send xcp / install a wallet that has the bug fixed?
And I asked this before: with the GUI client from JahBit... (the one from xnova just opens a terminal window and closes right after that) is the bug fix built in? I assume so... but just to make sure.


Thanks for chipping in delulo!  Way to go mate!

Easiest way is to search this list for Jimhsu.  You can send him your private keys and he will help you deposit XCP into the Bug Bounty Program, and he will send the balance back to a 2nd wallet for which you only give him the public keys.  He will also post to this list verifying that you have completed the donation which is good for community spirit!
sr. member
Activity: 441
Merit: 250
...the quicker we can move on the less it leaves a negative impression...
I would donate too. I could only donate xcp though. If that is possible as well.
Can someone tell me what the easiest way is to be able to send xcp / install a wallet that has the bug fixed?
And I asked this before: with the GUI client from JahBit... (the one from xnova just opens a terminal window and closes right after that) is the bug fix built in? I assume so... but just to make sure.
member
Activity: 82
Merit: 10

All Poloniex earnings from XCP trading should also go into the donation pot.

I wouldn’t encourage the exchange to open for XCP again for a few weeks to give the bug bounty time.

Also Poloniex should put some of its own funds to the donation pot, due to the lack of security behind the withdrawal, that allowed all BTC to be removed.


+1

Jayso043 some very clever and practical ideas.  Please keep posting!  

The idea of leaving the exchange offline until the Bug Bounty program starts to kick-in is an excellent one, so that Busoni doesn't end up bearing all of the costs.
Busoni, would it make sense from your standpoint to openly publish a target of, say [2,500] XCP in the Bug Bounty account, before you bring the exchange back online? Devs does this make sense?

Then, once the exchange does go back on, from a "good hygiene" perspective yes maybe cleanest, fairest, most transparent way for Busoni to aggregate the 2.5% trading fees is by sending these surpluses to the Bug Bounty address, say, each [week], so that as a community we can follow the progress.

Also, while Busoni has endured enormous personal opportunity cost, I also agree that it would be a positive and meaningful display of his long-term commitment and good faith if he could donate a symbolic amount to the Bug Bounty address as soon as possible.  Busoni, do you think that would be doable?
full member
Activity: 140
Merit: 100

Can somebody from XCP please confirm which of the following statements is true (sparing technical details):

a) Poloniex's server or system was compromised by a malicious attacker who withdrew a large amount of bitcoin
b) Poloniex was running on an XCP chain which was incorrect, and somebody has (legitimately or maliciously) moved XCP to poloniex to sell for BTC, which they have then withdrawn.

Thanks.
member
Activity: 82
Merit: 10
you guys all need to chill out.

exchanges charge fees and those fees should cover insurance and security costs such as this.  again assuming there is some level of sophistication in the operations.

the exchange can easily make up the amounts in fees over the course of a few weeks, maybe a couple months at most.

or the exchange can release some bond or stock on XCP and give holders a portion of their future profits to raise the 80 btc and 6100 xcp to cover their obligation.



cannot agree more with the entire post

I think I'll donate some xcp for the poloniex fund, even though I am not directly affected. But Poloniex took the risk as an entrepreneur to take xcp and earned and hopefully will earn money with xcp. The customers also knew that it is alpha software and that something like that could happen.

Do not get me wrong I am totally fine with fundraising, but I do not think it is our obligation to bail-out poloniex. Especially the 80 btc which were withdrawn without a second security check are hard for me to understand. I think Busoni could offer a solution like the one suggested by prophetx for the customers.

Anyway I'll donate 10 XCP for your fund this afternoon, not because it is our obligation to bail you out, but because you took the risk and seem to be behind the project.

+1

I agree that an IOU from Poloniex to each aggrieved party would create some near term stability, maybe this could initially take the form of a public statement of commitment from Busoni.  Could you do this Busoni?  

Most likely you can recover the full amount over the next 45 days by implementing a 2.5% trading fee on Poloniex.

We are all behind you!

newbie
Activity: 18
Merit: 0
The rollback of the invalid transactions (that the hacker used) keeps the integrity for the protocol. The integrity of the protocol means a loss for the new XCP buyers on poloniex, who I could call the new community, assuming they were not involved in the initial burn.

The new community now have zero XCP & BTC, it reflects badly on XCP. We need to raise the XCP between us, rather than expecting Poloniex/busoni to gradually pay back the BTC. I am sure the new community would be happy with the XCP (keep those trades valid).

I look forward to the lottery to encourage donations.
All Poloniex earnings from XCP trading should also go into the donation pot.
Also Poloniex should put some of its own funds to the donation pot, due to the lack of security behind the withdrawal, that allowed all BTC to be removed.

It’s in the burned XCP holders' interests to donate.

I wouldn’t encourage the exchange to open for XCP again for a few weeks to give the bug bounty time.

sr. member
Activity: 476
Merit: 300
Counterparty Chief Scientist and Co-Founder
First of all, one reason resuming XCP has been further delayed is that there was another required update that initiated a block chain resync. Resyncing takes about a day, and worse than that, the developers still haven't fixed the "busy error" issue, and I forgot to install my little patch for it after upgrading, so counterpartyd crashed last night. Right now, it is about 3,000 blocks behind. Once it finishes syncing, I will put XCP back up.

Ach, sorry about that! PM me with the details of the crash and your patch (I can't find where you originally reported that bug), and I'll fix the issue right away.
member
Activity: 93
Merit: 10
Busoni, how do you get up to 150BTC???
The hacker maliciously sold 35,000XCP for 0.002 each. It's 70BTC. I don't understand how you missed 80 and now 115 BTC.
sr. member
Activity: 602
Merit: 252
Update.

First of all, one reason resuming XCP has been further delayed is that there was another required update that initiated a block chain resync. Resyncing takes about a day, and worse than that, the developers still haven't fixed the "busy error" issue, and I forgot to install my little patch for it after upgrading, so counterpartyd crashed last night. Right now, it is about 3,000 blocks behind. Once it finishes syncing, I will put XCP back up.

Next. The developers brought to my attention that people are still under the impression that the number of missing BTC is 80. This is entirely my fault, as that is the preliminary estimate I gave, and I never updated people after I did the calculations and rolled back the trades. The actual number of missing BTC is 115 -- 150 minus the 35 the hacker left in his account. I can provide the data on this if people want -- the list of trades and withdrawals made by the hacker.

The hacker has not responded for about two days. He still hasn't moved the BTC he took and may still have good intentions, but for now, we're going to have to assume it is lost so we can move on. The amount of BTC owed to people is recorded, and I will pay it off gradually, starting with the 35 BTC left behind by the hacker.

Once the block chain is done syncing, the BTC/XCP market will be resumed, as will deposits and withdrawals.

Great to hear this. We are moving now.
sr. member
Activity: 364
Merit: 250
Owner of Poloniex
Update.

First of all, one reason resuming XCP has been further delayed is that there was another required update that initiated a block chain resync. Resyncing takes about a day, and worse than that, the developers still haven't fixed the "busy error" issue, and I forgot to install my little patch for it after upgrading, so counterpartyd crashed last night. Right now, it is about 3,000 blocks behind. Once it finishes syncing, I will put XCP back up.

Next. The developers brought to my attention that people are still under the impression that the number of missing BTC is 80. This is entirely my fault, as that is the preliminary estimate I gave, and I never updated people after I did the calculations and rolled back the trades. The actual number of missing BTC is 115 -- 150 minus the 35 the hacker left in his account. I can provide the data on this if people want -- the list of trades and withdrawals made by the hacker.

The hacker has not responded for about two days. He still hasn't moved the BTC he took and may still have good intentions, but for now, we're going to have to assume it is lost so we can move on. The amount of BTC owed to people is recorded, and I will pay it off gradually, starting with the 35 BTC left behind by the hacker.

Once the block chain is done syncing, the BTC/XCP market will be resumed, as will deposits and withdrawals.