Topic: [ANN][XCP] Counterparty - Pioneering Peer-to-Peer Finance - Official Thread - page 481. (Read 1276928 times)
February 19, 2014, 08:55:41 PM
What's wrong with poloniex, where are my XCPs?
February 19, 2014, 08:54:56 PM
Quick update of the logo, to make it work on black/gray/white background
http://s27.postimg.org/5hgsn6983/XCP_no_outline_01.png
http://s27.postimg.org/5hgsn6983/XCP_no_outline_01.png
Thanks, Litecoin Widget uses this image in the latest release.
February 19, 2014, 08:36:33 PM
as we know , be a Decentralized crypto coins,so proud with your Decentralized Asset Exchange etc,the roll back will do definitely attack everyone's confidence. it should just be taken seriously with doing that.
It's a serious bug and without fixing it, every XCP sent by others can be spent by everyone who knows this bug. Therefore, this bug has to be fixed and previous invalid XCP transactions have to be rolled back.
February 19, 2014, 08:34:27 PM
February 19, 2014, 08:33:35 PM
May I ask whether my understanding of this issue is correct?
The white hat exploited the XCP bug and get 35K XCP from the exchange and then deposit it back and sell all them to the wall and withdrew part of the BTC he got. Now the bug was fixed and the 35K XCP was rolled back.
If my understanding is correct, then every XCP bought during the dump belongs to the 35K invalid XCP from the white hat. Therefore, after client updates, those XCP will disappear. Then how come people are still asking whether the dump stands or not? The XCP has been rolled back, so the BTC balance has to be rolled back too.
EDIT After a second thought, I realized that the dump just happens in the exchange's trade book and nothing happened on the block chain. Therefore, whether they are legit or not all depends on the exchange.
The white hat exploited the XCP bug and get 35K XCP from the exchange and then deposit it back and sell all them to the wall and withdrew part of the BTC he got. Now the bug was fixed and the 35K XCP was rolled back.
If my understanding is correct, then every XCP bought during the dump belongs to the 35K invalid XCP from the white hat. Therefore, after client updates, those XCP will disappear. Then how come people are still asking whether the dump stands or not? The XCP has been rolled back, so the BTC balance has to be rolled back too.
EDIT After a second thought, I realized that the dump just happens in the exchange's trade book and nothing happened on the block chain. Therefore, whether they are legit or not all depends on the exchange.
February 19, 2014, 08:28:28 PM
as we know , be a Decentralized crypto coins,so proud with your Decentralized Asset Exchange etc,the roll back will do definitely attack everyone's confidence. it should just be taken seriously with doing that.
February 19, 2014, 08:22:28 PM
OK, Blockscan (not updated) show on Poloniex's address 15vA2MJ4ESG3Rt1PVQ79D1LFMBBNtcSz1f amount of 13,154 XCP.
Counterpartyd (version 6) show 48,154 XCP, so
Poloniex did get the 35K back after version update.
Counterpartyd (version 6) show 48,154 XCP, so
Poloniex did get the 35K back after version update.
Can confirm that 6.0 wipes out the relevant transactions:
---
2014-02-19-T19:09:09Central Standard Time Block: 286700
2014-02-19-T19:09:11Central Standard Time Block: 286701
2014-02-19-T19:09:11Central Standard Time Block: 286702
2014-02-19-T19:09:16Central Standard Time Block: 286703
2014-02-19-T19:09:17Central Standard Time Block: 286704
2014-02-19-T19:09:18Central Standard Time Block: 286705
2014-02-19-T19:09:21Central Standard Time Block: 286706
2014-02-19-T19:09:22Central Standard Time Block: 286707
2014-02-19-T19:09:22Central Standard Time Block: 286708
2014-02-19-T19:09:24Central Standard Time Block: 286709
2014-02-19-T19:09:24Central Standard Time Block: 286710
2014-02-19-T19:09:25Central Standard Time Block: 286711
2014-02-19-T19:09:29Central Standard Time Send: 0.0 XCP from 19rVQ91AgrYmbpX6Sjxw6qCoP2Q1YFcn5b to 15vA2MJ4ESG3Rt1PVQ79D1LFMBBNtcSz1f (550188a54801105d506fab507995eb8aef15dfcd4d2d2cbf5e6948b831e92b4c) [invalid: zero quantity]
2014-02-19-T19:09:29Central Standard Time Block: 286712
2014-02-19-T19:09:31Central Standard Time Block: 286713
---
Some sort of resolution to make the most parties happy still has to occur on poloniex before trading can be opened up. The most agreeable resolution would be for the hacker to return the BTCs, all trades after block 286712 to be cancelled, and the BTC refunded as appropriate. I don't know about the XCPs withdrawn from purchasing at the dump.
Again I should emphasize that such incidents are hardly unique to any coin. Bitcoin had similarily serious issues at a far more mature stage, and Nxt just has a critical issue last week despite a much larger market cap.
February 19, 2014, 08:22:13 PM
As far as I understand it, all the XCP the white hat withdrew from Poloniex will be returned via the current Patch 0.61, only the BTC he withdrew remain in his honest (?) hands. Lets make that bounty worth his while. Also holding on to the XCP wouldnt make too much sense right now because the price will probably dive in the short-medium term.
I don't quite get it - does it mean that anyone who auto-bought these transferred XCP's for low prices, will be out of their BTC's?
February 19, 2014, 08:10:54 PM
OK, Blockscan (not updated) show on Poloniex's address 15vA2MJ4ESG3Rt1PVQ79D1LFMBBNtcSz1f amount of 13,154 XCP.
Counterpartyd (version 6) show 48,154 XCP, so
Poloniex did get the 35K back after version update.
Counterpartyd (version 6) show 48,154 XCP, so
Poloniex did get the 35K back after version update.
February 19, 2014, 08:07:58 PM
Was it mentioned if the hacker/white hat was going to return the BTC that they withdrew?
If they don't return that BTC, Poloniex would be out of pocket in a huge way.
I hope we can pull together an adequate bounty for the white hat such that they will return all BTC.
If they don't return that BTC, Poloniex would be out of pocket in a huge way.
I hope we can pull together an adequate bounty for the white hat such that they will return all BTC.
He said he would, but I haven't heard from him since he explained the vulnerability. My guess is he is waiting on the block chain rebuild to see where he stands with XCP.
If all the XCP gets returned to the Poloniex account, then the dump will stand, and he can keep the BTC. If not... then let's hope he returns it, and I'm going to have to roll back some trades.
Hmmm...its still feeling like the fair and reasonable thing to do under the circumstances is to offer the hacker a fair-market rate bounty for identifying the exploit... Then the onus would be on the hacker to choose how s/he will be remembered in history.
Either s/he chooses to become a whitehat, a hero. And can live with fame, personal pride, and good karma ... not to mention much respect, trust, and future opportunity from within this community!
Or s/he chooses to be a blackhat, a thief. And inevitably experience some guilty conscience, maybe loss of sleep, bad karma in this life ... possibly the next life too =(
Lets get this bounty sorted out, and then hopefully our hacker will make the right decision!
Analysis of a few Bug Bounty Programs:
- Coinbase's Bug Bounty Program: minimum $1000 of BTC
- GitHub's Bug Bounty Program: $1000 - $5000
- Facebook's Bug Bounty Program: minimum $500; the biggest bounty paid by Facebook ever was $33,500.00, http://www.theregister.co.uk/2014/01/24/facebook_bug_bounty_payout/
- Google's Security Program: $100 - $20,000; here is a detailed table showing how bugs are priced, http://www.google.com/about/appsecurity/reward-program/
Judging from the precedents, perhaps a bounty on the order of $10,000 - $20,000 would be appropriate. This would be 2x - 4x the highest bounty paid by GitHub, on the high end of what Google pays, and a handsome reward for our whitehat (?).
$10,000 = 16 BTC @ $625 USD / BTC
16 BTC = 1300 XCP @ 0.012 BTC / XCP
So, if we wanted to do a $10,000 bounty it would be 1300 XCP, if we wanted to do $20,000 bounty it would be 2600 XCP.
Earlier on this thread there were at least 12 people committing 100 XCP or 10% of their holdings, so if we rally together a bounty of 1300 - 2600 XCP should be feasible.
February 19, 2014, 07:56:05 PM
Was it mentioned if the hacker/white hat was going to return the BTC that they withdrew?
If they don't return that BTC, Poloniex would be out of pocket in a huge way.
I hope we can pull together an adequate bounty for the white hat such that they will return all BTC.
If they don't return that BTC, Poloniex would be out of pocket in a huge way.
I hope we can pull together an adequate bounty for the white hat such that they will return all BTC.
He said he would, but I haven't heard from him since he explained the vulnerability. My guess is he is waiting on the block chain rebuild to see where he stands with XCP.
If all the XCP gets returned to the Poloniex account, then the dump will stand, and he can keep the BTC. If not... then let's hope he returns it, and I'm going to have to roll back some trades.
a) It doesn't make sense to forcefully take the users XCP, and sell it at 0.002 , when they never intended to sell it at that price.
b) The 35k XCP also includes XCP from users who purchased them on previous day and are holding them at exchanges.
February 19, 2014, 07:47:41 PM
So what is the end decision.
Will XCP trades be rolled back? If that happens, won't everyone that bought at 0.002 lose because they lose their bitcoins and their xcp?
Will XCP trades be rolled back? If that happens, won't everyone that bought at 0.002 lose because they lose their bitcoins and their xcp?
February 19, 2014, 07:41:16 PM
That's the one thing thats kinda cool about not having mining pools to generate coins, is that when something like this happens, its actually possible for the developers to referee.. I am not quite sure that this is what Satoshi wanted. I believe he would have stood by the decision to let the negative consequences of the bug stand and allow the hacker to keep or give back at his discretion.
I would say Satoshi would be more interested in the negative consequences of a trustless system than the positive benefits of a trust-based system where we can simply decide to make roll backs on the block chain. I would assume just the possibility that human intervention is possible with such ease where so many balances are at stake would not be within the vision of a trustless protocol. That being said, many will disagree just based on the fact that they would not be able to see beyond their own balances as to what would be the correct implementation. And I understand that. As I would prefer a rollback personally had I lost a serious amount of XCP.
Keep in mind though something like this would be much harder to do with a mineable coin. So the real question is where do we go from here. Do we allow the possibility for a referee ? With Bitcoin of course this isn't possible unless you could somehow convince 51% or more to rollback (noob assumption, not sure)
Anyways, my 2 1/2 cents.
I would say Satoshi would be more interested in the negative consequences of a trustless system than the positive benefits of a trust-based system where we can simply decide to make roll backs on the block chain. I would assume just the possibility that human intervention is possible with such ease where so many balances are at stake would not be within the vision of a trustless protocol. That being said, many will disagree just based on the fact that they would not be able to see beyond their own balances as to what would be the correct implementation. And I understand that. As I would prefer a rollback personally had I lost a serious amount of XCP.
Keep in mind though something like this would be much harder to do with a mineable coin. So the real question is where do we go from here. Do we allow the possibility for a referee ? With Bitcoin of course this isn't possible unless you could somehow convince 51% or more to rollback (noob assumption, not sure)
Anyways, my 2 1/2 cents.
I hope this is some kind of edge case where still in Alpha no serious money has been spent and not much damage can be done by doing something like this. Also the attack is apparently a showcase of fraudulent abuse, so no one would contradict. But I would like the devs to make a statement like this as well.
If we allow further "corrections" at will on the hands of a few in power how could we ever gain the trust of the common user?
Intervention by "relatively small groups" is hardly unique to counterparty. Most people talk about the infamous bitcoin fork, but the bug that most closely parallels today's is the integer overflow bug back in 2010. And yes, in both of those cases a relatively small group of developers (who represent the community) intervened (the second case being downloading some random user's working blockchain). The community admittedly was very different then (satoshi was still around, for Christ's sake), and most people here (including me) weren't around.
February 19, 2014, 07:40:15 PM
1) trolls could attack XBTC/BTC like they did to XCP/BTC.
2) x BTC needs to be put in a public address for x XBTC to circulate in counterparty.
2) x BTC needs to be put in a public address for x XBTC to circulate in counterparty.
1) They wouldn't be able to attack XBTC because
a) BTC cannot be held in escrow
b) XBTC can be held in escrow
This means that:
i) Someone cannot make an order without adequate XBTC
ii) Counterparty will hold in escrow XBTC so they cannot revoke their side of the order
2) As discussed XBTC would remain as an artificially constrained asset. This has the effect of tending to return back to market value.
You could think of XBTC <--> BTC as a gateway service.
February 19, 2014, 07:39:44 PM
That's the one thing thats kinda cool about not having mining pools to generate coins, is that when something like this happens, its actually possible for the developers to referee.. I am not quite sure that this is what Satoshi wanted. I believe he would have stood by the decision to let the negative consequences of the bug stand and allow the hacker to keep or give back at his discretion.
I would say Satoshi would be more interested in the negative consequences of a trustless system than the positive benefits of a trust-based system where we can simply decide to make roll backs on the block chain. I would assume just the possibility that human intervention is possible with such ease where so many balances are at stake would not be within the vision of a trustless protocol. That being said, many will disagree just based on the fact that they would not be able to see beyond their own balances as to what would be the correct implementation. And I understand that. As I would prefer a rollback personally had I lost a serious amount of XCP.
Keep in mind though something like this would be much harder to do with a mineable coin. So the real question is where do we go from here. Do we allow the possibility for a referee ? With Bitcoin of course this isn't possible unless you could somehow convince 51% or more to rollback (noob assumption, not sure)
Anyways, my 2 1/2 cents.
I would say Satoshi would be more interested in the negative consequences of a trustless system than the positive benefits of a trust-based system where we can simply decide to make roll backs on the block chain. I would assume just the possibility that human intervention is possible with such ease where so many balances are at stake would not be within the vision of a trustless protocol. That being said, many will disagree just based on the fact that they would not be able to see beyond their own balances as to what would be the correct implementation. And I understand that. As I would prefer a rollback personally had I lost a serious amount of XCP.
Keep in mind though something like this would be much harder to do with a mineable coin. So the real question is where do we go from here. Do we allow the possibility for a referee ? With Bitcoin of course this isn't possible unless you could somehow convince 51% or more to rollback (noob assumption, not sure)
Anyways, my 2 1/2 cents.
Hey halfcab123, really good observation about wanting to stay pure with a trustless system, but, the reason that the situation happened is because there was a technical glitch. If a technical glitch happened with a mined coin, I am absolutely confident that the mining community would be unanimous in its vote to fix the glitch and roll-back... yah? Or do you see it differently?
February 19, 2014, 07:33:57 PM
That's the one thing thats kinda cool about not having mining pools to generate coins, is that when something like this happens, its actually possible for the developers to referee.. I am not quite sure that this is what Satoshi wanted. I believe he would have stood by the decision to let the negative consequences of the bug stand and allow the hacker to keep or give back at his discretion.
I would say Satoshi would be more interested in the negative consequences of a trustless system than the positive benefits of a trust-based system where we can simply decide to make roll backs on the block chain. I would assume just the possibility that human intervention is possible with such ease where so many balances are at stake would not be within the vision of a trustless protocol. That being said, many will disagree just based on the fact that they would not be able to see beyond their own balances as to what would be the correct implementation. And I understand that. As I would prefer a rollback personally had I lost a serious amount of XCP.
Keep in mind though something like this would be much harder to do with a mineable coin. So the real question is where do we go from here. Do we allow the possibility for a referee ? With Bitcoin of course this isn't possible unless you could somehow convince 51% or more to rollback (noob assumption, not sure)
Anyways, my 2 1/2 cents.
I would say Satoshi would be more interested in the negative consequences of a trustless system than the positive benefits of a trust-based system where we can simply decide to make roll backs on the block chain. I would assume just the possibility that human intervention is possible with such ease where so many balances are at stake would not be within the vision of a trustless protocol. That being said, many will disagree just based on the fact that they would not be able to see beyond their own balances as to what would be the correct implementation. And I understand that. As I would prefer a rollback personally had I lost a serious amount of XCP.
Keep in mind though something like this would be much harder to do with a mineable coin. So the real question is where do we go from here. Do we allow the possibility for a referee ? With Bitcoin of course this isn't possible unless you could somehow convince 51% or more to rollback (noob assumption, not sure)
Anyways, my 2 1/2 cents.
I hope this is some kind of edge case where still in Alpha no serious money has been spent and not much damage can be done by doing something like this. Also the attack is apparently a showcase of fraudulent abuse, so no one would contradict. But I would like the devs to make a statement like this as well.
If we allow further "corrections" at will on the hands of a few in power how could we ever gain the trust of the common user?
February 19, 2014, 07:20:40 PM
That's the one thing thats kinda cool about not having mining pools to generate coins, is that when something like this happens, its actually possible for the developers to referee.. I am not quite sure that this is what Satoshi wanted. I believe he would have stood by the decision to let the negative consequences of the bug stand and allow the hacker to keep or give back at his discretion.
I would say Satoshi would be more interested in the negative consequences of a trustless system than the positive benefits of a trust-based system where we can simply decide to make roll backs on the block chain. I would assume just the possibility that human intervention is possible with such ease where so many balances are at stake would not be within the vision of a trustless protocol. That being said, many will disagree just based on the fact that they would not be able to see beyond their own balances as to what would be the correct implementation. And I understand that. As I would prefer a rollback personally had I lost a serious amount of XCP.
Keep in mind though something like this would be much harder to do with a mineable coin. So the real question is where do we go from here. Do we allow the possibility for a referee ? With Bitcoin of course this isn't possible unless you could somehow convince 51% or more to rollback (noob assumption, not sure)
Anyways, my 2 1/2 cents.
I would say Satoshi would be more interested in the negative consequences of a trustless system than the positive benefits of a trust-based system where we can simply decide to make roll backs on the block chain. I would assume just the possibility that human intervention is possible with such ease where so many balances are at stake would not be within the vision of a trustless protocol. That being said, many will disagree just based on the fact that they would not be able to see beyond their own balances as to what would be the correct implementation. And I understand that. As I would prefer a rollback personally had I lost a serious amount of XCP.
Keep in mind though something like this would be much harder to do with a mineable coin. So the real question is where do we go from here. Do we allow the possibility for a referee ? With Bitcoin of course this isn't possible unless you could somehow convince 51% or more to rollback (noob assumption, not sure)
Anyways, my 2 1/2 cents.
February 19, 2014, 07:08:37 PM
Was it mentioned if the hacker/white hat was going to return the BTC that they withdrew?
If they don't return that BTC, Poloniex would be out of pocket in a huge way.
I hope we can pull together an adequate bounty for the white hat such that they will return all BTC.
If they don't return that BTC, Poloniex would be out of pocket in a huge way.
I hope we can pull together an adequate bounty for the white hat such that they will return all BTC.
He said he would, but I haven't heard from him since he explained the vulnerability. My guess is he is waiting on the block chain rebuild to see where he stands with XCP.
If all the XCP gets returned to the Poloniex account, then the dump will stand, and he can keep the BTC. If not... then let's hope he returns it, and I'm going to have to roll back some trades.
Hmmm...its still feeling like the fair and reasonable thing to do under the circumstances is to offer the hacker a provably fair-market rate bounty for identifying the exploit... Then the onus would be on the hacker to choose how s/he will be remembered in history.
Either s/he chooses to become a whitehat, a hero. And can live with personal pride, satisfaction, and good karma ... not to mention much respect, trust, and future opportunity from within this community!
Or s/he chooses to be a blackhat, a thief. And inevitably experience some guilty conscience, maybe loss of sleep, bad karma in this life ... possibly the next life too =(
Hopefully this community can rally together to propose a fair-market rate bounty, and our hacker makes the right decision!
As far as I understand it, all the XCP the white hat withdrew from Poloniex will be returned via the current Patch 0.61, only the BTC he withdrew remain in his honest (?) hands. Lets make that bounty worth his while. Also holding on to the XCP wouldnt make too much sense right now because the price will probably dive in the short-medium term.
February 19, 2014, 06:59:52 PM
Hi Busoni- what'up with the site? cant get on it for the past 20 minutes
also- just before it went dead - I made a withdrawal of 2BTC received an email confirmation request that also cant connect the the site- so obviously cant confirm
Oops! Google Chrome could not find www.poloniex.com
Google Search
also- just before it went dead - I made a withdrawal of 2BTC received an email confirmation request that also cant connect the the site- so obviously cant confirm
Oops! Google Chrome could not find www.poloniex.com
Google Search
weird... its working for me
here it is still dead.... maybe accessing different servers? all other sites work well at 100mgps
Just came back after 30 minutes and confirmed withdrawal. I guess a server issue. back to normal !
February 19, 2014, 06:57:29 PM
Hi Busoni- what'up with the site? cant get on it for the past 20 minutes
also- just before it went dead - I made a withdrawal of 2BTC received an email confirmation request that also cant connect the the site- so obviously cant confirm
Oops! Google Chrome could not find www.poloniex.com
Google Search
also- just before it went dead - I made a withdrawal of 2BTC received an email confirmation request that also cant connect the the site- so obviously cant confirm
Oops! Google Chrome could not find www.poloniex.com
Google Search
weird... its working for me
here it is still dead.... maybe accessing different servers? all other sites work well at 100mgps
Jump to: