Got a response from the guy, he explained the vulnerability. I am now contacting the devs privately.
Poloniex was not hacked.
Topic: [ANN][XCP] Counterparty - Pioneering Peer-to-Peer Finance - Official Thread - page 487. (Read 1276923 times)
February 19, 2014, 12:25:22 PM
February 19, 2014, 12:25:00 PM
The important matter is did the attacker withdraw the btc he received from dumping the XCP?
If not, the orders can be reversed and the private keys can be changed.
According to busoni attacker didn't withdraw all his btc ergo some was left behind and some was withdrawn. How much he has withdrawn has not specified. If not, the orders can be reversed and the private keys can be changed.
February 19, 2014, 12:22:40 PM
busoni,my xcp balance will back to poloniex account
and can withdraw?
and can withdraw?
February 19, 2014, 12:19:26 PM
The important matter is did the attacker withdraw the btc he received from dumping the XCP?
If not, the orders can be reversed and the private keys can be changed.
If not, the orders can be reversed and the private keys can be changed.
February 19, 2014, 12:16:04 PM
I don't see any evidence that Poloniex was hacked. The guy who dumped messaged me and said that the XCP protocol is not safe. It appears he is correct--there seems to be a major issue with XCP. People noticed that 35,000 XCP were withdrawn as soon as it was deposited--but this was not done using Poloniex's withdrawal system. I've asked the guy for more details. He says he has no intention of keeping the money he made off with.
I don't understand.
Busoni if what you are saying is right than all users XCP and BTC are safe?
He said "the XCP protocol is not safe, as anyone can spend any XCP present." And the evidence on Poloniex is that this is true. He made a legitimate deposit to get a balance on Poloniex, then took the XCP without using Poloniex's withdrawal system, so his balance was not subtracted. If he had hacked Poloniex and gotten privileges to cover up a withdrawal, there would be no need for the legit deposit. The actions are consistent with him having some way of whisking the XCP out of the central wallet. And unless this is a vulnerability with XCP, the only way to do that would be to have total access to the wallet server, and as I said, he didn't take anything else.
He expressed a desire to work the problem out. It seems to have been a demonstration rather than a theft.
I feel like you are making grand show out of pointing out a potential flaw in a very public manner.
"Ya i've heard satoshi built a kill-switch into the genesis block of bitcoin and can tank it at any time".
See what I did there? Who the fuck knows? but talking about it out in the open is only going to frighten the lesser informed individuals.
This is something that should be discussed with the developers directly. Not tossed about on the forums for weak hands to see.
February 19, 2014, 12:15:02 PM
XCP is not at fault here. Its Poloniex.
The original 35000 withdrawal from 15vA2MJ4ESG3Rt1PVQ79D1LFMBBNtcSz1f (Poloniex address) was signed by that private key to complete the withdrawal/send. The attacker somehow got access to process the transaction from Poloniex account. If he didn't, that means there is a huge flaw in Bitcoin. Which I highly doubt. I think Busoni is lying, and this whole thing was staged. But that's just my opinion. I never used Poloniex, and don't plan on it.
https://blockchain.info/tx/17d02a863919b7338e892d7a7da05f6e6529e5b97e3391d700a802b175978915
The original 35000 withdrawal from 15vA2MJ4ESG3Rt1PVQ79D1LFMBBNtcSz1f (Poloniex address) was signed by that private key to complete the withdrawal/send. The attacker somehow got access to process the transaction from Poloniex account. If he didn't, that means there is a huge flaw in Bitcoin. Which I highly doubt. I think Busoni is lying, and this whole thing was staged. But that's just my opinion. I never used Poloniex, and don't plan on it.
https://blockchain.info/tx/17d02a863919b7338e892d7a7da05f6e6529e5b97e3391d700a802b175978915
Those are internal Poloniex addresses, that is the XCP being moved into the main wallet.
February 19, 2014, 12:13:09 PM
The stolen 35,000 XCP was sent to 1HMoHdzaHm9cHR8FjekGRtkkydoHfgaC8S.
I just checked the Poloniex BTC wallet's transaction history, and nothing was ever sent to 1HMoHdzaHm9cHR8FjekGRtkkydoHfgaC8S.
To me, that says he sent it without hacking Poloniex.
I just checked the Poloniex BTC wallet's transaction history, and nothing was ever sent to 1HMoHdzaHm9cHR8FjekGRtkkydoHfgaC8S.
To me, that says he sent it without hacking Poloniex.
February 19, 2014, 12:12:43 PM
I don't see any evidence that Poloniex was hacked. The guy who dumped messaged me and said that the XCP protocol is not safe. It appears he is correct--there seems to be a major issue with XCP. People noticed that 35,000 XCP were withdrawn as soon as it was deposited--but this was not done using Poloniex's withdrawal system. I've asked the guy for more details. He says he has no intention of keeping the money he made off with.
I don't understand.
Busoni if what you are saying is right than all users XCP and BTC are safe?
He said "the XCP protocol is not safe, as anyone can spend any XCP present." And the evidence on Poloniex is that this is true. He made a legitimate deposit to get a balance on Poloniex, then took the XCP without using Poloniex's withdrawal system, so his balance was not subtracted. If he had hacked Poloniex and gotten privileges to cover up a withdrawal, there would be no need for the legit deposit. The actions are consistent with him having some way of whisking the XCP out of the central wallet. And unless this is a vulnerability with XCP, the only way to do that would be to have total access to the wallet server, and as I said, he didn't take anything else.
He expressed a desire to work the problem out. It seems to have been a demonstration rather than a theft.
We also want to work on this. Please give more details
Uhhhhhhh..............no. Please do not give more details. If it is a fault with XCP the only people he should be sharing details with are the devs.
February 19, 2014, 12:11:32 PM
newbie question here,
If I don't have the counterparty/XCP wallet program installed yet, but I want to withdraw my XCP from Poloniex (assuming I can!), can I just send it to a bitcoin address that I control? And then later, import that bitcoin address into the XCP wallet program?
(In other words, am I right in understanding that my XCP address is just a bitcoin address I own?) How would I later "import" it into XCP?
If I don't have the counterparty/XCP wallet program installed yet, but I want to withdraw my XCP from Poloniex (assuming I can!), can I just send it to a bitcoin address that I control? And then later, import that bitcoin address into the XCP wallet program?
(In other words, am I right in understanding that my XCP address is just a bitcoin address I own?) How would I later "import" it into XCP?
You assumptions are correct. As long as you can control your private key you will be able to control the XCP associated with it and where ever you want to import it.
February 19, 2014, 12:11:06 PM
The original 35000 withdrawal from 15vA2MJ4ESG3Rt1PVQ79D1LFMBBNtcSz1f (Poloniex address) was signed by that private key to complete the withdrawal/send. The attacker somehow got access to process the transaction from Poloniex account. If he didn't, that means there is a huge flaw in Bitcoin.
https://blockchain.info/tx/17d02a863919b7338e892d7a7da05f6e6529e5b97e3391d700a802b175978915
https://blockchain.info/tx/17d02a863919b7338e892d7a7da05f6e6529e5b97e3391d700a802b175978915
February 19, 2014, 12:09:03 PM
I don't see any evidence that Poloniex was hacked. The guy who dumped messaged me and said that the XCP protocol is not safe. It appears he is correct--there seems to be a major issue with XCP. People noticed that 35,000 XCP were withdrawn as soon as it was deposited--but this was not done using Poloniex's withdrawal system. I've asked the guy for more details. He says he has no intention of keeping the money he made off with.
I don't understand.
Busoni if what you are saying is right than all users XCP and BTC are safe?
He said "the XCP protocol is not safe, as anyone can spend any XCP present." And the evidence on Poloniex is that this is true. He made a legitimate deposit to get a balance on Poloniex, then took the XCP without using Poloniex's withdrawal system, so his balance was not subtracted. If he had hacked Poloniex and gotten privileges to cover up a withdrawal, there would be no need for the legit deposit. The actions are consistent with him having some way of whisking the XCP out of the central wallet. And unless this is a vulnerability with XCP, the only way to do that would be to have total access to the wallet server, and as I said, he didn't take anything else.
He expressed a desire to work the problem out. It seems to have been a demonstration rather than a theft.
We also want to work on this. Please give more details
February 19, 2014, 12:06:25 PM
I don't see any evidence that Poloniex was hacked. The guy who dumped messaged me and said that the XCP protocol is not safe. It appears he is correct--there seems to be a major issue with XCP. People noticed that 35,000 XCP were withdrawn as soon as it was deposited--but this was not done using Poloniex's withdrawal system. I've asked the guy for more details. He says he has no intention of keeping the money he made off with.
I don't understand.
Busoni if what you are saying is right than all users XCP and BTC are safe?
He said "the XCP protocol is not safe, as anyone can spend any XCP present." And the evidence on Poloniex is that this is true. He made a legitimate deposit to get a balance on Poloniex, then took the XCP without using Poloniex's withdrawal system, so his balance was not subtracted. If he had hacked Poloniex and gotten privileges to cover up a withdrawal, there would be no need for the legit deposit. The actions are consistent with him having some way of whisking the XCP out of the central wallet. And unless this is a vulnerability with XCP, the only way to do that would be to have total access to the wallet server, and as I said, he didn't take anything else.
He expressed a desire to work the problem out. It seems to have been a demonstration rather than a theft.
February 19, 2014, 12:06:05 PM
Holy shit. I wake up to this 
People... for the love of god don't panic until we know all the facts. Don't mindlessly dump your XCP at the first opportunity (or do, as long as it's into my hands).
People... for the love of god don't panic until we know all the facts. Don't mindlessly dump your XCP at the first opportunity (or do, as long as it's into my hands).
February 19, 2014, 12:00:38 PM
Poloniex was hacked. Busoni in denial
Guys, I'm looking into it. I'm just telling you what I know, and what the guy said to me. As someone pointed out, if someone hacked Poloniex and got the level of access needed to withdraw that much XCP, he would have taken a lot more. He didn't even withdraw all the BTC out of his account after selling.
Now I just want to cancel my order, what should I do?
February 19, 2014, 12:00:02 PM
I don't see any evidence that Poloniex was hacked. The guy who dumped messaged me and said that the XCP protocol is not safe. It appears he is correct--there seems to be a major issue with XCP. People noticed that 35,000 XCP were withdrawn as soon as it was deposited--but this was not done using Poloniex's withdrawal system. I've asked the guy for more details. He says he has no intention of keeping the money he made off with.
I don't understand.
Busoni if what you are saying is right than all users XCP and BTC are safe?
February 19, 2014, 11:58:46 AM
When does this troll order expire? 0.01738562 BTC/XCP
It won't expire for a while, but it doesn't matter, because any orders to sell XCP for BTC with a non-trivial (e.g. default) 'fee required' will bypass it now. In fact, there are a couple open sell orders, so the next match should happen when someone tries to buy XCP on the distributed exchange.
thanks, that's what the answer I was looking for !
February 19, 2014, 11:56:52 AM
Honesty is best policy
February 19, 2014, 11:56:38 AM
Poloniex was hacked. Busoni in denial
Guys, I'm looking into it. I'm just telling you what I know, and what the guy said to me. As someone pointed out, if someone hacked Poloniex and got the level of access needed to withdraw that much XCP, he would have taken a lot more. He didn't even withdraw all the BTC out of his account after selling.
Alright, thanks. Let's hope for the best!
February 19, 2014, 11:56:02 AM
The withdrawal occurred without the use of Poloniex's withdrawal system. So, unless he hacked into the wallet server, which I am fairly certain is impossible because there is no route to connect to it on any port--and unless he decided, for some reason, to take only his 35,000 XCP after hacking into the wallet server--this was done in some other way. From his message, it sounded like he found a vulnerability that enabled him to send XCP from any address.
Show us some proof of attackers messages.
February 19, 2014, 11:55:21 AM
Poloniex was hacked. Busoni in denial
Guys, I'm looking into it. I'm just telling you what I know, and what the guy said to me. As someone pointed out, if someone hacked Poloniex and got the level of access needed to withdraw that much XCP, he would have taken a lot more. He didn't even withdraw all the BTC out of his account after selling.
Jump to: