Topic: [ANN][XCP] Counterparty - Pioneering Peer-to-Peer Finance - Official Thread - page 488. (Read 1276923 times)

legendary
Activity: 1232
Merit: 1000
fkc me, did I just lose all my cash?
legendary
Activity: 876
Merit: 1000
Etherscan.io
XCP appears to have disappeared from Poloniex, the XCP/BTC pair now forwards you to the Nxt/Btc trading pair:

https://poloniex.com/exchange/btc_xcp

it also disappeared from the balances.

and it's not possible to withdraw BTC.

Yes, I've suspended XCP for now, because there appears to be a serious problem with it.

I think it's best that you perhaps try to figure out what actually went wrong than to imply there is a serious problem with XCP. It could very well be an issue with your existing integration with the XCP wallet.
sr. member
Activity: 364
Merit: 250
Owner of Poloniex
I don't see any evidence that Poloniex was hacked. The guy who dumped messaged me and said that the XCP protocol is not safe. It appears he is correct--there seems to be a major issue with XCP. People noticed that 35,000 XCP were withdrawn as soon as it was deposited--but this was not done using Poloniex's withdrawal system. I've asked the guy for more details. He says he has no intention of keeping the money he made off with.

From looking at the log of transactions it looks like the attacker's plan was:

1) Withdraw 35k XCP from Poloniex central wallet somehow
2) Redeposit the 35k XCP and dump for BTC
3) Withdraw BTC
4) Withdraw the same 35k XCP, this time permanently as the order book has thinned out and it no longer makes sense to dump for BTC.

I don't see where the XCP protocol is at fault here. The exploit has to do with the initial unauthorized withdrawal of 35k XCP from Poloniex's central wallet. There were no XCP double-spent, printed out of thin air, etc.

The withdrawal occurred without the use of Poloniex's withdrawal system. So, unless he hacked into the wallet server, which I am fairly certain is impossible because there is no route to connect to it on any port--and unless he decided, for some reason, to take only his 35,000 XCP after hacking into the wallet server--this was done in some other way. From his message, it sounded like he found a vulnerability that enabled him to send XCP from any address.
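The posts above hinge on an on-chain send from the exchange's central wallet that its own withdrawal system has no record of. The following is an added example, not part of the thread and not any exchange's code: a reconciliation check that flags such sends. The record layouts, addresses, transaction ids and the 10^8 base-unit factor are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

UNIT = 10**8                       # assumed base units per XCP
HOT_WALLET = "1ExampleHotWallet"   # constructed placeholder address

@dataclass(frozen=True)
class ChainSend:                   # one asset send parsed from the blockchain
    txid: str
    source: str
    destination: str
    quantity: int

@dataclass(frozen=True)
class Withdrawal:                  # one row from the exchange's withdrawal system
    destination: str
    quantity: int
    txid: Optional[str]            # None until the request has been broadcast

def unexplained_sends(chain_sends, withdrawals, hot_wallet=HOT_WALLET):
    """Return sends out of the hot wallet that no withdrawal record accounts for."""
    approved = {w.txid: w for w in withdrawals if w.txid}
    flagged = []
    for send in chain_sends:
        if send.source != hot_wallet:
            continue               # deposits and third-party sends are out of scope
        rec = approved.pop(send.txid, None)   # a record explains at most one send
        if rec is None or (rec.destination, rec.quantity) != (send.destination, send.quantity):
            flagged.append(send)   # no record, or record does not match the send
    return flagged

# Constructed sample data (txids and addresses are made up).
CHAIN = [
    ChainSend("tx-a", HOT_WALLET, "1UserA", 120 * UNIT),     # matches a record
    ChainSend("tx-b", HOT_WALLET, "1UserB", 35_000 * UNIT),  # no record at all
    ChainSend("tx-c", "1UserB", HOT_WALLET, 35_000 * UNIT),  # a deposit
    ChainSend("tx-d", HOT_WALLET, "1UserC", 50 * UNIT),      # record says 5, not 50
]
WITHDRAWALS = [
    Withdrawal("1UserA", 120 * UNIT, "tx-a"),
    Withdrawal("1UserC", 5 * UNIT, "tx-d"),
    Withdrawal("1UserD", 10 * UNIT, None),                   # still pending
]

if __name__ == "__main__":
    for s in unexplained_sends(CHAIN, WITHDRAWALS):
        print("ALERT", s.txid, s.destination, s.quantity / UNIT, "XCP")
```

Run continuously against new blocks, a check like this surfaces a wallet send that bypassed the withdrawal path within minutes instead of leaving it to users to notice.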
newbie
Activity: 28
Merit: 0
Poloniex was hacked. Busoni in denial
full member
Activity: 202
Merit: 100
not sure I trust the operator

I chatted with somebody last week:

Quote
01:41:44 921908390: currently the only centralised exchange with xcp/btc pairs is poloniex. got about 85BTC in trade volume so far and hasn't been up for a day yet, not bad.
01:42:00 71298191: go and make a post about how much that site sucks and why 
01:42:19 71298191: and you will do the mankind a good thing 
01:42:24 921908390: well, it just got back up from heavy load
01:42:48 921908390: certainly isn't the smoothest experience, but beggars can't be choosers
01:42:51 71298191: its a scam
01:43:05 71298191: we found security issues on it in 5 minutes
01:43:07 921908390: I've only used it for first time today.
01:43:31 71298191: it's a scam or somebody will hack it very soon
01:43:39 71298191: both options are very possible and maybe even combined
legendary
Activity: 1320
Merit: 1007
I don't see any evidence that Poloniex was hacked. The guy who dumped messaged me and said that the XCP protocol is not safe. It appears he is correct--there seems to be a major issue with XCP. People noticed that 35,000 XCP were withdrawn as soon as it was deposited--but this was not done using Poloniex's withdrawal system. I've asked the guy for more details. He says he has no intention of keeping the money he made off with.

From looking at the log of transactions it looks like the attacker's plan was:

1) Withdraw 35k XCP from Poloniex central wallet somehow
2) Redeposit the 35k XCP and dump for BTC
3) Withdraw BTC
4) Withdraw the same 35k XCP, this time permanently as the order book has thinned out and it no longer makes sense to dump for BTC.

I don't see where the XCP protocol is at fault here. The exploit has to do with the initial unauthorized withdrawal of 35k XCP from Poloniex's central wallet. There were no XCP double-spent, printed out of thin air, etc.

This.

The 35k withdrawal had to have been done via Poloniex.

There is no way to sign the tx if you don't have access to the private key, or the attacker would be targeting all the addresses that hold XCP, not just the Poloniex account. What Busoni is saying is highly suspicious.
sr. member
Activity: 364
Merit: 250
Owner of Poloniex
XCP appears to have disappeared from Poloniex, the XCP/BTC pair now forwards you to the Nxt/Btc trading pair:

https://poloniex.com/exchange/btc_xcp

it also disappeared from the balances.

and it's not possible to withdraw BTC.

Yes, I've suspended XCP for now, because there appears to be a serious problem with it.
hero member
Activity: 742
Merit: 500
I've asked the guy for more details. He says he has no intention of keeping the money he made off with.

I do not get this part
legendary
Activity: 876
Merit: 1000
Etherscan.io
Adding support for matching orders by order hash directly would be a huge help in combating the troll.

The troll can still place orders and force sell orders to have higher fees, but buyers can place orders with low fees and sellers can directly match them.

If we don't care about preserving best/bid offer, we could have order matching ONLY by order hash. That way sellers can place their orders, buyers can place their orders, and anyone who wants to make a trade can match directly. Troll orders would be completely ignored. Fees would be kept to the minimum of 0.0001.

I am all for this and also had proposed the same earlier. By allowing matching orders directly by order hash, the DEX would facilitate a trustless escrow system. There are no other working systems offering this at the moment (that I know of), and implementing this in the DEX would make it a first. As the direct matching would be a separate command, it should be able to work side by side with the existing order matching system. Combined with a client-side, reputation-based system, sellers would be able to sell non-BTC assets like XCP to whoever they choose to.
legendary
Activity: 882
Merit: 1002
XCP appears to have disappeared from Poloniex, the XCP/BTC pair now forwards you to the Nxt/Btc trading pair:

https://poloniex.com/exchange/btc_xcp

it also disappeared from the balances.

and it's not possible to withdraw BTC.
full member
Activity: 322
Merit: 102
Awesome.. I had all the XCP I bought at Poloniex..
hero member
Activity: 868
Merit: 1000
XCP appears to have disappeared from Poloniex, the XCP/BTC pair now forwards you to the Nxt/Btc trading pair:

https://poloniex.com/exchange/btc_xcp
sr. member
Activity: 364
Merit: 250
Owner of Poloniex
I don't see any evidence that Poloniex was hacked. The guy who dumped messaged me and said that the XCP protocol is not safe. It appears he is correct--there seems to be a major issue with XCP. People noticed that 35,000 XCP were withdrawn as soon as it was deposited--but this was not done using Poloniex's withdrawal system. I've asked the guy for more details. He says he has no intention of keeping the money he made off with.
sr. member
Activity: 476
Merit: 300
Counterparty Chief Scientist and Co-Founder
When does this troll order expire? 0.01738562 BTC/XCP

It won't expire for a while, but it doesn't matter, because any orders to sell XCP for BTC with a non-trivial (e.g. default) 'fee required' will bypass it now. In fact, there are a couple open sell orders, so the next match should happen when someone tries to buy XCP on the distributed exchange.
newbie
Activity: 28
Merit: 0
If poloniex was hacked, wouldn't other altcoins have been stolen?
full member
Activity: 196
Merit: 100
I think there is only 1 way to perfectly implement this pegged value idea. Create a DAC (Distributed Autonomous Community) whose sole function is to take an amount of BTC as an input and return the same amount of XBTC to you in return. This DAC will run on at least all the underwriters computers. This keeps it as simple as possible. The DAC is trust-less and starts with the 21 Million XBTC. To get the XBTC you have to feed it with BTC. All the accounts would be transparent and really simple - only 1 address is needed for both the BTC and XCP.

This would work for any other crypto-currency too. The only caveat being that the members of the DAC community would have to run the blockchains of each cryptocurrency involved.

Curious what a practical way to make such a DAC is? How to prove that only nodes in the DAC know the private key?

There is no way to prove that only nodes in the DAC know the private key.

I still think the idea is simple enough (and splendid) to implement and can be done quickly. It needs to be set up by someone with a community standing so that there is enough trust.
legendary
Activity: 876
Merit: 1000
Etherscan.io
Can anyone tell me how the order book is matched in this dump scenario.

1. A sell order was placed for 0.002 for at least 16,000 XCP
2. There were many buy orders greater than 0.002 at least up to 0.011

Do these buy orders get matched to the dump price? If yes, do they get matched @ 0.002 or at their original bid?


Original bid all the way down to 0.002
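The answer above (each buy order fills at its own bid, walking down to 0.002) is what a price-priority limit order book does with an incoming sell. The sketch below is an added example, not code from the thread or from any exchange; the bid sizes are constructed, and prices are held in satoshis per XCP so the arithmetic stays exact.

```python
def match_sell(bids, limit_price, quantity):
    """Fill an incoming sell against resting bids, best price first.

    bids: list of (price_sat, qty) in arrival order.
    Returns (fills, unfilled_qty, remaining_bids). Every fill executes at the
    resting bid's price, never at the seller's lower limit.
    """
    # Stable sort: highest price first, earlier orders first within a price.
    book = sorted(bids, key=lambda b: -b[0])
    fills, remaining = [], []
    for price, qty in book:
        if quantity > 0 and price >= limit_price:
            take = min(qty, quantity)
            fills.append((price, take))
            quantity -= take
            if qty > take:
                remaining.append((price, qty - take))  # partially filled bid
        else:
            remaining.append((price, qty))             # below the limit: untouched
    return fills, quantity, remaining

def proceeds(fills):
    """Total satoshis received by the seller."""
    return sum(price * qty for price, qty in fills)

# Constructed book: bids from 0.011 BTC down to 0.0015 BTC per XCP.
BIDS = [
    (1_100_000, 500),
    (800_000, 1_000),
    (200_000, 3_000),
    (150_000, 4_000),
    (500_000, 2_000),
]

if __name__ == "__main__":
    # The dump from the question: sell 16,000 XCP with a 0.002 BTC limit.
    fills, unfilled, left = match_sell(BIDS, 200_000, 16_000)
    for price, qty in fills:
        print(f"{qty:>6} XCP @ {price / 1e8:.4f} BTC")
    print("unfilled, now resting as an ask at 0.002:", unfilled)
    print("seller receives", proceeds(fills) / 1e8, "BTC")
```

With this book the seller receives 29.5 BTC for 6,500 XCP, against 13 BTC had every fill been priced at 0.002, and the 0.0015 bid is never touched.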
newbie
Activity: 28
Merit: 0
Our only centralised exchange hacked?!!!
full member
Activity: 196
Merit: 100
Can anyone tell me how the order book is matched in this dump scenario.

1. A sell order was placed for 0.002 for at least 16,000 XCP
2. There were many buy orders greater than 0.002 at least up to 0.011

Do these buy orders get matched to the dump price? If yes, do they get matched @ 0.002 or at their original bid?
member
Activity: 103
Merit: 10
Well I withdrew everything until I hear back from you guys