Topic: BTC Stolen from Poloniex - page 27. (Read 167444 times)

newbie
Activity: 56
Merit: 0
March 04, 2014, 02:00:16 PM
You guys and gals are hopeless. I'll check back on page 56 when communication from op has dropped to nil and you slowly forget about your lost funds. Then I'll link to my post on another exchange's forum when they, too, don't believe that the latest "hack" sounds like BS.
legendary
Activity: 1372
Merit: 1022
Anarchy is not chaos.
March 04, 2014, 01:57:34 PM
Quote
guy

Tristan is a guy, he's male. This discussion is not constructive and adds noise to an important thread.

Please keep it on topic.
noted. Will remove my post.
newbie
Activity: 3
Merit: 0
March 04, 2014, 01:57:28 PM
I would like to thank everyone for their support and understanding. It really means a lot. Having other people's money taken under my watch has made me feel just about as awful as I've ever felt in my life.

I think I should have a poll to determine how to pay the funds back. Here are the options I'm thinking:

1. Pay back over time with exchange fees.
2. Same as #1, but raise fees to expedite.
3. Sell shares of Poloniex to cover the debt; dividends paid regularly.
4. Award such shares to everyone immediately and consider that repayment.

Let me know if I'm forgetting an option here.


About recent deposits--it really wouldn't be fair to deduct deposits made after the BTC was taken. Obviously I should have posted a notice on the Balances page, but it is not difficult to make an exception for recent deposits.

I will be hiring a security programmer after this is dealt with.

#3 and #4 add too much complexity and may become a source of problems in future.

Just deduct that 12% from the BTC pot (excluding new deposits after trade got halted) and return it from fees over time. Add a small tax on withdrawals if you think it is needed. Add a small interest on the paybacks to balance the time needed to recover the full pot (I mean, people will get BTC back in, let's say, 1 or 2 months? Then give them a bit more than they lost, which will compensate also the rise on taxes, but sooner or later you will get it done).

Giving dividends is the same as giving BTC back, in the end, but dividends are slower and not good for you after the debt is paid. Just consider this: is it good to share future benefits with a lot of people once the theft is returned? That is what will happen if you open shares, and honestly, it will be much more clear for _everyone_ to get BTC returned hour by hour or day by day in a global payback.
newbie
Activity: 56
Merit: 0
March 04, 2014, 01:57:13 PM
How is this a security vulnerability that has been known for weeks?  This seems more like a code issue and race conditions rather than something that has only been around for weeks.  The solution is to push all withdrawals to a pendingwithdrawals table that the engine then hits and deducts balance, this way even if the user tries to game the system and has say 5 withdrawals entered at the same time, those withdrawals are in a "pending" table, when the engine grabs them it then checks balances again sequentially on those rows and any withdrawal that the user does not have enough funds for is set to canceled.  This is the type of thing that should be done with ALL user input, orders, cancel orders, etc.

Someone detailed how it could be done on Reddit a few weeks ago, that's how. Bitcoin devs seem to know about it. It is up to exchanges if they want to fortify themselves against such attacks. Apparently, the OP missed the memo.

But I don't want to miss the forest for the trees.
full member
Activity: 140
Merit: 100
March 04, 2014, 01:53:46 PM
Quote
guy

Tristan is a guy, he's male. This discussion is not constructive and adds noise to an important thread.

Please keep it on topic.
hero member
Activity: 574
Merit: 500
March 04, 2014, 01:47:14 PM
The next thing that will be done--before markets are unfrozen--is that a daemon will be created that continually monitors for negative balances and freezes any account with a negative balance

This isn't the right way to fix the problem.

What you need to do is to make sure that users aren't allowed to do two balance-affecting things at the same time.  Otherwise they'll just find another way to cheat you.

Make "check balance" and "reduce balance" atomic.

Checking for negative balances isn't the answer.  Suppose I have 30 BTC and try to very quickly withdraw 10 BTC twice.  Both "check balance" calls see I have 30 BTC, which is enough.  Both "reduce balance" calls set my balance to 20 BTC.  Then you send me two separate 10 BTC payments, my balance has never been negative, and I'm 10 BTC up on the deal.  You need to make sure that the "check balance" and "update balance" happen without anything else relating to that user happening between them.

This is a security issue that has been documented for weeks. OP just didn't keep up with security patches.

How is this a security vulnerability that has been known for weeks?  This seems more like a code issue and race conditions rather than something that has only been around for weeks.  The solution is to push all withdrawals to a pendingwithdrawals table that the engine then hits and deducts balance, this way even if the user tries to game the system and has say 5 withdrawals entered at the same time, those withdrawals are in a "pending" table, when the engine grabs them it then checks balances again sequentially on those rows and any withdrawal that the user does not have enough funds for is set to canceled.  This is the type of thing that should be done with ALL user input, orders, cancel orders, etc.
newbie
Activity: 56
Merit: 0
March 04, 2014, 01:45:54 PM
You guys are being twits.  This guy has been completely transparent and is clearly working hard to rectify the situation.  Would you rather his exchange shut down?  How about every exchange that has had problems?  Let's go back to the days of google docs and getting scammed most of the time.

Running a business is tough, shit doesn't always go perfectly.  What makes the difference is how the managers respond, and busoni's doing everything right.  Get a grip.

This is not a mature market, products are still in development, there's no big money backing these guys.  You want perfection, wait for apple to open an exchange.  By then you'll have missed the bus, but that's ok with me because without you on it bitching all the time it's a much quieter, relaxing ride.

You're a twit for assuming everyone on here is a guy.......perhaps in your fantasy land there are no females.

Do I get extra points for saying him/her above? jk
full member
Activity: 140
Merit: 100
Bored
March 04, 2014, 01:45:26 PM
You guys are being twits.  This guy has been completely transparent and is clearly working hard to rectify the situation.  Would you rather his exchange shut down?  How about every exchange that has had problems?  Let's go back to the days of google docs and getting scammed most of the time.

Running a business is tough, shit doesn't always go perfectly.  What makes the difference is how the managers respond, and busoni's doing everything right.  Get a grip.

This is not a mature market, products are still in development, there's no big money backing these guys.  You want perfection, wait for apple to open an exchange.  By then you'll have missed the bus, but that's ok with me because without you on it bitching all the time it's a much quieter, relaxing ride.

You're a twit for assuming everyone on here is a guy.......perhaps in your fantasy land there are no females.
Who the fuck cares what's the sex of someone on the internet?
hero member
Activity: 644
Merit: 501
March 04, 2014, 01:42:59 PM
I would like to thank everyone for their support and understanding. It really means a lot. Having other people's money taken under my watch has made me feel just about as awful as I've ever felt in my life.

I think I should have a poll to determine how to pay the funds back. Here are the options I'm thinking:

1. Pay back over time with exchange fees.
2. Same as #1, but raise fees to expedite.
3. Sell shares of Poloniex to cover the debt; dividends paid regularly.
4. Award such shares to everyone immediately and consider that repayment.

Let me know if I'm forgetting an option here.


About recent deposits--it really wouldn't be fair to deduct deposits made after the BTC was taken. Obviously I should have posted a notice on the Balances page, but it is not difficult to make an exception for recent deposits.

I will be hiring a security programmer after this is dealt with.

Your openness and honesty in this situation is to be commended. There are a lot of exchanges who could learn the correct way to deal with a security breach by reading this thread.
Once you get all the security in place and the site is back to full operational I will continue to trade on your exchange.

Keep up the good work Tristan.
sr. member
Activity: 266
Merit: 250
March 04, 2014, 01:40:25 PM
No info on the hacker?
legendary
Activity: 924
Merit: 1000
March 04, 2014, 01:40:05 PM
You guys are being twits.  This guy has been completely transparent and is clearly working hard to rectify the situation.  Would you rather his exchange shut down?  How about every exchange that has had problems?  Let's go back to the days of google docs and getting scammed most of the time.

Running a business is tough, shit doesn't always go perfectly.  What makes the difference is how the managers respond, and busoni's doing everything right.  Get a grip.

This is not a mature market, products are still in development, there's no big money backing these guys.  You want perfection, wait for apple to open an exchange.  By then you'll have missed the bus, but that's ok with me because without you on it bitching all the time it's a much quieter, relaxing ride.

You're a twit for assuming everyone on here is a guy.......perhaps in your fantasy land there are no females.
newbie
Activity: 56
Merit: 0
March 04, 2014, 01:39:25 PM
Sorry.. the more minutes that roll by and there's still NO VERY VISIBLE NOTICE ON THE WEBSITE the more this smells like a scam.

Observe: https://poloniex.com/balances

Depositing BTC or other coins? No problem!

OP has everyone's email address. Did you get an email letting you know that something happened? Probably not.

Same shit that Coinmarket did.
member
Activity: 231
Merit: 10
March 04, 2014, 01:34:44 PM
You guys are being twits.  This guy has been completely transparent and is clearly working hard to rectify the situation.  Would you rather his exchange shut down?  How about every exchange that has had problems?  Let's go back to the days of google docs and getting scammed most of the time.

Running a business is tough, shit doesn't always go perfectly.  What makes the difference is how the managers respond, and busoni's doing everything right.  Get a grip.

This is not a mature market, products are still in development, there's no big money backing these guys.  You want perfection, wait for apple to open an exchange.  By then you'll have missed the bus, but that's ok with me because without you on it bitching all the time it's a much quieter, relaxing ride.
newbie
Activity: 56
Merit: 0
March 04, 2014, 01:33:59 PM
The next thing that will be done--before markets are unfrozen--is that a daemon will be created that continually monitors for negative balances and freezes any account with a negative balance

This isn't the right way to fix the problem.

What you need to do is to make sure that users aren't allowed to do two balance-affecting things at the same time.  Otherwise they'll just find another way to cheat you.

Make "check balance" and "reduce balance" atomic.

Checking for negative balances isn't the answer.  Suppose I have 30 BTC and try to very quickly withdraw 10 BTC twice.  Both "check balance" calls see I have 30 BTC, which is enough.  Both "reduce balance" calls set my balance to 20 BTC.  Then you send me two separate 10 BTC payments, my balance has never been negative, and I'm 10 BTC up on the deal.  You need to make sure that the "check balance" and "update balance" happen without anything else relating to that user happening between them.

This is a security issue that has been documented for weeks. OP just didn't keep up with security patches.
full member
Activity: 196
Merit: 100
★Bitvest.io★ Play Plinko or Invest!
March 04, 2014, 01:29:55 PM

I'm sure the good folks here would not think of suing you (and neither would I) but you may want to CYA.

Well let's be honest, you're not going to find a small claims lawyer who would even sue for .12 of a Bitcoin.

Must not be in the US...no case is too petty for an attorney here ;)
legendary
Activity: 1246
Merit: 1000
March 04, 2014, 01:28:48 PM

I'm sure the good folks here would not think of suing you (and neither would I) but you may want to CYA.

Well let's be honest, you're not going to find a small claims lawyer who would even sue for .12 of a Bitcoin.
newbie
Activity: 56
Merit: 0
March 04, 2014, 01:27:16 PM
The transparency is excellent

The issue can be fixed via debt-to-equity swap (issuing shares)

The whole thing gives me the creeps because it is not clear which other marketplaces can have the exact same problem without us knowing. We need a marketplace that got actual real world deposit insurance and regular auditing by an external auditing firm.

Not regulation, but insurance and auditing is key.

Pray tell, what was OP being transparent about? Exactly how much BTC was lost? (xxxxxx.xxxxxxxx) What the transaction IDs are? More useful information? etc
newbie
Activity: 56
Merit: 0
March 04, 2014, 01:23:53 PM
OP.. you said this just a couple of days ago:

"One more thing--about security. Very few Poloniex accounts have been hacked--less than five, I think--but I still think reminders like this don't hurt. ...
This is money we're talking about, which means people will always be trying to steal it. "

When someone asked you about security you avoided it https://bitcointalksearch.org/topic/m.5471836

  • There's nothing visible about security on your website or FAQ
  • It does not appear that you have anyone to secure the website and will be looking to hire someone 'later'
  • When asked about site security you appear to have avoided the question. Isn't this important to discuss?

Further, per your own Terms you are legally liable for the loss that has occurred. You have a very short Terms page. Big mistake. It says only, "You agree not to hold Poloniex liable for any loss of funds resulting from incorrect information provided by you."

which means you are liable for other losses. Though you say, "These terms and conditions may be changed at any time without notice. By continuing to use the services provided by Poloniex.com, you agree to any and all such changes." it would not apply to previous agreements.

I'm guessing you were an easy target for hackers because you did not have much security. You did not therefore do your best to secure the deposits of clients. And you are liable for the loss.

I'm sure the good folks here would not think of suing you (and neither would I) but you may want to CYA.
legendary
Activity: 2940
Merit: 1333
March 04, 2014, 01:22:14 PM
The next thing that will be done--before markets are unfrozen--is that a daemon will be created that continually monitors for negative balances and freezes any account with a negative balance

This isn't the right way to fix the problem.

What you need to do is to make sure that users aren't allowed to do two balance-affecting things at the same time.  Otherwise they'll just find another way to cheat you.

Make "check balance" and "reduce balance" atomic.

Checking for negative balances isn't the answer.  Suppose I have 30 BTC and try to very quickly withdraw 10 BTC twice.  Both "check balance" calls see I have 30 BTC, which is enough.  Both "reduce balance" calls set my balance to 20 BTC.  Then you send me two separate 10 BTC payments, my balance has never been negative, and I'm 10 BTC up on the deal.  You need to make sure that the "check balance" and "update balance" happen without anything else relating to that user happening between them.
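The check-then-reduce race described in the post above, next to the atomic conditional debit it calls for and the "pending table drained in order" variant suggested earlier on this page, as an added Python/sqlite example that is not from the thread or from Poloniex; the in-memory ledger, the user 'alice' and the 30/10 BTC amounts are constructed to match the post's scenario.

```python
import sqlite3

SATS = 100_000_000  # balances stored as integer satoshis, never floats

def new_ledger(initial_btc):
    """Constructed in-memory ledger with a single hypothetical user 'alice'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE balances (user TEXT PRIMARY KEY, sats INTEGER NOT NULL)")
    conn.execute("INSERT INTO balances VALUES ('alice', ?)", (initial_btc * SATS,))
    conn.commit()
    return conn

def balance(conn):
    return conn.execute("SELECT sats FROM balances WHERE user = 'alice'").fetchone()[0]

def racy_withdraw_pair(conn, amount_btc):
    """The broken pattern: a separate 'check' followed by a blind 'reduce'.
    Both requests run their check before either one writes, which is exactly
    the interleaving the post describes. Returns (payments sent, balance left)."""
    sats = amount_btc * SATS
    paid = 0
    seen_by_each = [balance(conn) for _ in range(2)]   # both checks see 30 BTC
    for seen in seen_by_each:
        if seen >= sats:
            # Writes a value computed from the stale read: 30 - 10 = 20, twice.
            conn.execute("UPDATE balances SET sats = ? WHERE user = 'alice'", (seen - sats,))
            paid += 1                                   # a payment goes out
    conn.commit()
    return paid, balance(conn)

def atomic_withdraw(conn, amount_btc):
    """Hardened: check and reduce are a single statement. The WHERE clause makes
    the debit conditional and rowcount reports whether it happened, so a second
    concurrent request cannot debit from a balance the first already consumed."""
    sats = amount_btc * SATS
    cur = conn.execute(
        "UPDATE balances SET sats = sats - ? WHERE user = 'alice' AND sats >= ?",
        (sats, sats),
    )
    conn.commit()
    return cur.rowcount == 1   # only send the payment when this is True

def settle_pending(conn, pending_btc):
    """The 'pending table' variant from the thread: queue the requests and let
    one engine drain them in order, cancelling any the user cannot cover."""
    return ["paid" if atomic_withdraw(conn, a) else "cancelled" for a in pending_btc]
```

With several database connections, the conditional UPDATE relies on the database's write lock on that row to serialise the two requests; where the application must read the value first, a SELECT ... FOR UPDATE inside the same transaction gives the same guarantee.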
newbie
Activity: 28
Merit: 0
March 04, 2014, 01:18:14 PM
I just want to start out by saying, I really appreciate all the work that's been done so far to solve the issue and pay everyone back. I'll give the dev the benefit of the doubt and assume he's not out buying a new car or scheduling a vacation with all the BTC Poloniex just lost.

Anyway, I know that withdrawals and trading are both frozen, but what about altcoin deposits? I deposited 4 CGA shortly after everything got frozen and before I found out about it. After 3 hours and 446 confirmations, the CGA I sent still hasn't shown up in my account. Now, I have enough in my personal wallet to be fine with waiting for a while, but I need to know if I'm gonna be able to get that back sometime in the future. It isn't just lost in the blockchain somewhere, right?