I would like to thank everyone for their support and understanding. It really means a lot. Having other people's money taken under my watch has made me feel just about as awful as I've ever felt in my life.
I think I should have a poll to determine how to pay the funds back. Here are the options I'm thinking:
1. Pay back over time with exchange fees.
2. Same as #1, but raise fees to expedite.
3. Sell shares of Poloniex to cover the debt; dividends paid regularly.
4. Award such shares to everyone immediately and consider that repayment.
Let me know if I'm forgetting an option here.
About recent deposits--it really wouldn't be fair to deduct deposits made after the BTC was taken. Obviously I should have posted a notice on the Balances page, but it is not difficult to make an exception for recent deposits.
I will be hiring a security programmer after this is dealt with.
Topic: BTC Stolen from Poloniex - page 29. (Read 167444 times)
Guys, I want to vouch personally for Busoni, a week or two ago I had accidentally deposited .6 BTC into my PMC wallet by mistake on Polo. Busoni personally went out of the way to retrieve it for me, even coming to Bitcointalk to seek help on how to solve the issue. If he was a thief he could easily have said, "sorry there is no fix" and run off with it himself. I thought my money was lost but he came through and i'm sure he will come through again for everyone affected by this mess.
One anonymous poster vouching for another?
"If he was a thief he could easily have..." could apply to anyone before they do something wrong. But anyway.
It's a good exchange, sure. And I hope that all is the way that is said. I'm just suggesting that we not automatically assume that everything anonymous people say on the internet is true, especially when it comes to money.
Guys, I want to vouch personally for Busoni, a week or two ago I had accidentally deposited .6 BTC into my PMC wallet by mistake on Polo. Busoni personally went out of the way to retrieve it for me, even coming to Bitcointalk to seek help on how to solve the issue. If he was a thief he could easily have said, "sorry there is no fix" and run off with it himself. I thought my money was lost but he came through and i'm sure he will come through again for everyone affected by this mess.
Love all the negativity in the forum. You guys are just great!
Busoni, in regards to your post on your site I just wanted to put my vote in for shares/dividend payments. I think this would be the route to go over increased fees.
In any case, I think Polo is one of my favorite exchanges for the alts. Shit happens, at least you took responsibility and opened up to the community as soon as this happened. I will still certainly trade there.
Busoni, in regards to your post on your site I just wanted to put my vote in for shares/dividend payments. I think this would be the route to go over increased fees.
In any case, I think Polo is one of my favorite exchanges for the alts. Shit happens, at least you took responsibility and opened up to the community as soon as this happened. I will still certainly trade there.
A careful eye is far from negative. It is foolhardy to blindly trust what an anonymous person types on a computer.
Why should we automatically trust someone just because they put a few nice paragraphs together?
I want my BTC back as much as the next person but until I have 100% of it, I'm not buying it.
I think what we've seen from Mt.Gox where you have a very public figure like Mark is that you can't really trust anyone in this baby market. That being said anytime I move coins onto exchanges I know that I'm taking a risk irregardless of whether or not the person running the exchange is "anonymous".
Although I don't know if it's confirmed, I have seen the addresses of the attacker posted. That hasn't been confirmed by Busoni *yet*, but I would hope that information would come out soon.
Having coins on any online service is a gamble, don't gamble with more than you can afford to lose.
Someone that is anonymous is more likely to consider/implement wrong-doing than someone who isn't, I think.
There are always exceptions, of course. But I'll take the law of assumed averages for the above statement any day.
Hi Busoni,
As a response to your asking for information and ideas. I would like to suggest taking the shares and dividends route. Giving value back to your impacted customers will inevitably boost your reputation and trust in your exchange.
This will be more beneficial to Poloniex than you can imagine, and will resolve the issue in a relatively short space of time.
I would also suggest (from a programming background) hiring someone, potentially with these shares if they will accept them, to try and find holes in the security and strengthen the exchanges security. It is possible to do it yourself but sometimes when your head is stuck in the job it's difficult to notice these things. I do not have the skillset to be able to do this but there are people out there, professional security firms, who will make this extremely robust for a fee.
If you need any help communicating, or a point of contact if you are busy, myself and others have been informing people of the situation who weren't aware.
Ignore the negativity this is natural from such a situation and other "exchanges" have left a bitter taste of skepticism with people. Be the first to break this mold and you will find even more people come to the exchange.
I hope this helps
Darktrix
As a response to your asking for information and ideas. I would like to suggest taking the shares and dividends route. Giving value back to your impacted customers will inevitably boost your reputation and trust in your exchange.
This will be more beneficial to Poloniex than you can imagine, and will resolve the issue in a relatively short space of time.
I would also suggest (from a programming background) hiring someone, potentially with these shares if they will accept them, to try and find holes in the security and strengthen the exchanges security. It is possible to do it yourself but sometimes when your head is stuck in the job it's difficult to notice these things. I do not have the skillset to be able to do this but there are people out there, professional security firms, who will make this extremely robust for a fee.
If you need any help communicating, or a point of contact if you are busy, myself and others have been informing people of the situation who weren't aware.
Ignore the negativity this is natural from such a situation and other "exchanges" have left a bitter taste of skepticism with people. Be the first to break this mold and you will find even more people come to the exchange.
I hope this helps
Darktrix
More evidence (detailed and specific) of the "outside theft" (if it actually occurred) should be required before we give more BTC away, don't you think?
Fool me once, shame on you. Fool me twice...
SOMEONE COULD TELL ME IF I CAN WITHDRAW NOW OR NOT?
THANKS
THANKS
You can't withdraw, thanks for reading the original post.
SOMEONE COULD TELL ME IF I CAN WITHDRAW NOW OR NOT?
THANKS
THANKS
Love all the negativity in the forum. You guys are just great!
Busoni, in regards to your post on your site I just wanted to put my vote in for shares/dividend payments. I think this would be the route to go over increased fees.
In any case, I think Polo is one of my favorite exchanges for the alts. Shit happens, at least you took responsibility and opened up to the community as soon as this happened. I will still certainly trade there.
Busoni, in regards to your post on your site I just wanted to put my vote in for shares/dividend payments. I think this would be the route to go over increased fees.
In any case, I think Polo is one of my favorite exchanges for the alts. Shit happens, at least you took responsibility and opened up to the community as soon as this happened. I will still certainly trade there.
A careful eye is far from negative. It is foolhardy to blindly trust what an anonymous person types on a computer.
Why should we automatically trust someone just because they put a few nice paragraphs together?
I want my BTC back as much as the next person but until I have 100% of it, I'm not buying it.
I think what we've seen from Mt.Gox where you have a very public figure like Mark is that you can't really trust anyone in this baby market. That being said anytime I move coins onto exchanges I know that I'm taking a risk irregardless of whether or not the person running the exchange is "anonymous".
Although I don't know if it's confirmed, I have seen the addresses of the attacker posted. That hasn't been confirmed by Busoni *yet*, but I would hope that information would come out soon.
Having coins on any online service is a gamble, don't gamble with more than you can afford to lose.
Hi Busoni,
As a response to your asking for information and ideas. I would like to suggest taking the shares and dividends route. Giving value back to your impacted customers will inevitably boost your reputation and trust in your exchange.
This will be more beneficial to Poloniex than you can imagine, and will resolve the issue in a relatively short space of time.
I would also suggest (from a programming background) hiring someone, potentially with these shares if they will accept them, to try and find holes in the security and strengthen the exchanges security. It is possible to do it yourself but sometimes when your head is stuck in the job it's difficult to notice these things. I do not have the skillset to be able to do this but there are people out there, professional security firms, who will make this extremely robust for a fee.
If you need any help communicating, or a point of contact if you are busy, myself and others have been informing people of the situation who weren't aware.
Ignore the negativity this is natural from such a situation and other "exchanges" have left a bitter taste of skepticism with people. Be the first to break this mold and you will find even more people come to the exchange.
I hope this helps
Darktrix
As a response to your asking for information and ideas. I would like to suggest taking the shares and dividends route. Giving value back to your impacted customers will inevitably boost your reputation and trust in your exchange.
This will be more beneficial to Poloniex than you can imagine, and will resolve the issue in a relatively short space of time.
I would also suggest (from a programming background) hiring someone, potentially with these shares if they will accept them, to try and find holes in the security and strengthen the exchanges security. It is possible to do it yourself but sometimes when your head is stuck in the job it's difficult to notice these things. I do not have the skillset to be able to do this but there are people out there, professional security firms, who will make this extremely robust for a fee.
If you need any help communicating, or a point of contact if you are busy, myself and others have been informing people of the situation who weren't aware.
Ignore the negativity this is natural from such a situation and other "exchanges" have left a bitter taste of skepticism with people. Be the first to break this mold and you will find even more people come to the exchange.
I hope this helps
Darktrix
Love all the negativity in the forum. You guys are just great!
Busoni, in regards to your post on your site I just wanted to put my vote in for shares/dividend payments. I think this would be the route to go over increased fees.
In any case, I think Polo is one of my favorite exchanges for the alts. Shit happens, at least you took responsibility and opened up to the community as soon as this happened. I will still certainly trade there.
Busoni, in regards to your post on your site I just wanted to put my vote in for shares/dividend payments. I think this would be the route to go over increased fees.
In any case, I think Polo is one of my favorite exchanges for the alts. Shit happens, at least you took responsibility and opened up to the community as soon as this happened. I will still certainly trade there.
A careful eye is far from negative. It is foolhardy to blindly trust what an anonymous person types on a computer.
Why should we automatically trust someone just because they put a few nice paragraphs together?
I want my BTC back as much as the next person but until I have 100% of it, I'm not buying it. I'd also be happy with a YouTube video from the founder explaining the situation, and further evidence of what happened.
When will restore input of coins?
Sorry, but I'm not buying any of this.
The thing with Gox setting a precedent is that each successive Goxer learns from the last.
I want to believe them, I really do. But I said the same thing about Coinmarket https://bitcointalksearch.org/topic/m.5375246 and no one wanted to believe it could happen to their "favorite" exchange. It sounded like BS then and where is Coinmarket now? This doesn't mean that it's not possible for an exchange to get hacked. But I think we should TRUST NO ONE. Especially when they are anonymous.
Another exchange was "hacked" today. Nearly 900 BTC "lost". It just seems all too convenient.
Yes, it's more profitable on the long run to run and exchange instead of stealing customer funds. But if you can get away with stealing a little, why not? I'm not saying that is what happened here but who knows.
The thing with Gox setting a precedent is that each successive Goxer learns from the last.
I want to believe them, I really do. But I said the same thing about Coinmarket https://bitcointalksearch.org/topic/m.5375246 and no one wanted to believe it could happen to their "favorite" exchange. It sounded like BS then and where is Coinmarket now? This doesn't mean that it's not possible for an exchange to get hacked. But I think we should TRUST NO ONE. Especially when they are anonymous.
Another exchange was "hacked" today. Nearly 900 BTC "lost". It just seems all too convenient.
Yes, it's more profitable on the long run to run and exchange instead of stealing customer funds. But if you can get away with stealing a little, why not? I'm not saying that is what happened here but who knows.
Love all the negativity in the forum. You guys are just great!
Busoni, in regards to your post on your site I just wanted to put my vote in for shares/dividend payments. I think this would be the route to go over increased fees.
In any case, I think Polo is one of my favorite exchanges for the alts. Shit happens, at least you took responsibility and opened up to the community as soon as this happened. I will still certainly trade there.
Busoni, in regards to your post on your site I just wanted to put my vote in for shares/dividend payments. I think this would be the route to go over increased fees.
In any case, I think Polo is one of my favorite exchanges for the alts. Shit happens, at least you took responsibility and opened up to the community as soon as this happened. I will still certainly trade there.
Why is there no notice on the Poloniex website of this? Did I miss it?
Notice was on twitter box, right side of site.
... and that's an official notice? A few words off to the side? This should be PLASTERED all over the header.
LOL, they are transparent but not that transparent it seems.
Why is there no notice on the Poloniex website of this? Did I miss it?
Notice was on twitter box, right side of site.
... and that's an official notice? A few words off to the side? This should be PLASTERED all over the header.
At least you have tried to respond in an open and transparent way, and your systems halted things early.
It's a shame it had to happen though, as this "withdrawal spam" attack is a known vulnerability of exchanges, and one you would've hoped they had already taken steps to avoid.
It's a shame it had to happen though, as this "withdrawal spam" attack is a known vulnerability of exchanges, and one you would've hoped they had already taken steps to avoid.
You are doing the right thing, and gives me more confidence on using your exchange. Sorry for the loss.
The major problem here is that the auditing and security features were not explicitly looking for negative balances. They add deposits and withdrawals and check that accounts are in balance. If you have 2 BTC, withdraw 10 BTC, and are left with -8 BTC, the software would see that you deposited 2, withdrew 10, and have exactly what you should: -8.
This is pathetic. Any programmers would not have allowed this to happen in the first place. It's basic programming level. If you have 2 BTC, withdraw 10 BTC, then "withdrawal rejected due to lack of funds."
This is pathetic. Any programmers would not have allowed this to happen in the first place. It's basic programming level. If you have 2 BTC, withdraw 10 BTC, then "withdrawal rejected due to lack of funds."
I think you've misunderstood. The problem wasn't that it didn't check for negative balance. If you had 2 BTC, it would not let you withdraw a single amount of 10 BTC. The problem was that the withdrawals did not have atomicity, meaning that you could withdraw 10 BTC from a balance of 2 BTC by spamming lots of withdrawals for 1 BTC in a very short space of time.
You made my point in bold above.....bad programming pure and simple. Spamming lots of withdrawals is irrelevant. The code should access one request at a time and each request to be completed before accepting another request.
Current balance - withdrawal request - request equal or less than balance = request accepted - withdrawal completed - new balance. Then repeat for each request. If there are many requests at the same time then only 1 request can be processed and others rejected.
busoni, you need to shut down Poloniex now and try to make your users whole from your own funds and debt. Do not continue trying to run an exchange. Your post mortem indicates that you do not have sufficient programming ability to handle other peoples money - no mention was even made of database transactions, which are a basic "database programming 101" topic. Your proposed fix of checking for negative balances is wrong and indicates that your code is almost certainly riddled with other exploitable bugs.
Please do the right thing and refund everyones outstanding balances, then wind up your operation.
Appreciate your input Mike, and understand why. Please do the right thing and refund everyones outstanding balances, then wind up your operation.
I think talk of databases would be lost on who it was intended for. But the way Busconi communicated the info should be the start of a template, yes?
Thanks for the honest and transparent information, and the reasonable decisions.
I'm not yet on your platform, but will try soon.
I'm not yet on your platform, but will try soon.
Jump to: