Topic: BTC Stolen from Poloniex - page 32. (Read 167444 times)

newbie
Activity: 25
Merit: 0
March 04, 2014, 09:34:07 AM
legendary
Activity: 1372
Merit: 1022
Anarchy is not chaos.
March 04, 2014, 09:13:40 AM
legendary
Activity: 1100
Merit: 1032
March 04, 2014, 09:09:57 AM
Yeah, share all the risk but none of the profits of that business.   Roll Eyes Sounds wonderful. LOL

Indeed. That's why offering shares with dividends should be the best solution.

Otherwise users only get the risks.
sr. member
Activity: 742
Merit: 250
March 04, 2014, 09:07:33 AM
Oh gosh. You may make some shares for 30-40% of fees to investors to cover this as cryptsy did.
member
Activity: 63
Merit: 10
March 04, 2014, 09:07:13 AM
Maths not your strong point, eh?

24-hour AUR volume = ~341.59 BTC. Fees are 0.2% (buy and sell)

A lot of money for sure...but not $50k! Huh

It's all good, Poloniex probably made $50k in the AUR exchange yesterday alone! 

Whichever the case, it's a great site.  Just another reason I never leave coins on exchanges overnight.
newbie
Activity: 25
Merit: 0
March 04, 2014, 09:02:21 AM
sr. member
Activity: 350
Merit: 250
March 04, 2014, 08:59:17 AM
It's all good, Poloniex probably made $50k in the AUR exchange yesterday alone! 

Whichever the case, it's a great site.  Just another reason I never leave coins on exchanges overnight.
legendary
Activity: 1372
Merit: 1022
Anarchy is not chaos.
March 04, 2014, 08:53:59 AM
newbie
Activity: 25
Merit: 0
March 04, 2014, 08:47:54 AM
sr. member
Activity: 406
Merit: 250
March 04, 2014, 08:45:48 AM
Yeah, share all the risk but none of the profits of that business.   Roll Eyes Sounds wonderful. LOL
legendary
Activity: 2534
Merit: 1129
March 04, 2014, 08:44:10 AM
Thanks for the details in this thread...  (I have 1.2 BTC in my account at Poloniex).

My opinion FWIW...I would suggest a haircut or an increase in fees, but not both. Best to deduct 12.% from BTC and get it done. Keep a permanent record of those who lost, and if you feel rich in future then you can pay something back: don't put it on the table now.

newbie
Activity: 25
Merit: 0
March 04, 2014, 08:37:40 AM
Well this is a shitty thing to wake up to.

throw up a donations address

@Warren interesting idea about the insurance fund... make it like bitfinex but actually work!

How about those who have lost some bitcoin and are waiting to have it recovered and returned get to mine for free until the balance is restored, each trade would chip a little off the owed balance. That would be an honourable damage limitation exercise; those who are not affected by the hack or had no BTC at the time continue trading and the fees they pay will go towards keeping the exchange's head above water. It's less money for the exchange in the short term but it's meeting somewhere in the middle of taking deposits and addressing the imbalance of stolen BTC.

We should all share the risk of a new adventure and not put too many straws on the camel's back else it might break.
hero member
Activity: 728
Merit: 500
March 04, 2014, 08:36:59 AM
(copy from my post on Reddit)

I understand that the updates to users' balances in the database are not of the atomic test-and-set kind.
The workaround that the site owner says he will implement still allows for parallel operations, although now the operations will test the balance first.
IMO that is not good enough. You need atomic test-and-set, period. Without it you'll have other race conditions and it is just a matter of time until the next vulnerability is found, no matter how well you think you have mitigated the problem today.
newbie
Activity: 4
Merit: 0
March 04, 2014, 08:34:55 AM
Make these debt instruments tradeable, issue them with an annual coupon of 30%, and the market would bid them up to likely 15% or 10%. 

Victims here would turn into investors, who would likely see an instant PROFIT.

This would also give you a means to issue more debt, after you know your cost of capital (that the market is willing to lend to you at) and allow you to invest in security/marketing/etc.

(To understand how this is likely the guaranteed outcome, one would need to understand how bonds move inverse to interest rates.)
newbie
Activity: 13
Merit: 0
March 04, 2014, 08:32:05 AM
So this flaw looks like it was a relatively easy one. How can you secure people's money in the future? Are there more vulnerable parts in your programming that allow another theft? You are probably too short of money now to pay professionals to fix your issue. How can you assure security in the future?
Will people REALLY trust your code now, that it was proven to be extremely weak?
member
Activity: 105
Merit: 11
March 04, 2014, 08:29:23 AM
my few c

1. select for update to lock selects, then update the btc value, in a transaction.

There are many others like hashing and triggers to validate data, and to ensure sql injection if happens can be discovered easily.

Update set new value = old value - difference is more efficient and locks the row without resorting to the lock you mention.  Add a check constraint on the table.

Without a select lock, validation can't occur properly in the business logic checking they have enough available.  Agreed, you mentioned the constraint, but a select lock is a good practice in many instances in validation (BTC transfers between accounts wouldn't work with your method), not just this one.

Depending on which DB you are using, the efficiency is the same, as the row is locked for an update anyway.  And only 1 user will generally be accessing their BTC values at any one time.
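The two posts above (the one insisting on atomic test-and-set, and the exchange of views on SELECT FOR UPDATE versus a single guarded UPDATE plus a CHECK constraint) describe a balance-update race without showing it. The following is an added example, not code from the thread or from Poloniex; it uses a constructed one-account SQLite ledger, so the table name, column names and amounts are assumptions. SQLite has no SELECT ... FOR UPDATE, so the hardened version uses the single conditional UPDATE the second post describes; on PostgreSQL or MySQL/InnoDB the same test-and-set can be obtained with SELECT ... FOR UPDATE followed by the UPDATE inside one transaction. The vulnerable version splits check and write into two phases so the interleaving can be driven deterministically instead of relying on thread timing.

```python
import sqlite3


# Constructed in-memory ledger (balances in integer satoshis); not the exchange's schema.
def make_db(initial_balance: int) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        " id INTEGER PRIMARY KEY,"
        " balance INTEGER NOT NULL,"
        " CHECK (balance >= 0))"  # backstop: the engine refuses any negative balance
    )
    conn.execute("INSERT INTO accounts (id, balance) VALUES (1, ?)", (initial_balance,))
    conn.commit()
    return conn


def get_balance(conn: sqlite3.Connection, account_id: int) -> int:
    (balance,) = conn.execute(
        "SELECT balance FROM accounts WHERE id = ?", (account_id,)
    ).fetchone()
    return balance


# --- Vulnerable pattern: check-then-act in application code -----------------
def vulnerable_begin(conn, account_id, amount):
    """Phase 1: read the balance and validate it in Python. Returns the
    observed balance if the withdrawal looks affordable, else None."""
    balance = get_balance(conn, account_id)
    return balance if balance >= amount else None


def vulnerable_commit(conn, account_id, observed_balance, amount):
    """Phase 2: write a value computed from the (possibly stale) snapshot.
    Nothing ties this UPDATE to the balance that phase 1 actually read."""
    conn.execute(
        "UPDATE accounts SET balance = ? WHERE id = ?",
        (observed_balance - amount, account_id),
    )
    conn.commit()


def race_vulnerable(initial_balance: int, amount: int) -> tuple:
    """Two concurrent withdrawal requests, interleaved deterministically:
    both read before either writes. Returns (total paid out, final balance)."""
    conn = make_db(initial_balance)
    snap_a = vulnerable_begin(conn, 1, amount)
    snap_b = vulnerable_begin(conn, 1, amount)  # sees the same pre-debit balance
    paid = 0
    for snap in (snap_a, snap_b):
        if snap is not None:
            vulnerable_commit(conn, 1, snap, amount)
            paid += amount  # both writes "succeed"; the CHECK never fires
    return paid, get_balance(conn, 1)


# --- Hardened pattern: one atomic test-and-set statement ---------------------
def atomic_withdraw(conn, account_id, amount) -> bool:
    """The balance test and the debit are a single row UPDATE, so the engine
    evaluates them against the current row under its write lock."""
    with conn:  # transaction: commit on success, rollback on error
        cur = conn.execute(
            "UPDATE accounts SET balance = balance - ? "
            "WHERE id = ? AND balance >= ?",
            (amount, account_id, amount),
        )
        return cur.rowcount == 1  # 0 rows touched means the test failed


def race_atomic(initial_balance: int, amount: int) -> tuple:
    """Same two requests against the hardened version."""
    conn = make_db(initial_balance)
    paid = sum(amount for _ in range(2) if atomic_withdraw(conn, 1, amount))
    return paid, get_balance(conn, 1)


def constraint_blocks_overdraw(initial_balance: int, amount: int) -> bool:
    """Even a debit that forgets the WHERE guard cannot drive the balance
    negative: the CHECK constraint rejects it and the transaction rolls back."""
    conn = make_db(initial_balance)
    try:
        with conn:
            conn.execute(
                "UPDATE accounts SET balance = balance - ? WHERE id = ?",
                (amount, 1),
            )
    except sqlite3.IntegrityError:
        return get_balance(conn, 1) == initial_balance
    return False


if __name__ == "__main__":
    print("check-then-act:", race_vulnerable(100, 80))  # (160, 20): 160 paid out of 100
    print("atomic update: ", race_atomic(100, 80))      # (80, 20)
    print("CHECK backstop:", constraint_blocks_overdraw(100, 500))  # True
```

The conditional UPDATE is the "update set new value = old value - difference" suggested above, with the affordability test folded into the WHERE clause; checking rowcount is what turns it into a test-and-set rather than a blind debit. The CHECK constraint does nothing against the lost-update race itself (both stale writes leave the balance at 20, which is non-negative), which is why it is a backstop and not a substitute for the atomic statement.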
legendary
Activity: 1610
Merit: 1000
Crackpot Idealist
March 04, 2014, 08:25:17 AM
Well this is a shitty thing to wake up to.

throw up a donations address

@Warren interesting idea about the insurance fund... make it like bitfinex but actually work!
newbie
Activity: 25
Merit: 0
March 04, 2014, 08:24:41 AM
If coinmarket is suffering from similar issues but is really bad at PR then it's all good lads, both markets have shown promise and I would, despite my previous rants, like to see both move forwards better and stronger.

In the meantime perhaps the group known as anonymous would consider digging out those trying to destroy the credibility of the coin exchanges and have a quiet word in their shell-like and maybe empty their wallets to enable those without food on the table to get by a bit better where there are no opportunities such as we have here.

If anonymous is truly the internet version of the A team and you can find them and hire them I would really like to see a plan come together, I am just a little man and this shit is way above my head.

+1 to Poloniex for biting the bullet and being straight up with us

I don't see how they are being straight up. Where are our deposits.

You mean you attempted to send coins to a paused trading engine without realising the site was down, bud? In the first description of the problem there was a suggestion that pending transactions would be reset for the resumption of trading.

If you had stuff on deposit then you will have to wait because the engine was shut down due to an exploit. It's inconvenient but I am not doubting the sincerity of the people running the two exchanges, I hope they just don't say fuckit and throw the towel in as it would be a mutual loss.
sr. member
Activity: 406
Merit: 250
March 04, 2014, 08:21:01 AM
Craziness, why use these badly coded exchanges that rip people off.  The right thing to do would be returning the 12.3% that was taken from everyone.  People.. you just took a 12% haircut for their mistake.  I don't care what anyone says but taking people's money is wrong.

Wake up!  Use a registered exchange that is transparent and will always do the right thing.

Use Atomic-Trade.
member
Activity: 115
Merit: 10
March 04, 2014, 08:20:50 AM
If coinmarket is suffering from similar issues but is really bad at PR then it's all good lads, both markets have shown promise and I would, despite my previous rants, like to see both move forwards better and stronger.

In the meantime perhaps the group known as anonymous would consider digging out those trying to destroy the credibility of the coin exchanges and have a quiet word in their shell-like and maybe empty their wallets to enable those without food on the table to get by a bit better where there are no opportunities such as we have here.

If anonymous is truly the internet version of the A team and you can find them and hire them I would really like to see a plan come together, I am just a little man and this shit is way above my head.

+1 to Poloniex for biting the bullet and being straight up with us

I don't see how they are being straight up. Where are our deposits.