
Topic: BTC Stolen from Poloniex - page 39. (Read 167466 times)

sr. member
Activity: 282
Merit: 250
March 04, 2014, 03:39:50 AM
#8
Completely respect your openness and honesty. Best of luck to you.
sr. member
Activity: 490
Merit: 250
March 04, 2014, 03:39:45 AM
#7
Keep it up Busoni, will continue to support your exchange.

PS: Have you checked my PM? Please process the deposit too; there's no pending deposit in my account but it has over 6 confirmations.
sr. member
Activity: 308
Merit: 250
verified ✔
March 04, 2014, 03:39:23 AM
#6
I'm OK with this-
newbie
Activity: 7
Merit: 0
March 04, 2014, 03:38:18 AM
#5
Address of the thief https://blockchain.info/address/1Ktq7TE3J5vZ3c99M5weqKfFcNkHQdqPrq
Total loss is around $50,000
newbie
Activity: 49
Merit: 0
March 04, 2014, 03:38:12 AM
#4
Thank you for the detailed explanation. 

This is how a breach should be handled.
legendary
Activity: 4004
Merit: 1250
Owner at AltQuick.com
March 04, 2014, 03:35:22 AM
#3
How many bitcoins is 12.3%?
hero member
Activity: 868
Merit: 1000
March 04, 2014, 03:34:38 AM
#2
At least you're honest. Thanks for the info and when we can trade again, CGA to the moon
sr. member
Activity: 364
Merit: 250
Owner of Poloniex
March 04, 2014, 03:31:32 AM
#1
All deposits, withdrawals, and markets are functioning normally. No further BTC will be deducted from anyone's balance.

On March 4th, 2014, about 12.3% of the BTC on Poloniex was stolen.

How Did It Happen?

The hacker found a vulnerability in the code that takes withdrawals. Here's what happens when you place a withdrawal:

1. Input validation.
2. Your balance is checked to see if you have enough funds.
3. If you do, your balance is deducted.
4. The withdrawal is inserted into the database.
5. The confirmation email is sent.
6. After you confirm the withdrawal, the withdrawal daemon picks it up and processes the withdrawal.

The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time. This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon.

What Did Poloniex Do Wrong?

The major problem here was that withdrawals should have been queued at every step of the way. This could not have happened if withdrawal requests were processed sequentially instead of simultaneously.

Additionally, auditing and security features were not explicitly looking for negative balances. They add deposits and withdrawals and check that accounts are in balance. If you have 2 BTC, withdraw 10 BTC, and are left with -8 BTC, the software would see that you deposited 2, withdrew 10, and have exactly what you should: -8.

What Did Poloniex Do Right?

The existing security features noticed unusual withdrawal activity and froze BTC. That is how the activity was discovered.

What Happens Now?

I take full responsibility for this and am committed to repaying the debt of BTC. The exchange funds are 12.3% short. Because there is not enough BTC to cover everyone's balances, all balances will temporarily be deducted by 12.3%. Please understand that this is an absolute necessity--if I did not make this adjustment, people would most likely withdraw all their BTC as soon as possible in order to make sure they weren't left in that remaining 12.3%. Aside from the obvious drawback of most of the BTC being taken out of the exchange, this would not be fair--some people would get all of their money right away, and a few would get none right away.

The amount deducted from everyone's balances will be recorded, and funds raised from exchange fees, as well as donations from my own pocket (which is not very deep, I'm afraid), will be distributed regularly to all users who have had BTC deducted. Exchange fees will be raised to expedite the recovery of the debt. 1.5% has been suggested by many people, but I will take input on this. Exchange fees will not be raised.

If I had the money to cover the entire debt right now, I would cover it in a heartbeat. I simply don't, and I can't just pull it out of thin air.

What Will Be Done to Prevent Further Exploits?

Withdrawals and order creation have been switched to a queued method, where the first step is to add the task to a global execution queue that is processed sequentially. Each step of critical database operations is verified before proceeding, and such operations are in the process of being converted to transactions. I have hired additional developers to help with tightening up security at Poloniex, as well as created a bug bounty.

-----

In conclusion...

I sincerely apologize for this, and I am very grateful to the many people who have already expressed their support and belief in my character. I take full responsibility; I will be donating some of my own money, and I will not be taking profit before the debt is paid.

I welcome your opinions on how to proceed, but please be constructive. I do not have the money to wave away the debt, so we'll need to work together.
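
The check-then-deduct race described in the post above, next to a single-statement fix and a negative-balance audit. This is an added example, not part of the thread and not Poloniex's code. The table layout, function names and the `alice` account are assumptions, and the interleaving is simulated deterministically rather than with real concurrent requests.

```python
import sqlite3

def make_db(balance):
    # Constructed sample data: one account, balance in whole units.
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions only
    db.execute("CREATE TABLE accounts (user TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    db.execute("CREATE TABLE withdrawals (user TEXT, amount INTEGER)")
    db.execute("INSERT INTO accounts VALUES ('alice', ?)", (balance,))
    return db

def balance_of(db, user):
    return db.execute("SELECT balance FROM accounts WHERE user=?", (user,)).fetchone()[0]

def check(db, user, amount):
    # Step 2 of the post: balance check as its own statement.
    return balance_of(db, user) >= amount

def deduct_and_insert(db, user, amount):
    # Steps 3-4: deduction and insertion, trusting the earlier check.
    db.execute("UPDATE accounts SET balance = balance - ? WHERE user=?", (amount, user))
    db.execute("INSERT INTO withdrawals VALUES (?, ?)", (user, amount))

def racy_withdrawals(db, user, amount, n):
    # n requests arriving together: every check runs before any deduction.
    passed = [check(db, user, amount) for _ in range(n)]
    for ok in passed:
        if ok:
            deduct_and_insert(db, user, amount)
    return balance_of(db, user)

def safe_withdraw(db, user, amount):
    # Check and deduction collapse into one conditional UPDATE in a transaction,
    # so a stale balance read can never authorise a withdrawal.
    db.execute("BEGIN IMMEDIATE")
    cur = db.execute(
        "UPDATE accounts SET balance = balance - ? WHERE user=? AND balance >= ?",
        (amount, user, amount))
    if cur.rowcount != 1:
        db.execute("ROLLBACK")
        return False
    db.execute("INSERT INTO withdrawals VALUES (?, ?)", (user, amount))
    db.execute("COMMIT")
    return True

def audit_negative(db):
    # The audit the post says was missing: flag balances below zero outright,
    # instead of only reconciling deposits against withdrawals.
    return db.execute("SELECT user, balance FROM accounts WHERE balance < 0").fetchall()
```
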