Topic: C-Cex Has Frozen Your BTC! Not to be Trusted - page 16. (Read 34990 times)
If it's not too embarrassing, now that the hole has been closed, could you disclose some technical details about the nature of the hole and how it was exploited? It could help someone else avoid the same, or a similar, mistake.
Yes. One of our users were able to add about 310 BTC on his balance that he did not own. After that he bought all DRK he could and withdrew it. Our politic now is to work further. All new deposits/withdrawals/trades works instantly. We intend to reimburse all the BTC to customers, but it will take time.
This affected only BTC. All altcoin balances are accessible for trades and withdrawals.
This happen only by our own fault.
This affected only BTC. All altcoin balances are accessible for trades and withdrawals.
This happen only by our own fault.
Side question - answer whenever you have time....
Why not dox the MFer and let everyone get your BTC back for you?
Yes. One of our users were able to add about 310 BTC on his balance that he did not own. After that he bought all DRK he could and withdrew it. Our politic now is to work further. All new deposits/withdrawals/trades works instantly. We intend to reimburse all the BTC to customers, but it will take time.
This affected only BTC. All altcoin balances are accessible for trades and withdrawals.
This happen only by our own fault.
This affected only BTC. All altcoin balances are accessible for trades and withdrawals.
This happen only by our own fault.
Unnecessary FUD.
C-CEX pushed new code to the site yesterday which contained a flaw which allowed a single user to add fraudulent BTC (BTC which did not exist) to their account.
They then withdrew all the BTC they could (all the BTC in the exchange wallet) and used the rest of their fraudulent BTC to purchase DRK which they then promptly withdrew and dumped at Poloniex.
Upon realizing there was an accounting error, the @Support took the site down and began investigating the cause of the issue. They have since fixed the faulty piece of code and re-opened the exchange which is working perfectly fine for all new balances. All new balances can be safely deposited, traded and withdrawn, only past balances of BTC and DRK have been affected.
C-CEX knows which user is responsible, has contacted them and is waiting for a reply.
In the meantime, C-CEX is refunding/releasing frozen funds as they are audited, verified and funds are available.
C-CEX has been honest and transparent about the situation unlike other exchanges that have been hacked/exploited in the past.
Trading is still functional and people ARE trading. As the exchange earns funds from new trades, users WILL be returned their balances.
In the meantime, let's give C-CEX credit for being honest about what happened and for getting the flaw patched before the attacker was able to exploit it further.
C-CEX pushed new code to the site yesterday which contained a flaw which allowed a single user to add fraudulent BTC (BTC which did not exist) to their account.
They then withdrew all the BTC they could (all the BTC in the exchange wallet) and used the rest of their fraudulent BTC to purchase DRK which they then promptly withdrew and dumped at Poloniex.
Upon realizing there was an accounting error, the @Support took the site down and began investigating the cause of the issue. They have since fixed the faulty piece of code and re-opened the exchange which is working perfectly fine for all new balances. All new balances can be safely deposited, traded and withdrawn, only past balances of BTC and DRK have been affected.
C-CEX knows which user is responsible, has contacted them and is waiting for a reply.
In the meantime, C-CEX is refunding/releasing frozen funds as they are audited, verified and funds are available.
C-CEX has been honest and transparent about the situation unlike other exchanges that have been hacked/exploited in the past.
Trading is still functional and people ARE trading. As the exchange earns funds from new trades, users WILL be returned their balances.
In the meantime, let's give C-CEX credit for being honest about what happened and for getting the flaw patched before the attacker was able to exploit it further.
You've done nothing but cheerlead them the whole time.
I'll give them "credit" when they secure a loan or do something to immediately repay ALL their customers
Unnecessary FUD.
C-CEX pushed new code to the site yesterday which contained a flaw which allowed a single user to add fraudulent BTC (BTC which did not exist) to their account.
They then withdrew all the BTC they could (all the BTC in the exchange wallet) and used the rest of their fraudulent BTC to purchase DRK which they then promptly withdrew and dumped at Poloniex.
Upon realizing there was an accounting error, the @Support took the site down and began investigating the cause of the issue. They have since fixed the faulty piece of code and re-opened the exchange which is working perfectly fine for all new balances. All new balances can be safely deposited, traded and withdrawn, only past balances of BTC and DRK have been affected.
C-CEX knows which user is responsible, has contacted them and is waiting for a reply.
In the meantime, C-CEX is refunding/releasing frozen funds as they are audited, verified and funds are available.
C-CEX has been honest and transparent about the situation unlike other exchanges that have been hacked/exploited in the past.
Trading is still functional and people ARE trading. As the exchange earns funds from new trades, users WILL be returned their balances.
In the meantime, let's give C-CEX credit for being honest about what happened and for getting the flaw patched before the attacker was able to exploit it further.
C-CEX pushed new code to the site yesterday which contained a flaw which allowed a single user to add fraudulent BTC (BTC which did not exist) to their account.
They then withdrew all the BTC they could (all the BTC in the exchange wallet) and used the rest of their fraudulent BTC to purchase DRK which they then promptly withdrew and dumped at Poloniex.
Upon realizing there was an accounting error, the @Support took the site down and began investigating the cause of the issue. They have since fixed the faulty piece of code and re-opened the exchange which is working perfectly fine for all new balances. All new balances can be safely deposited, traded and withdrawn, only past balances of BTC and DRK have been affected.
C-CEX knows which user is responsible, has contacted them and is waiting for a reply.
In the meantime, C-CEX is refunding/releasing frozen funds as they are audited, verified and funds are available.
C-CEX has been honest and transparent about the situation unlike other exchanges that have been hacked/exploited in the past.
Trading is still functional and people ARE trading. As the exchange earns funds from new trades, users WILL be returned their balances.
In the meantime, let's give C-CEX credit for being honest about what happened and for getting the flaw patched before the attacker was able to exploit it further.
What Happened
Due to their poor security, C-Cex's exchange was exploited by a user pumping DRK, and they allegedly lost 300 BTC due to the exploit. They have now placed *all* BTC balances on hold, and are stating that they may hold these until their "investigation" is completed - which can take up to a month.
User's Profile Link
https://bitcointalksearch.org/user/c-cex-220467
This is not exactly to say they're scammers - however, it is to say that you should be extremely cautious about trusting them with your coin if they cannot secure it.
Will update when more information is available.
Update #1
User has stopped responding via Skype& has now banned me (coincidentally the only person who's left negative feedback on their profile) from the chat on the website. (This was an auto-ban, apparently...now un-banned)
Update #2
After several requests, they responded on Skype by simply posting their twitter address. When I said that this in no way answered my questions, he then, indeed, took the time to answer the questions I asked.
Update #3
The admin and his cheer leader are claiming that the "thief" is sending BTC back through a tumbler. In the meantime they are giving back assets to those who dealt in the currency used for the exploit, while those who had not involved themselves at all with said currency are still left with our dicks in our hands.
It has been suggested MANY times that the admin secure a loan using other altcoins earned via the site's transaction fees as collateral and *every time* he has ignored it and said absolutely nothing. This leads me to believe that he really has no interest in paying people back in a timely manner.
My conclusion at this point:
Site administrator is (and I'm sorry to say it) incompetent in terms of running a secure site - an absolute necessity for running an exchange.
DO NOT, under *any* circumstances, allow this guy access to your assets.
Due to their poor security, C-Cex's exchange was exploited by a user pumping DRK, and they allegedly lost 300 BTC due to the exploit. They have now placed *all* BTC balances on hold, and are stating that they may hold these until their "investigation" is completed - which can take up to a month.
User's Profile Link
https://bitcointalksearch.org/user/c-cex-220467
Will update when more information is available.
Update #1
User has stopped responding via Skype
Update #2
After several requests, they responded on Skype by simply posting their twitter address. When I said that this in no way answered my questions, he then, indeed, took the time to answer the questions I asked.
Update #3
The admin and his cheer leader are claiming that the "thief" is sending BTC back through a tumbler. In the meantime they are giving back assets to those who dealt in the currency used for the exploit, while those who had not involved themselves at all with said currency are still left with our dicks in our hands.
It has been suggested MANY times that the admin secure a loan using other altcoins earned via the site's transaction fees as collateral and *every time* he has ignored it and said absolutely nothing. This leads me to believe that he really has no interest in paying people back in a timely manner.
My conclusion at this point:
Site administrator is (and I'm sorry to say it) incompetent in terms of running a secure site - an absolute necessity for running an exchange.
DO NOT, under *any* circumstances, allow this guy access to your assets.
Jump to: