Donations to Cover the 6171.4626378 XCP Taken from Poloniex


This thread is for people to make donations to cover the XCP that was taken from Poloniex during the recent saga involving a security breach in the protocol. The total missing is 6171.4626378 XCP.


Please donate what you can to this address: 15buRLRW47AY9Md3mpFj17Yp6w4BtfMRjc


I will keep you updated on the progress. If anyone would like to make a direct transfer from their Poloniex balance, please let me know.

Your account is new and I don’t see a balance. Can you verify your identity by signing a message with a well known key? (e.g. 15vA2MJ4ESG3Rt1PVQ79D1LFMBBNtcSz1f)


I’m not sure what you mean by signing a message, but I linked to this thread from bitcointalk: https://bitcointalk.org/index.php?topic=395761.msg5284606#msg5284606


And I will now transfer 1.32 XCP from 15vA2MJ4ESG3Rt1PVQ79D1LFMBBNtcSz1f to the donation account.

Thanks, that will be sufficient proof.

Just wanted to make sure that the community is on the safe side. We’ve seen our share of scams already.

Curious. Is there conclusive evidence that a fault in the Counterparty protocol is directly to blame for OP’s loss? I don’t mean to disparage Poloniex, but would Coinbase have gotten robbed?

[quote author=busoni link=topic=127.msg753#msg753 date=1393001683]

This thread is for people to make donations to cover the XCP that was taken from Poloniex during the recent saga involving a security breach in the protocol. The total missing is 6171.4626378 XCP.


Please donate what you can to this address: 15buRLRW47AY9Md3mpFj17Yp6w4BtfMRjc


I will keep you updated on the progress. If anyone would like to make a direct transfer from their Poloniex balance, please let me know.
[/quote]

Hi Busoni, I bought ~1000 XCP on Poloniex on the 16th-17th. All of it gone now it seems:

[code]
Market   Type  Price (BTC)  Amount (XCP)  Total (BTC)  Date
BTC/XCP  Buy   0.0138       521.22052782  7.19284328   2014-02-17 06:41:52
BTC/XCP  Buy   0.0138       0.51860261    0.00715671   2014-02-17 02:21:58
BTC/XCP  Buy   0.015822     125.30630705  1.98259639   2014-02-16 19:09:24
BTC/XCP  Buy   0.015822     94.69369295   1.49824360   2014-02-16 18:04:32
BTC/XCP  Buy   0.01899      100           1.899        2014-02-16 17:41:23
BTC/XCP  Buy   0.01898      100           1.898        2014-02-16 17:41:18
BTC/XCP  Buy   0.017        9.481         0.161177     2014-02-16 16:26:13
BTC/XCP  Buy   0.017        16.59352784   0.28208997   2014-02-16 16:26:13
[/code]
This is a significant amount for me… I understand you got nailed… but can you give me some update. Thanks.

[quote author=rwfresh link=topic=127.msg767#msg767 date=1393022064]
[quote author=busoni link=topic=127.msg753#msg753 date=1393001683]

This thread is for people to make donations to cover the XCP that was taken from Poloniex during the recent saga involving a security breach in the protocol. The total missing is 6171.4626378 XCP.


Please donate what you can to this address: 15buRLRW47AY9Md3mpFj17Yp6w4BtfMRjc


I will keep you updated on the progress. If anyone would like to make a direct transfer from their Poloniex balance, please let me know.
[/quote]

Hi Busoni, I bought ~1000 XCP on Poloniex on the 16th-17th. All of it gone now it seems:

[code]
Market   Type  Price (BTC)  Amount (XCP)  Total (BTC)  Date
BTC/XCP  Buy   0.0138       521.22052782  7.19284328   2014-02-17 06:41:52
BTC/XCP  Buy   0.0138       0.51860261    0.00715671   2014-02-17 02:21:58
BTC/XCP  Buy   0.015822     125.30630705  1.98259639   2014-02-16 19:09:24
BTC/XCP  Buy   0.015822     94.69369295   1.49824360   2014-02-16 18:04:32
BTC/XCP  Buy   0.01899      100           1.899        2014-02-16 17:41:23
BTC/XCP  Buy   0.01898      100           1.898        2014-02-16 17:41:18
BTC/XCP  Buy   0.017        9.481         0.161177     2014-02-16 16:26:13
BTC/XCP  Buy   0.017        16.59352784   0.28208997   2014-02-16 16:26:13
[/code]
This is a significant amount for me… I understand you got nailed… but can you give me some update. Thanks.
[/quote]

You mean you don’t see your balance there now? It’s because XCP has been removed from Polo for a while. I think you’ll see your wallet address and balance when it’s back on the exchange.

[quote author=Polo link=topic=127.msg766#msg766 date=1393018823]
Curious. Is there conclusive evidence that a fault in the Counterparty protocol is directly to blame for OP’s loss? I don’t mean to disparage Poloniex, but would Coinbase have gotten robbed?
[/quote]


It depends on what you mean by “directly.” There are security features now in place on Poloniex that would have prevented any loss. However, this occurred because of a verified (and now corrected) major flaw in the Counterparty protocol. It allowed the attacker to send XCP from any address he wanted. If a flaw like this happened with Bitcoin, exchanges would get robbed. There is a way to detect the problem if it occurs all on one exchange–Poloniex now detects this–but if, say, the flaw was used to steal BTC from Coinbase, then those BTC could be traded on Cryptsy for another currency and withdrawn. It would appear completely legitimate to Cryptsy. Then, if transactions were rolled back as they were for XCP, Cryptsy would end up getting screwed.


Poloniex could have detected this. To be honest, I never expected that something so catastrophic was possible with crypto, so it never occurred to me to check for it. Checks are in place now, though, as well as other security measures.


It may be worth noting that the attacker’s method would have worked just as well to steal BTC from traders on the DEX.

Can you please expand upon this statement:

[quote]It allowed the attacker to send XCP from any address he wanted[/quote]

Are you saying I could’ve spent anyone else’s XCP without their permission prior to the hack of Poloniex?

[quote]It may be worth noting that the attacker’s method would have worked just as well to steal BTC from traders on the DEX.[/quote]

Wait, I thought the problem was spending someone else’s XCP. Care to expand on this one as well? Genuinely curious to know the details.

In terms of consequences, this bug is similar to the integer overflow bug back in 2010 (see http://bitcoinmagazine.com/3668/bitcoin-network-shaken-by-blockchain-fork/ for an overview of that as well as the fork). If those coins made it on an exchange, yes they would be valid, and yes there would be nothing that could be done except manually deal with it (as we are doing right now). Then again bitcoin was far smaller back then…


[quote author=jimhsu link=topic=127.msg775#msg775 date=1393038195]
In terms of consequences, this bug is similar to the integer overflow bug back in 2010 (see http://bitcoinmagazine.com/3668/bitcoin-network-shaken-by-blockchain-fork/ for an overview of that as well as the fork). If those coins made it on an exchange, yes they would be valid, and yes there would be nothing that could be done except manually deal with it (as we are doing right now). Then again bitcoin was far smaller back then…
[/quote]


Thank you for reminding us of a bit of bitcoin history there jimhsu. I forgot about that little excitement 4 years back!

And no I wasn’t around then (else I’d be on an island or something now). But I do enjoy my history…

Understood. It would’ve been possible for someone to purposefully exploit the integer overflow bug and send nonexistent XCP to an exchange, which could then be sold for BTC. Something like that?

In this case, I’m not sure what the bug in Counterparty has to do with the premise of this thread:

[quote]This thread is for people to make donations to cover the XCP that was taken from Poloniex during the recent saga involving a security breach in the protocol.[/quote]

How was the XCP stolen here? Wouldn’t an attacker need control of Poloniex’s systems to carry out the integer overflow fake-send?

[quote author=Polo link=topic=127.msg778#msg778 date=1393039989]
Understood. It would’ve been possible for someone to purposefully exploit the integer overflow bug and send nonexistent XCP to an exchange, which could then be sold for BTC. Something like that?

In this case, I’m not sure what the bug in Counterparty has to do with the premise of this thread:

[quote]This thread is for people to make donations to cover the XCP that was taken from Poloniex during the recent saga involving a security breach in the protocol.[/quote]

How was the XCP stolen here? Wouldn’t an attacker need control of Poloniex’s systems to carry out the integer overflow fake-send?
[/quote]

Yes. In this case, a malformed transaction (which is reversible) was dumped from Poloniex, into Poloniex, and exchanged for BTC, which we all know is irreversible. The result is that the BTC was withdrawn, and some people also withdrew the XCP that they “bought” during the fake dump (which are normal transactions, and thus also irreversible). The fact that the attacker did NOT need the private key for Poloniex made this a genuine exploit (instead of a hack). Devs have since then implemented all sorts of much stricter validation.

From a security standpoint, the exploit was quite clever, but obvious in hindsight (as all security bugs are).
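The two points made above, busoni’s that the problem is detectable when the whole thing happens on one exchange, and jimhsu’s that a forged send was credited, sold for BTC and only later reversed, can be shown with a small exchange-side simulation. This is an added example, not Poloniex’s or Counterparty’s code, and it does not reproduce the actual protocol flaw: it only models the exchange’s side. The addresses, quantities, the `Send` record and the integer width `MAX_QTY` are constructed for the illustration. The exchange keeps its own balance table rebuilt from sends it has accepted, refuses to credit a deposit whose source cannot cover it, and reconciles customer credits against what its hot addresses actually hold, so a credit issued on a send the ledger never honoured shows up as a shortfall.

```python
"""Exchange-side checks for deposits of a ledger-based asset (illustrative).

Hypothetical code, not Poloniex's or Counterparty's. It models two checks an
exchange can run before and after crediting a deposit:
  1. validate the send against an independently kept balance table (the
     source must hold the quantity; the quantity must be a sane integer);
  2. reconcile: credited customer balances must never exceed what the
     exchange's own addresses hold on that table.
All addresses, quantities and the Send format are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MAX_QTY = 2**63 - 1  # assumed integer width for quantities (hypothetical)


@dataclass(frozen=True)
class Send:
    source: str
    destination: str
    quantity: int


class Ledger:
    """Exchange-maintained view of who holds what, rebuilt from accepted sends."""

    def __init__(self, balances: Dict[str, int]):
        self.balances = dict(balances)

    def validate(self, s: Send) -> Optional[str]:
        """Return None if the send is acceptable, otherwise the reason it is not."""
        if not isinstance(s.quantity, int) or s.quantity <= 0:
            return "non-positive quantity"
        if s.quantity > MAX_QTY:
            return "quantity exceeds integer width"
        if self.balances.get(s.source, 0) < s.quantity:
            return "source balance insufficient"
        return None

    def apply(self, s: Send) -> None:
        err = self.validate(s)
        if err is not None:
            raise ValueError(err)
        self.balances[s.source] -= s.quantity
        self.balances[s.destination] = self.balances.get(s.destination, 0) + s.quantity


class Exchange:
    def __init__(self, hot_addresses: Set[str], ledger: Ledger):
        self.hot_addresses = set(hot_addresses)
        self.ledger = ledger
        self.credited: Dict[str, int] = {}          # customer -> units credited
        self.rejected: List[Tuple[Send, str]] = []  # sends refused, with reason

    def on_deposit(self, customer: str, s: Send, trust_node: bool = False) -> bool:
        """Credit a deposit. With trust_node=True the exchange credits whatever
        it is told (the behaviour the thread describes); otherwise it validates
        the send against its own ledger first."""
        if s.destination not in self.hot_addresses:
            self.rejected.append((s, "not addressed to the exchange"))
            return False
        if trust_node:
            self.credited[customer] = self.credited.get(customer, 0) + s.quantity
            return True
        err = self.ledger.validate(s)
        if err is not None:
            self.rejected.append((s, err))
            return False
        self.ledger.apply(s)
        self.credited[customer] = self.credited.get(customer, 0) + s.quantity
        return True

    def reconcile(self) -> int:
        """Units credited to customers beyond what the hot addresses hold; 0 is sound."""
        held = sum(self.ledger.balances.get(a, 0) for a in self.hot_addresses)
        owed = sum(self.credited.values())
        return max(0, owed - held)


def run_demo() -> dict:
    """Constructed scenario: one honest deposit, one forged send from an empty address."""
    ledger = Ledger({"alice": 1000, "exch_hot": 0, "victim": 0})
    ex = Exchange({"exch_hot"}, ledger)
    alice_ok = ex.on_deposit("alice", Send("alice", "exch_hot", 300))
    forged = Send("victim", "exch_hot", 6171)       # source holds nothing
    forged_ok = ex.on_deposit("attacker", forged)   # validated: refused
    shortfall_checked = ex.reconcile()
    ex.on_deposit("attacker", forged, trust_node=True)  # credited blindly
    return {
        "alice_credited": alice_ok,
        "forged_credited": forged_ok,
        "forged_reason": ex.rejected[-1][1],
        "shortfall_checked": shortfall_checked,
        "shortfall_trusting": ex.reconcile(),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The reconciliation is the cheap check: it needs no knowledge of the protocol bug, only a count of what the exchange’s addresses hold versus what it has promised to customers, and it flags the blind credit by exactly the forged quantity.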

My understanding is that busoni’s for-profit Bitcoin exchange was hacked. It was busoni’s own doing to list XCP on his for-profit exchange. There was never any guarantee to busoni that he would profit from listing XCP or that he would not be subject to hacking attempts.

The XCP devs clearly advertised their software as “alpha”, and made no promises to busoni.

If you’re going to be in the for-profit Bitcoin exchange business, you’re going to have to chalk some things up to the cost of doing business. Coinbase was recently screwed out of 100 BTC by a clever hack. That sort of thing can’t faze you if you’re serious about operating a for-profit Bitcoin exchange. If Coinbase had listed XCP for sale, they certainly wouldn’t be asking for handouts.

The Counterparty devs had no way to amass XCP early on like Satoshi amassed BTC. The Counterparty devs don’t deserve to have to pay for the mistakes of a for-profit Bitcoin exchange operator whose operations turned sour, regardless of whether or not their open source protocol had anything to do with it. Neither do any other XCP investors owe busoni anything, as they also had nothing to do with busoni’s for-profit business decision.

busoni accepting donations is the best way of handling this. Taxing people, touching balances or affecting the ledger would result in catastrophic loss of trust in the protocol.

[quote author=jimhsu link=topic=127.msg782#msg782 date=1393048581]
[quote author=Polo link=topic=127.msg778#msg778 date=1393039989]
Understood. It would’ve been possible for someone to purposefully exploit the integer overflow bug and send nonexistent XCP to an exchange, which could then be sold for BTC. Something like that?

In this case, I’m not sure what the bug in Counterparty has to do with the premise of this thread:

[quote]This thread is for people to make donations to cover the XCP that was taken from Poloniex during the recent saga involving a security breach in the protocol.[/quote]

How was the XCP stolen here? Wouldn’t an attacker need control of Poloniex’s systems to carry out the integer overflow fake-send?
[/quote]

Yes. In this case, a malformed transaction (which is reversible) was dumped from Poloniex, into Poloniex, and exchanged for BTC, which we all know is irreversible. The result is that the BTC was withdrawn, and some people also withdrew the XCP that they “bought” during the fake dump (which are normal transactions, and thus also irreversible). The fact that the attacker did NOT need the private key for Poloniex made this a genuine exploit (instead of a hack). Devs have since then implemented all sorts of much stricter validation.

From a security standpoint, the exploit was quite clever, but obvious in hindsight (as all security bugs are).
[/quote]


In my case I didn’t do any trading. Five days ago I bought some XCP and left it there.


Today XCP is not listed at Poloniex (I don’t know since when is that).
In my balance I don’t see any XCP (probably because XCP is not listed).
So I can’t tell whether it is gone or just invisible.


Judging by your comment it seems if I didn’t bid it, it still should be there (unless P somehow lost data), correct?

[quote author=something link=topic=127.msg788#msg788 date=1393063847]
[quote author=jimhsu link=topic=127.msg782#msg782 date=1393048581]
[quote author=Polo link=topic=127.msg778#msg778 date=1393039989]
Understood. It would’ve been possible for someone to purposefully exploit the integer overflow bug and send nonexistent XCP to an exchange, which could then be sold for BTC. Something like that?

In this case, I’m not sure what the bug in Counterparty has to do with the premise of this thread:

[quote]This thread is for people to make donations to cover the XCP that was taken from Poloniex during the recent saga involving a security breach in the protocol.[/quote]

How was the XCP stolen here? Wouldn’t an attacker need control of Poloniex’s systems to carry out the integer overflow fake-send?
[/quote]

Yes. In this case, a malformed transaction (which is reversible) was dumped from Poloniex, into Poloniex, and exchanged for BTC, which we all know is irreversible. The result is that the BTC was withdrawn, and some people also withdrew the XCP that they “bought” during the fake dump (which are normal transactions, and thus also irreversible). The fact that the attacker did NOT need the private key for Poloniex made this a genuine exploit (instead of a hack). Devs have since then implemented all sorts of much stricter validation.

From a security standpoint, the exploit was quite clever, but obvious in hindsight (as all security bugs are).
[/quote]


In my case I didn’t do any trading. Five days ago I bought some XCP and left it there.


Today XCP is not listed at Poloniex (I don’t know since when is that).
In my balance I don’t see any XCP (probably because XCP is not listed).
So I can’t tell whether it is gone or just invisible.


Judging by your comment it seems if I didn’t bid it, it still should be there (unless P somehow lost data), correct?
[/quote]


Hello everyone. I’m in a similar situation to the above. I bought on Poloniex and just left it there. I also never sold anything at all. I’ve been away and just tuned back into all this now and am trying to figure out what happened…  :’(

[quote author=Polo link=topic=127.msg786#msg786 date=1393059532]
My understanding is that busoni’s for-profit Bitcoin exchange was hacked. It was busoni’s own doing to list XCP on his for-profit exchange. There was never any guarantee to busoni that he would profit from listing XCP or that he would not be subject to hacking attempts.

The XCP devs clearly advertised their software as “alpha”, and made no promises to busoni.

If you’re going to be in the for-profit Bitcoin exchange business, you’re going to have to chalk some things up to the cost of doing business. Coinbase was recently screwed out of 100 BTC by a clever hack. That sort of thing can’t faze you if you’re serious about operating a for-profit Bitcoin exchange. If Coinbase had listed XCP for sale, they certainly wouldn’t be asking for handouts.

The Counterparty devs had no way to amass XCP early on like Satoshi amassed BTC. The Counterparty devs don’t deserve to have to pay for the mistakes of a for-profit Bitcoin exchange operator whose operations turned sour, regardless of whether or not their open source protocol had anything to do with it. Neither do any other XCP investors owe busoni anything, as they also had nothing to do with busoni’s for-profit business decision.

busoni accepting donations is the best way of handling this. Taxing people, touching balances or affecting the ledger would result in catastrophic loss of trust in the protocol.
[/quote]


I am not sure I understand all the focus on profit. If it were not for profit, would I somehow be absolved of responsibility? Would any flaws in my exchange become the shared responsibility of all users?


Poloniex was not hacked. It is true that there could have been extra security measures in place that would have prevented any loss from this attack, but when you say Poloniex was hacked, you’re saying someone broke in and gained unauthorized access to the system. This did not happen. Perhaps it is worth noting that the same exploit could have been used in the same way to steal BTC from people using the DEX. Was the DEX hacked?


I’m not going to get into whose fault it is or who is to blame. It doesn’t matter. What matters is how we proceed from here. I am happy to do what I can to get users’ money back, but people have to understand that even though I have the audacity to make a profit, I am not rich. I cannot pay back the lost BTC out of my pocket.


Some other things to note:


1. As PhantomPhreak said, Counterparty is alpha-quality software, and things may go wrong with it that cause you to lose money. Please understand that this can happen even on a centralized exchange like Poloniex.


2. Your money is safer in your wallet than it is on any exchange. As in most, if not all, terms and conditions of exchanges, there is a clause in the terms for Poloniex that absolves Poloniex of financial responsibility in the event that money is lost due to malicious actions of a third party. This does not mean that I will not do everything I can to pay people back, even out of my own pocket. It does not mean that I will not take responsibility. It does mean, however, that your money is not guaranteed against theft like it is at a bank.


At this point, I can do what is in my power to pay back the debt, and I can bolster security at Poloniex. Much has been done with the latter already, and much will continue to be done. The former will have to happen more gradually. It seems I have a sizable bounty coming to me for being the first exchange/punching bag to list XCP–this will go toward paying the debt.


I do appreciate how supportive people have been, and I still welcome suggestions about how to proceed. The BTC/XCP market will be resumed later today, once the block chain has finished syncing.

Yea, it was really unfortunate what happened here. In the scheme of things, not much money was lost. Bitstamp does 3X that much in USD volume on a slow day.

I really like the idea of doing an IPO for Poloniex on Counterparty. I think the funds raised could cover part of the loss very nicely and may result in a more secure and enjoyable Poloniex exchange.

Hello busoni,


It’s nice to hear that you are trying to go forward and to solve this issue. Of course responsibilities are shared, but you are the one that carries most of the burden, and the price you are paying is disproportionate compared to your fault.


I was thinking about an IPO of fee shares of Poloniex’s upcoming profits. That way you could gather the funds much more quickly than via a donation, and it could help you to restore the balances. In exchange you would have to yield a part of the site’s profit, but I’m sure early investors would accept a small revenue because you have proven that you are trustworthy. You could issue fee shares for only 10% of profits; that way you don’t have to yield too much of your future profit, and you will get out of trouble more quickly.


Personally, I was thinking of donating a small amount, but I would spend 50 to 100 times this amount if I had something in return.


This IPO could be done on Counterparty (but I’m not sure it won’t add to the mess by selling fee shares in XCP) or on a more conservative way on Havelock or Cryptostocks.


Anyway, it’s up to you and if you prefer to handle the things 100% on your side, that’s fine too.