CYBER ATTACK ON POLONIEX RESULTED IN 12.3% LOSS IN BITCOIN
Welcome to today’s Poloniex Spotlight.
The Poloniex platform charges roughly average fees. It works on a tiered structure, where trading fees go down as the user's trading volume goes up. The starting fees are 0.15% for makers and 0.25% for takers, and they can go as low as 0% for makers and 0.05% for takers, which is an impressive number. The global industry average for trading fees is 0.25%, so Poloniex sits in the middle, depending on the user being charged.
The Poloniex exchange is also a very secure exchange.
Poloniex has been hacked
Poloniex lost 12.3% of its bitcoin to an unknown attacker. The exchange took to Bitcoin Forum on 4th March 2014 to report that it had been compromised through a previously unknown vulnerability in its code. Poloniex owner Tristan D'Agosta moved to calm concerned users by explaining what led to the hack, as well as what the company's next steps would be.
D'Agosta also detailed the exact process by which transactions on the exchange were established in order to highlight the slip, and further took full responsibility for the loss, stating that he plans to repay the company's customers.
How it happened
The hacker found a vulnerability in the code that handles withdrawals.
When a withdrawal is placed, this is what happens:
• Input validation is performed.
• Your balance is checked to see if you have enough funds.
• If you do, your balance is deducted.
• The withdrawal is inserted into the database.
• The confirmation email is sent.
• After you confirm the withdrawal, the withdrawal daemon picks it up and processes the withdrawal.
The hacker then discovered that if you place numerous withdrawals at practically the same instant, they are processed at more or less the same time. Each request passes the balance check before any of the others has deducted its amount. This results in a negative balance, but in valid insertions into the database, which then get picked up by the withdrawal daemon.
What should have been done to prevent the hack?
The major problem was that withdrawals should have been queued at every step of the way. This could not have happened if withdrawal requests had been processed sequentially instead of simultaneously.
Additionally, the auditing and security features were not explicitly looking for negative balances: they add up deposits and withdrawals and check that the accounts balance.
The existing security features noticed the unusual withdrawal activity and froze BTC. That is how the activity was discovered.
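As an added illustration (example code written for this post, not Poloniex's own), the following Python model runs the withdrawal steps above against a single account: `withdraw_racy` performs the check-then-deduct sequence without serialization, so five simultaneous requests all pass the balance check and drive the account negative, while `withdraw_serialized` processes requests one at a time, and `daemon_may_pay_out` stands in for a daemon-side negative-balance check before processing. The `Ledger` class, the barrier that models the timing window, and the amounts are constructed assumptions.

```python
import threading

class Ledger:
    """Constructed stand-in for the account balance and the withdrawals table the daemon reads."""

    def __init__(self, balance, racers=1):
        self.balance = balance
        self.withdrawals = []              # rows the withdrawal daemon picks up
        self.lock = threading.Lock()
        # Barrier standing in for the timing window: every racer finishes its
        # balance check before any of them deducts.
        self.gate = threading.Barrier(racers)

    def withdraw_racy(self, amount):
        """Check-then-deduct with no serialization: concurrent requests all see the same balance."""
        if amount <= 0 or self.balance < amount:   # validation + balance check
            return False
        self.gate.wait()                           # the race window
        with self.lock:                            # the write itself is atomic...
            self.balance -= amount                 # ...but nothing stops it going negative
            self.withdrawals.append(amount)        # insert into the database
        return True

    def withdraw_serialized(self, amount):
        """Check and deduction in one critical section: requests are handled one at a time."""
        with self.lock:
            if amount <= 0 or self.balance < amount:
                return False
            self.balance -= amount
            self.withdrawals.append(amount)
            return True

def daemon_may_pay_out(ledger):
    """Post-incident daemon check: refuse to process queued withdrawals when the balance is negative."""
    return ledger.balance >= 0

def simulate(method, start=10, amount=10, requests=5):
    """Fire `requests` withdrawals of `amount` against `start` at practically the same instant."""
    ledger = Ledger(start, racers=requests)
    handler = getattr(ledger, method)
    threads = [threading.Thread(target=handler, args=(amount,)) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return ledger.balance, len(ledger.withdrawals), daemon_may_pay_out(ledger)

if __name__ == "__main__":
    print("racy:      ", simulate("withdraw_racy"))        # (-40, 5, False)
    print("serialized:", simulate("withdraw_serialized"))  # (0, 1, True)
```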
How they plan to reimburse the customers
Poloniex plans to record the balances and to pay customers back using exchange fees as well as personal contributions. As a result, D'Agosta indicated that all exchange fees would be temporarily raised to 1.5%, up from 0.2%.
Due to its current bitcoin shortage, Poloniex indicated that all customer balances would temporarily be reduced by 12.3% “out of absolute necessity”. D’Agosta suggested that this was the only way that bitcoins could be distributed fairly among affected users.
Measures put in place to prevent future hacks
D'Agosta also credited his design with preventing a more massive bitcoin loss. For example, he noted that the company's existing security features noticed the unusual withdrawal activity and froze the affected accounts.
To further prevent attacks, D'Agosta listed a number of next steps his company would follow, including updating the withdrawal daemon to check for negative balances before processing withdrawals and freezing any account with a negative balance.
For further reading check link