Third cryptocurrency exchange becomes hacking victim, loses Bitcoin

Summary: Following Mt. Gox and Flexcoin, Poloniex has admitted to losing over 10 percent of customer funds due to cyberattacks.

Yet another cryptocurrency exchange has come forward and admitted that security and system problems have led to customer funds being pinched by hackers.

Poloniex, a Bitcoin trading post similar to Mt. Gox, has lost 12.3 percent of the Bitcoin stored in hot wallets on the website. However, in stark contrast to how Mt. Gox CEO Mark Karpeles handled his company's Bitcoin losses, the owner of Poloniex, Tristan D'Agosta -- a.k.a. Busoni -- admitted to the loss and asked users how they would like to be compensated.

In a forum post, Busoni said that a hacker took advantage of a flaw in how the exchange processes withdrawals. When a user submits a withdrawal request, the requested amount is checked against the user's balance, deducted, and the new balance recorded in a database. However, it was discovered that placing several withdrawals in practically the same instant meant each request was processed at more or less the same time, resulting in a negative balance but "valid insertions into the database, which then get picked up by the withdrawal daemon."

According to the Poloniex chief, auditing and security features were not explicitly looking for negative balances, and so the transactions were allowed to proceed. Busoni admitted that another "design flaw" contributed to the theft, as "this could not have happened if withdrawals requests were processed sequentially instead of simultaneously."

Trading was frozen following the discovery of unusual activity, and Busoni says he takes "full responsibility" for the missing 12.3 percent of Bitcoin -- believed to be worth roughly $50,000. 

"If I had the money to cover the entire debt right now, I would cover it in a heartbeat," Busoni admitted. "I simply don't, and I can't just pull it out of thin air."

So, to keep everyone from withdrawing their BTC to avoid being left to pick up the debt, everyone's wallet on the trading post will "temporarily be deducted by 12.3 percent."

"Please understand that this is an absolute necessity -- if I did not make this adjustment, people would most likely withdraw all their BTC as soon as possible in order to make sure they weren't left in that remaining 12.3 percent," Busoni said. "Aside from the obvious drawback of most of the BTC being taken out of the exchange, this would not be fair -- some people would get all of their money right away, and a few would get none right away."

The amounts deducted have been recorded, and the Poloniex chief says that funds will be raised from exchange fees -- and his own pocket -- to try and cover the debt and redistribute funds to users who have had Bitcoin deducted.

To prevent further exploits, Poloniex is checking for negative balances and will freeze any accounts that have taken advantage of the processing flaw. In addition, before the trading post is unfrozen, a new daemon will be created to make sure no accounts with negative balances remain active. Withdrawals will also be switched to a queued method.
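The check-then-deduct race Busoni describes, next to the sequential processing and negative-balance audit named as fixes, modelled as an added example (not Poloniex's code). The `Account` class, the amounts, and the barrier that forces the requests to arrive together are constructed assumptions.

```python
import threading

class Account:
    """Constructed model: one user's balance plus the payout rows a withdrawal daemon reads."""
    def __init__(self, balance):
        self.balance = balance            # integer units, constructed sample value
        self.payouts = []
        self._stmt = threading.Lock()     # a single write is atomic, as in a database
        self._txn = threading.Lock()      # serialises whole requests (hardened path only)

    def _deduct(self, amount):
        with self._stmt:
            self.balance -= amount
            self.payouts.append(amount)

    def withdraw_racy(self, amount, gate):
        ok = amount <= self.balance       # step 1: check against the balance
        gate.wait()                       # every request has now passed its check
        if ok:
            self._deduct(amount)          # step 2: deduct and record, on a stale check
        return ok

    def withdraw_serial(self, amount, gate):
        gate.wait()                       # requests still arrive in the same instant
        with self._txn:                   # check and deduct as one sequential unit
            ok = amount <= self.balance
            if ok:
                self._deduct(amount)
        return ok

def run(method, start=10, amount=8, requests=4):
    """Fire `requests` simultaneous withdrawals; return (final balance, payout rows)."""
    acct = Account(start)
    gate = threading.Barrier(requests)    # forces the simultaneous arrival deterministically
    handler = getattr(acct, method)
    threads = [threading.Thread(target=handler, args=(amount, gate)) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, len(acct.payouts)

def audit_flags(balance):
    """The check the article says auditing lacked: flag any negative balance."""
    return balance < 0

if __name__ == "__main__":
    for method in ("withdraw_racy", "withdraw_serial"):
        balance, rows = run(method)
        print(method, balance, rows, "FLAGGED" if audit_flags(balance) else "ok")
```

In a real database the serial path corresponds to a row lock or a single conditional update, so the check and the deduction cannot be separated by another request.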

Mt. Gox, once the dominant Bitcoin trading post online, closed its doors last week and filed for bankruptcy protection in Japan following years of undetected infiltration that resulted in the theft of 750,000 customer-owned Bitcoin, as well as Mt. Gox's store of roughly 100,000 coins, in total worth almost $500 million. System design flaws, hackers and poor accountancy practices have been blamed for the massive financial losses.

Flexcoin followed suit and closed after hackers stole 896 Bitcoin -- worth approximately $606,000 -- and the trading exchange did not have the funds or resources to recover.

Topics: Security

About

Charlie Osborne, a medical anthropologist who studied at the University of Kent, UK, is a journalist, freelance photographer and former teacher. She has spent years travelling and working across Europe and the Middle East as a teacher, and has been involved in the running of businesses ranging from media and events to B2B sales.
