“Users who put their coins into cold storage will be contacted by Flexcoin and asked to verify their identity,” the statement continues. “Once identified, cold storage coins will be transferred out free of charge. Cold storage coins were held offline and not within reach of the attacker. Flexcoin will attempt to work with law enforcement to trace the source of the hack.”
How Did It Happen?
The hacker found a vulnerability in the code that takes withdrawals. Here’s what happens when you place a withdrawal:

1. Input validation.
2. Your balance is checked to see if you have enough funds.
3. If you do, your balance is deducted.
4. The withdrawal is inserted into the database.
5. The confirmation email is sent.
6. After you confirm the withdrawal, the withdrawal daemon picks it up and processes the withdrawal.

The hacker discovered that if you place several withdrawals at practically the same instant, they get processed at more or less the same time: each request’s balance check passes before the other requests have deducted anything. This results in a negative balance but valid insertions into the database, which then get picked up by the withdrawal daemon.

What Did Poloniex Do Wrong?

The major problem here is that the auditing and security features were not explicitly looking for negative balances. They add deposits and withdrawals and check that accounts are in balance. If you have 2 BTC, withdraw 10 BTC, and are left with -8 BTC, the software would see that you deposited 2, withdrew 10, and have exactly what you should: -8.

Another design flaw is that withdrawals should be queued at every step of the way. This could not have happened if withdrawal requests were processed sequentially instead of simultaneously.

Busoni said that he accepted entire responsibility for the theft, but also stated that since Poloniex did not currently have that kind of funds at its disposal, all Bitcoin balances at Poloniex would be uniformly deducted by 12.3 percent, albeit temporarily. According to Busoni, this was necessary to prevent a run on the existing bitcoins:
“Please understand that this is an absolute necessity–if I did not make this adjustment, people would most likely withdraw all their BTC as soon as possible in order to make sure they weren’t left in that remaining 12.3%. Aside from the obvious drawback of most of the BTC being taken out of the exchange, this would not be fair–some people would get all of their money right away, and a few would get none right away.”

Busoni said that over time, the 12.3% deduction will be returned to the owners from funds raised from exchange fees, as well as donations (which he is accepting). Poloniex is also raising its exchange fees in order to recoup the stolen amount and has asked its users for their views on the new rate.

The thread participants, however, expressed their gratitude to Busoni for being forthright and truthful about the entire episode. One poster said that Poloniex had lost BTC worth $50,000, but Busoni did not confirm it.

Nearly all of the Bitcoin exchanges, as well as banks, are facing the threat from the ‘transaction malleability’ issue, and the total loss due to it will be known only in due course. But the amounts being stolen are claiming victims like ninepins: first Mt. Gox and now Flexcoin bites the dust due to this ‘transaction malleability’ issue. Other major as well as minor exchanges like Bitcoinica, Inputs.io and MyBitcoin have also been hacked and lost thousands of dollars.