$662 000 USD

MARCH 2014

UNITED STATES

POLONIEX

DESCRIPTION OF EVENTS

“The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time. This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon.”

“The major problem here was that withdrawals should have been queued at every step of the way. This could not have happened if withdrawal requests were processed sequentially instead of simultaneously. Additionally, auditing and security features were not explicitly looking for negative balances. They add deposits and withdrawals and check that accounts are in balance. If you have 2 BTC, withdraw 10 BTC, and are left with -8 BTC, the software would see that you deposited 2, withdrew 10, and have exactly what you should: -8.”

“I sincerely apologize for this,” Poloniex’s owner wrote in a statement, “and I am very grateful to the many people who have already expressed their support and belief in my character. I take full responsibility; I will be donating some of my own money, and I will not be taking profit before the debt is paid.”

“the company has committed to operating at a fractional reserve until it can replenish the losses itself.”

Hot wallets are almost always hackable, whether through a simple logic error like this one or through more complicated exploits. The error here is a classic race condition: the balance was read and checked in one step and debited in a later step, so several requests submitted at the same instant all passed the check against the same stale balance and were each written to the database as a valid withdrawal. Processing withdrawals one at a time, as the owner describes, closes the window; so does making the check and the debit a single atomic operation and having the database itself refuse a balance below zero. The audit also needs a stronger invariant than "deposits minus withdrawals equals balance", which is satisfied by -8; it has to assert that no account is negative. Poloniex is interesting in that it presently claims insurance on the front of its website, and expressly denies having insurance in its terms of service. It is also apparently based in the United States and working with regulators, yet unable to serve any residents of the United States. Hopefully it has real hot wallet insurance which can be used in the event of any future hacks.
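The race described above, reproduced as an added example (this is not Poloniex's code; the account name, table layout, amounts and the use of an in-memory SQLite ledger are all constructed for the demonstration). `withdraw_racy` reads the balance and debits it in two separate statements; a barrier makes every request finish its check before any debit lands, which is what "placed in practically the same instant" achieves in production. `withdraw_atomic` folds the check into the debit with a conditional UPDATE, `make_ledger(..., enforce_nonnegative=True)` shows the database rejecting the overdraft as a second line of defence, and the two audit functions show why "deposits minus withdrawals equals balance" is not enough.

```python
"""Added example, not Poloniex's code: a check-then-act withdrawal race on an
in-memory SQLite ledger, beside two fixes.  All names and amounts are constructed."""
import sqlite3
import threading

DB_LOCK = threading.Lock()  # serialises single statements, NOT the check+debit pair


def make_ledger(opening_balance, enforce_nonnegative=False):
    """Create a ledger holding one constructed account, 'alice'."""
    conn = sqlite3.connect(":memory:", check_same_thread=False)
    check = "CHECK (balance >= 0)" if enforce_nonnegative else ""
    conn.execute("CREATE TABLE accounts (user TEXT PRIMARY KEY, "
                 f"balance INTEGER NOT NULL {check})")
    conn.execute("CREATE TABLE ledger (id INTEGER PRIMARY KEY, user TEXT, "
                 "kind TEXT, amount INTEGER)")
    conn.execute("INSERT INTO accounts VALUES ('alice', ?)", (opening_balance,))
    conn.execute("INSERT INTO ledger (user, kind, amount) VALUES ('alice', 'deposit', ?)",
                 (opening_balance,))
    conn.commit()
    return conn


def withdraw_racy(conn, user, amount, barrier=None):
    """Vulnerable pattern: read the balance, decide, then debit in a later statement."""
    with DB_LOCK:  # step 1: check
        (bal,) = conn.execute("SELECT balance FROM accounts WHERE user = ?",
                              (user,)).fetchone()
    if barrier is not None:
        barrier.wait()  # every request has passed the check before any debit lands
    if bal < amount:
        return False
    with DB_LOCK:  # step 2: act, on information that is now stale
        try:
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE user = ?",
                         (amount, user))
            conn.execute("INSERT INTO ledger (user, kind, amount) "
                         "VALUES (?, 'withdrawal', ?)", (user, amount))
            conn.commit()
        except sqlite3.IntegrityError:  # only fires when CHECK (balance >= 0) exists
            conn.rollback()
            return False
    return True


def withdraw_atomic(conn, user, amount, barrier=None):
    """Hardened: check and debit are one conditional UPDATE, so no interleaving overdraws."""
    if barrier is not None:
        barrier.wait()
    with DB_LOCK:
        cur = conn.execute("UPDATE accounts SET balance = balance - ? "
                           "WHERE user = ? AND balance >= ?", (amount, user, amount))
        if cur.rowcount != 1:  # insufficient funds: no row changed
            conn.rollback()
            return False
        conn.execute("INSERT INTO ledger (user, kind, amount) VALUES (?, 'withdrawal', ?)",
                     (user, amount))
        conn.commit()
    return True


def run_concurrent(conn, withdraw, user, amount, n):
    """Fire n withdrawals 'at practically the same instant'; return how many were accepted."""
    barrier = threading.Barrier(n)
    results = []
    threads = [threading.Thread(
        target=lambda: results.append(withdraw(conn, user, amount, barrier)))
        for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def balance(conn, user):
    return conn.execute("SELECT balance FROM accounts WHERE user = ?", (user,)).fetchone()[0]


def audit_naive(conn, user):
    """What the original audit did: deposits - withdrawals == balance.  Passes for -8."""
    dep = conn.execute("SELECT COALESCE(SUM(amount), 0) FROM ledger "
                       "WHERE user = ? AND kind = 'deposit'", (user,)).fetchone()[0]
    wd = conn.execute("SELECT COALESCE(SUM(amount), 0) FROM ledger "
                      "WHERE user = ? AND kind = 'withdrawal'", (user,)).fetchone()[0]
    return dep - wd == balance(conn, user)


def audit_strict(conn, user):
    """The missing invariant: the books balance AND no account is below zero."""
    return audit_naive(conn, user) and balance(conn, user) >= 0


if __name__ == "__main__":
    racy = make_ledger(2)
    print("racy: accepted", run_concurrent(racy, withdraw_racy, "alice", 2, 5),
          "balance", balance(racy, "alice"),
          "naive audit", audit_naive(racy, "alice"),
          "strict audit", audit_strict(racy, "alice"))
    fixed = make_ledger(2)
    print("atomic: accepted", run_concurrent(fixed, withdraw_atomic, "alice", 2, 5),
          "balance", balance(fixed, "alice"))
```

With an opening balance of 2 and five simultaneous withdrawals of 2, the racy path accepts all five and leaves the account at -8, which the naive audit still reports as consistent; the atomic path accepts exactly one, and the racy path against a ledger created with `enforce_nonnegative=True` also accepts only one because the database rejects every later debit. A serialised queue, as the owner proposed, is equivalent to holding `DB_LOCK` across both steps.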


© 2021 Quadriga Initiative.