Poloniex Withdrawal Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 11:25, 8 March 2024 by Azoundria (talk | contribs) (Another 30 minutes. Revised the incident description. Added information about Poloniex founder and ultimate acquisitions. Added information about the amount lost and updated the total. Numerous revisions of the article text.)

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Poloniex Logo/Homepage

Early in its history, the Poloniex platform had a vulnerability where multiple withdrawals could be requested at once, allowing on-chain withdrawals whose total was larger than the balance of the account. This was exploited to steal 97 bitcoin from the collective hot wallet. After a period during which all user balances on the site were reduced by 12.3%, Poloniex ultimately reimbursed users in full. Poloniex subsequently made significant changes to improve the security of its platform.

About Poloniex

Poloniex welcomed users to its fast and secure exchange platform, offering the ability to trade bitcoins for various cryptocurrencies[1]. Early versions of the platform listed a significant range of currencies, including Litecoin, Dogecoin and Namecoin, alongside lesser-known chains like Counterparty, NXT and Primecoin[1]. Poloniex aimed to cater to the needs of cryptocurrency traders of all levels[1].

Poloniex was a US-based cryptocurrency exchange[2]. With just a valid email address, traders could start trading within minutes by creating an account or signing in if already a member[2]. The platform promised best-in-class tools such as stop-limit orders to minimize trading risk, customizable SMA and two EMA lines, and candlesticks ranging from 5 minutes to 4 hours, along with fully zoomable charts covering complete market history[2].

The platform emphasized community and support, promising to resolve all support tickets promptly and with care[2]. It boasted an active chatbox community for idea-sharing and updates, with chatbox moderators on hand to address users' immediate questions and concerns[2].

Poloniex was originally founded by Tristan D'Agosta[3], who used the BitcoinTalk username busoni[4].

Homepage:[1][2]

The Reality

Unfortunately, the original version of the Poloniex platform also featured a vulnerability where a user could place multiple withdrawal requests at once, and all of the requests would be honoured. The balance was checked only once, before the first request, rather than being checked and debited atomically for each request. This allowed a user to create as many simultaneous requests as they wanted. Once all of the requests were fulfilled, the account would be left with a negative balance and the user would hold more funds on the blockchain than they originally had.

What Happened

The vulnerability was exploited to withdraw 97 BTC from the Poloniex platform.

Key Event Timeline - Poloniex Withdrawal Hack

Date | Event | Description
March 3rd, 2014 5:05:41 AM MST | First Theft Withdrawal | The first withdrawal into what is believed to be the thief's wallet[5][6].
March 4th, 2014 1:31:32 AM MST | BitcoinTalk Thread | A new thread is posted in the BitcoinTalk forum which covers the event[4]. It's posted by busoni, who is the proclaimed "Owner of Poloniex"[4].
March 4th, 2014 9:31:09 AM MST | Poll For Path Forward | BitcoinTalk user DarkTrix runs a poll on what should be done to repay users[7]. Members suggest various solutions, including issuing shares, implementing SMS verification, and raising transaction fees[7]. Some propose distributing "Polopoints" as compensation or splitting losses among all users[7]. Others advocate for transparency regarding the incident and providing detailed information[7]. Despite differing opinions, there's a consensus on the urgency of resolving the situation and improving security measures[7]. Members express frustration with the exchange's handling of the situation and emphasize the importance of restoring trust among users[7].
March 4th, 2014 9:41:58 AM MST | Poll For Path Forward | busoni runs a poll to get the opinion of others as to what should be done to repay funds to users[8]. He also clarifies that he wouldn't feel it was fair to charge a portion of the funds from those who deposited after the breach[8].
July 2nd, 2014 8:29:00 AM MDT | CoinDesk Repayment Claimed | In a CoinDesk article, Poloniex claims that all customers have been fully reimbursed for their losses[9]. According to Poloniex owner Tristan D'Agosta, 97 BTC were taken and 97 BTC were repaid, with the exchange using its profits to compensate affected customers[9]. Customer feedback regarding Poloniex's reimbursement process has been largely positive[9]. In the article, Poloniex's successful reimbursement of affected customers was compared to Silk Road 2.0's repayment following a hack in February[9].
October 19th, 2017 2:11:44 AM MDT | CoinSutra Top 6 List Feature | The incident is included in a list of the top 6 exploits put together by CoinSutra[10]. According to the entry, the Poloniex hack resulted in the loss of 12.3% of all BTC held, equivalent to 97 BTC. The company disclosed the hack on the Bitcointalk forum, attributing it to the exploitation of flawed withdrawal code. Following the incident, Poloniex temporarily halted operations and announced a 12.3% reduction in funds for all users to mitigate losses. Despite these challenges, Poloniex resumed operations and assured customers that all affected users were fully reimbursed. However, reports suggest that Poloniex faced subsequent hacking attempts in 2017, raising concerns about the platform's security measures[10].
August 31st, 2018 8:50:00 AM MDT | CoinTelegraph Top 5 List | CoinTelegraph lists the Poloniex exploit in an article about the top 5 hacks in the space[11]. The article included high-level information on the vulnerability in the exchange's software which allowed simultaneous processing of withdrawal requests, leading to losses equivalent to 12.3% of users' funds[11]. To mitigate the impact, Poloniex reduced all user balances by the same percentage, freezing the affected funds temporarily before reimbursing them from personal funds. Despite the incident, users accepted the resolution, and Poloniex continued operations under Circle, an American payment system[11]. D'Agosta publicly acknowledged the flaws in the exchange's security measures and implemented changes to prevent future breaches, including queuing withdrawals and enhancing auditing and security features[11]. Additionally, new developers were hired, and a bug bounty program was established to fortify Poloniex's security[11].

Technical Details

"The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time. This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon."

"The major problem here was that withdrawals should have been queued at every step of the way. This could not have happened if withdrawal requests were processed sequentially instead of simultaneously. Additionally, auditing and security features were not explicitly looking for negative balances. They add deposits and withdrawals and check that accounts are in balance. If you have 2 BTC, withdraw 10 BTC, and are left with -8 BTC, the software would see that you deposited 2, withdrew 10, and have exactly what you should: -8."
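The two failures D'Agosta describes above (a balance check that is not atomic with the debit, and an audit that only checks arithmetic rather than sign) can be reproduced in a small in-memory model. The following Python is an added illustration written for this page; it is not Poloniex's code and makes no claim about how their database or withdrawal daemon was actually built. It assumes a constructed scenario mirroring the quote: an account holding 2 BTC fires five simultaneous 2 BTC withdrawals. The vulnerable ledger honours all five and ends at -8, the queued ledger (the "processed sequentially" fix D'Agosta refers to) honours one, and the two audit functions show why a deposits-minus-withdrawals check passes the -8 account while a negative-balance check catches it.

```python
import threading


class VulnerableLedger:
    """Check-then-act with no serialization, modelling the flaw the page describes.

    The balance is read in one step and debited in a later step. Every request
    whose read happens before the first debit lands sees the full balance and
    passes the check, so a burst of simultaneous requests is honoured in full.
    """

    def __init__(self, balance):
        self.balance = balance
        self.withdrawals = []             # rows the withdrawal daemon would pick up
        self._write_lock = threading.Lock()

    def request_withdrawal(self, amount, sync=lambda: None):
        if self.balance >= amount:        # 1. check: read the balance
            sync()                        # window between the check and the debit
            with self._write_lock:        # 2. debit: the write is atomic on its own ...
                self.balance -= amount    # ... but not atomic with the check above
                self.withdrawals.append(amount)
            return True
        return False


class QueuedLedger:
    """Hardened form: requests are processed one at a time, so the check and the
    debit form a single indivisible step and every request sees the balance
    left behind by the one before it."""

    def __init__(self, balance):
        self.balance = balance
        self.withdrawals = []
        self._queue_lock = threading.Lock()

    def request_withdrawal(self, amount, sync=lambda: None):
        sync()                            # requests may still arrive simultaneously ...
        with self._queue_lock:            # ... but they are serialized from here on
            if self.balance < amount:
                return False
            self.balance -= amount
            self.withdrawals.append(amount)
            return True


def simultaneous_burst(ledger, amount, n):
    """Fire n identical withdrawal requests that reach the ledger at the same
    instant (a Barrier releases them together). Assumes each request passes the
    balance check on its own, i.e. amount <= starting balance, as in the page's
    scenario. Returns (final balance, total amount handed to the daemon)."""
    barrier = threading.Barrier(n)
    threads = [
        threading.Thread(target=ledger.request_withdrawal, args=(amount, barrier.wait))
        for _ in range(n)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return ledger.balance, sum(ledger.withdrawals)


def naive_audit(deposits, withdrawals, balance):
    """The audit D'Agosta describes: the ledger is 'in balance' when deposits
    minus withdrawals equals the recorded balance. 2 deposited, 10 withdrawn,
    -8 remaining passes, because -8 is exactly what the arithmetic predicts."""
    return sum(deposits) - sum(withdrawals) == balance


def audit(deposits, withdrawals, balance):
    """Hardened audit: the arithmetic must hold AND no account may be negative."""
    return naive_audit(deposits, withdrawals, balance) and balance >= 0


if __name__ == "__main__":
    # Constructed scenario: 2 BTC on deposit, five simultaneous 2 BTC withdrawals.
    for cls in (VulnerableLedger, QueuedLedger):
        ledger = cls(2.0)
        balance, sent = simultaneous_burst(ledger, 2.0, 5)
        print(f"{cls.__name__}: balance={balance}, sent to daemon={sent}")
        print("  naive audit:", naive_audit([2.0], ledger.withdrawals, balance),
              " negative-balance audit:", audit([2.0], ledger.withdrawals, balance))
```

The barrier is what makes the race deterministic for demonstration purposes; in production the same window is simply the latency between the balance read and the debit write, and the number of requests that slip through depends on timing. The fix is not a faster database but removing the window entirely, by serializing check-and-debit per account (a queue, a row lock, or a single conditional update), and then adding an audit that treats any negative balance as an alert rather than as arithmetic that happens to add up.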

Potential Exploiter Address: 1Ktq7TE3J5vZ3c99M5weqKfFcNkHQdqPrq [5]

Total Amount Lost

Sources consistently report the loss as 97 BTC[10][12][13][14][15]; however, the blockchain address believed to belong to the exploiter has received only 76.6959 BTC[5].

Kyle Gibson claims the amount lost is $1,000 USD[14].

The closing market price for bitcoin on March 3rd, 2014 was $667.76[16]. Therefore 97 bitcoin would have an expected market value of $64,772.72.

The total amount lost has been estimated at $65,000 USD.

Immediate Reactions

Poloniex admitted to the failure in a BitcoinTalk thread titled "BTC Stolen from Poloniex"[4].

Poloniex Admission Of Failure

Poloniex's owner, busoni, acknowledged the gravity of the situation and sought input from the BitcoinTalk community on how to address the stolen funds. Options such as paying back over time with exchange fees or selling shares of Poloniex were discussed[17].

"I sincerely apologize for this," Poloniex's owner wrote in a statement, "and I am very grateful to the many people who have already expressed their support and belief in my character. I take full responsibility; I will be donating some of my own money, and I will not be taking profit before the debt is paid." "The company has committed to operating at a fractional reserve until it can replenish the losses itself."

Reactions From BitcoinTalk Community

The discussion unfolds with various forum members expressing their views and concerns regarding the incident and its implications[17]. One member, cubicdissection, defends Poloniex, emphasizing the challenges of running a business and commending the exchange's efforts to address the situation transparently. Another member, chiznitz, provides technical insights into potential security measures to prevent similar incidents in the future[17].

Throughout the thread, there is a mix of support for Poloniex, suggestions for improvement, and skepticism regarding the handling of the incident[17]. Some members express confidence in Poloniex's security measures, while others voice concerns about the security vulnerabilities and the fairness of fund reimbursement procedures[17].

Polls About Path Forward

Multiple polls were run through BitcoinTalk[7][8]. Members suggested various solutions, including issuing shares, implementing SMS verification, and raising transaction fees[7]. Some propose distributing "Polopoints" as compensation or splitting losses among all users[7]. Others advocate for transparency regarding the incident and providing detailed information[7]. Despite differing opinions, there's a consensus on the urgency of resolving the situation and improving security measures[7]. Members express frustration with the exchange's handling of the situation and emphasize the importance of restoring trust among users[7].

Controversy About Late Depositors

One repeated theme of concern was users who had deposited after the exploit and whose funds were trapped, because deposits were still being accepted while withdrawals were not[18]. Busoni indicated early on that he planned to make an exception for those users[19]; however, there was still concern long after this clarification[18].

About recent deposits--it really wouldn't be fair to deduct deposits made after the BTC was taken. Obviously I should have posted a notice on the Balances page, but it is not difficult to make an exception for recent deposits.

Ultimate Outcome

Details of the exploit were later posted by Poloniex founder Tristan D'Agosta, who used the username Busoni on BitcoinTalk. The Poloniex platform ultimately relaunched with greater security and repaid all customers the missing amounts. The incident was included in several different hack lists, and also received special attention as one of the top 5 hacks.

Announcement By Poloniex

Poloniex owner and founder Tristan D'Agosta (with username busoni) came clean about the withdrawals and balance shortfall of all users on the platform[4].

I take full responsibility for this and am committed to repaying the debt of BTC. The exchange funds are 12.3% short. Because there is not enough BTC to cover everyone's balances, all balances will temporarily be deducted by 12.3%. Please understand that this is an absolute necessity--if I did not make this adjustment, people would most likely withdraw all their BTC as soon as possible in order to make sure they weren't left in that remaining 12.3%. Aside from the obvious drawback of most of the BTC being taken out of the exchange, this would not be fair--some people would get all of their money right away, and a few would get none right away.

Updated Homepage

Tristan D'Agosta publicly acknowledged the flaws in the exchange's security measures and implemented changes to prevent future breaches, including queuing withdrawals and enhancing auditing and security features[11]. The Poloniex homepage following the incident appeared to take a more security-focused approach[2]. In terms of security, Poloniex promised to ensure the safety of customer funds by keeping the majority of them in cold storage[2]. The entire exchange reported undergoing continual audits and inspections to detect any unusual activity, with two-factor authentication available for added protection[2]. Poloniex confirmed to CoinDesk that they had implemented enhanced security measures, including automatic auditing, server security enhancements, and redesigned command processing to prevent similar attacks in the future[9].

Repayments Praised

Customer feedback regarding Poloniex's reimbursement process has been largely positive[9]. Dor Konforty, CEO of Uppbit.com, praised the company's transparency and D'Agosta's accountability, expressing confidence in the reimbursement process[9]. While some customers have confirmed receiving reimbursements, others have not responded to inquiries from CoinDesk[9]. Despite the breach, Poloniex experienced a boost in trading volume, partly attributed to the success of altcoins like Monero (XMR), which facilitated faster customer repayments[9]. D'Agosta acknowledged Monero's role in aiding the exchange's recovery, highlighting Poloniex's support for innovative cryptocurrencies[9].

Poloniex's successful reimbursement of affected customers was compared to similar efforts in the industry, such as Silk Road 2.0's repayment following a hack in February[9]. These instances demonstrate the viability of customer repayment plans and suggest a potential strategy for cryptocurrency businesses to manage setbacks effectively[9]. Overall, Poloniex's swift response, coupled with customer satisfaction and altcoin trading success, underscores the resilience and adaptability of the cryptocurrency industry in overcoming challenges[9].

Inclusion And Recognition

The incident was ultimately included in lists compiled by Bitcoin Magazine[12], Kyle Gibson[14], the Bitcoin Exchange Guide[20], and Slowmist[13][15]. It received recognition as one of the top 6 attacks by CoinSutra[10] and one of the top 5 attacks by CoinTelegraph[11], although it is unclear what it was about the Poloniex hack that warranted such mention as one of the top hacking cases. The amount lost is significantly smaller than many other cases.

Total Amount Recovered

Poloniex claims to have repaid all customers who suffered losses in this attack[9]. According to Poloniex owner Tristan D’Agosta, 97 BTC were taken and 97 BTC were repaid, with the exchange using its profits to compensate affected customers[9]. D'Agosta emphasized that the value of bitcoin remained relatively stable during this period[9].

There do not appear to have been any funds recovered in this case.

Ongoing Developments

The Poloniex platform continues to operate. CoinSutra reports that there may have been additional hacks against the Poloniex platform in 2017, however this has not been confirmed[10].

The Poloniex platform would go on to ultimately be acquired by Circle in 2018 and other investors such as Justin Sun in 2019[3].

Individual Prevention Policies

While no individuals ultimately lost funds in this case, users were unable to access or use the deducted portion of their balances for the duration of the incident while balances were temporarily reduced by 12.3%.

When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.

Store the majority of funds offline. Offline means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Poloniex Homepage Archive March 7th, 2014 11:24:34 PM MST (Accessed Mar 4, 2024)
  2. Poloniex Homepage Archive October 11th, 2014 3:51:50 PM MDT (Accessed Mar 4, 2024)
  3. Poloniex Hot Wallets Hacked With $114M Seemingly Stolen: On-Chain Data - CoinDesk (Accessed Mar 8, 2024)
  4. BTC Stolen from Poloniex - BitcoinTalk (Mar 1, 2020)
  5. Potential Poloniex Exploiter Address - Blockchain.com (Accessed Mar 6, 2024)
  6. First Blockchain Transaction In Thief's Wallet - Blockchain.com (Accessed Mar 6, 2024)
  7. DarkTrix - How to Deal with Poloniex situation - BitcoinTalk (Accessed Mar 7, 2024)
  8. busoni - "I would like to thank everyone for their support and understanding. It really means a lot. Having other people's money taken under my watch has made me feel just about as awful as I've ever felt in my life." - BitcoinTalk (Accessed Mar 7, 2024)
  9. Poloniex Claims All Customers Repaid Following March Bitcoin Hack - CoinDesk (Accessed Mar 5, 2024)
  10. Top 6 Biggest Bitcoin Hacks Ever - CoinSutra (Accessed Mar 2, 2020)
  11. Crypto Exchange Hacks in Review: Proactive Steps and Expert Advice - CoinTelegraph (Mar 2, 2020)
  12. Infographic: An Overview of Compromised Bitcoin Exchange Events - Bitcoin Magazine (Jan 30, 2020)
  13. SlowMist Hacked - SlowMist Zone (Jun 26, 2021)
  14. 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents - Kyle Gibson (Jan 25, 2020)
  15. SlowMist Exchange Hacks - Page 8 Archive March 5th, 2024 4:44:02 PM MST (Accessed Mar 5, 2024)
  16. Bitcoin Historic Price Data - CoinMarketCap (Accessed Mar 8, 2024)
  17. Re: BTC Stolen from Poloniex - BitcoinTalk (Accessed Mar 6, 2024)
  18. Re: BTC Stolen from Poloniex Page 14 - BitcoinTalk (Accessed Mar 6, 2023)
  19. Busoni - "About recent deposits--it really wouldn't be fair to deduct deposits made after the BTC was taken. Obviously I should have posted a notice on the Balances page, but it is not difficult to make an exception for recent deposits." - BitcoinTalk (Accessed Mar 6, 2024)
  20. Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com (Mar 5, 2020)