Digital currency exchange Poloniex, which trades bitcoin and other popular digital currencies such as litecoin, namecoin and dogecoin, has lost 12.3% of its total bitcoin supply in an attack.
The exchange took to Bitcoin Forum on 4th March to report it had been compromised by a previously unknown vulnerability in its coding.
Writing under the username Busoni, Poloniex owner Tristan DâAgosta, moved to calm concerned users by explaining what lead to the hack, as well as what the next steps from the company would be.
DâAgosta explained:
âThe hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time. This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon.â
DâAgosta also detailed the exact process by which transactions on the exchange were confirmed to highlight the error, and further, took full responsibility for the loss, stating that he plans to repay the companyâs customers.
According to a Twitter post from the company, the original attack occurred during the early morning hours of 4th March.
Aware that markets are frozen. Some BTC was stolen. Details coming as soon as possible.
â Poloniex Exchange (@Poloniex) March 4, 2014
Â
Due to its current bitcoin shortage, Poloniex indicated that all customer balances would temporarily be reduced by 12.3% âout of absolute necessityâ. DâAgosta suggested that this was the only way that bitcoins could be distributed fairly among affected users.
âIf I did not make this adjustment, people would most likely withdraw all their BTC as soon as possible in order to make sure they werenât left in that remaining 12.3%.â
Poloniex plans to record the balances and to pay back customers using exchange fees as well as personal contributions. As a result, he indicated that all exchange fees would be temporarily raised to 1.5%, up from 0.2%. Altcoin and bitcoin withdrawals have since been reinstated, going back online on 4th March after less than a dayâs delay.
â Poloniex Exchange (@Poloniex) March 4, 2014
Â
DâAgosta did also credit his design with preventing a more massive bitcoin loss. For example, he noted that the companyâs existing security features noticed the unusual withdrawal activity and froze affected accounts.
In the attack announcement, DâAgosta listed a number of next steps his company would follow, including updating the withdrawal daemon to check for negative balances before processing withdrawals and freezing any account with a negative balance.
According to its Twitter feed, updates have already been made.
Withdrawal system redesigned, now requests are processed sequentially from a global command queue.
â Poloniex Exchange (@Poloniex) March 5, 2014
Â
DâAgosta expressed his apologies for the attack and appealed to the community for continued feedback on he could improve the service. Said DâAgosta:
âI do not have the money to wave away the debt, so weâll need to work together.â
Response from the Bitcoin Talk community was largely positive, with many commenters posting messages of support for DâAgosta and his exchange.
Notably, the announcement follows a recent rush of attacks against bitcoin services, including Mt. Gox, Silk Road 2.0 â which has also embarked on a repayment plan, and Alberta-based âbitcoin bankâ Flexcoin, which shut down its services on 4th March after losing $600,000 in bitcoins.
Image credit: Cybercrime via Shutterstock