Security weaknesses in bitcoin transaction sites Poloniex and Flexcoin were discovered by hackers, leading to a string of bitcoin thefts. The stolen bitcoins cost Poloniex users 12.3% of their bitcoins, and Flexcoin was forced to shut down its operations.
Flexcoin, which prides itself on being the “world’s first bitcoin bank”, said that the hacker began their attack by creating a Flexcoin account and depositing bitcoins into it. The bitcoin bank said that the attacker exploited a flaw in the code that transfers funds between accounts.
“By sending thousands of simultaneous requests, the attacker was able to ‘move’ coins from one user account to another until the sending account was overdrawn, before balances were updated. This was then repeated through multiple accounts, snowballing the amount, until the attacker withdrew the coins.”
The vulnerability was a flaw in Flexcoin’s own code, which did not account for an account being overdrawn. Amichai Shulman, CTO of security firm Imperva, says that these attacks reminded him of the struggles online banking went through 10 years ago. Shulman claims that having a single vulnerability is excusable, but failing to monitor operations so that its exploitation is detected is not.
In an email written by Tim Erlin, director of security risk strategy at security firm Tripwire, he writes:
“Without more details, it’s hard to say exactly how complex the condition was, but the fact that it required multiple active accounts and requests does make it less likely that they would have found this condition through basic testing.”
Erlin adds that the complexity of the hack isn’t what’s important. The fact remains that it was enough to put Flexcoin down and out.
The Poloniex bitcoin exchange announced on March 4th that a hack attack cost the company and its users 12.3% of their bitcoins. There is no information on whether or not the attack is related to the Flexcoin hack.
A Poloniex user by the name of ‘busoni’ claimed to be the exchange’s owner and wrote on the BitcoinTalk forum:
“The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time. This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon. The major problem here is that the auditing and security features were not explicitly looking for negative balances.”
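Both accounts above (Flexcoin’s “thousands of simultaneous requests” and busoni’s “several withdrawals all in practically the same instant”) describe the same defect: the balance is read and checked in one step and decremented in another, so concurrent requests all pass the check against the same stale value. The block below is an added illustration, not code from either exchange, using a constructed in-memory SQLite ledger with a single hypothetical account. It models the worst-case interleaving deterministically (all reads before any write), shows the atomic conditional update that closes the window, and includes the negative-balance audit query busoni says was missing.

```python
import sqlite3


def make_ledger(balance=100):
    """Constructed in-memory ledger with one hypothetical account (stands in for the exchange DB)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.execute("INSERT INTO accounts VALUES (?, ?)", ("user-a", balance))
    conn.commit()
    return conn


def get_balance(conn, account):
    return conn.execute("SELECT balance FROM accounts WHERE id = ?", (account,)).fetchone()[0]


def withdraw_check_then_act(conn, account, amounts):
    """Vulnerable pattern: read the balance, compare, then decrement in a separate statement.

    Models the worst case for a burst of simultaneous requests: every request reads the
    balance before any of them writes, so every check passes against the same stale value
    and the account ends up negative. Returns the list of approved withdrawal amounts."""
    approved = []
    snapshots = [(amt, get_balance(conn, account)) for amt in amounts]  # phase 1: all reads
    for amt, seen in snapshots:                                          # phase 2: all writes
        if seen >= amt:                                                  # stale check
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amt, account))
            approved.append(amt)
    conn.commit()
    return approved


def withdraw_atomic(conn, account, amounts):
    """Fixed pattern: check and decrement are a single statement, evaluated against the
    current row under the database's write lock. A request that would overdraw the
    account matches zero rows and is rejected, however many arrive at once."""
    approved = []
    for amt in amounts:
        cur = conn.execute(
            "UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?",
            (amt, account, amt),
        )
        if cur.rowcount == 1:  # exactly one row changed means the debit was applied
            approved.append(amt)
    conn.commit()
    return approved


def audit_negative_balances(conn):
    """Detection control: the invariant that should never be violated. Run it continuously
    and halt the withdrawal daemon when it returns anything."""
    return [row[0] for row in conn.execute("SELECT id FROM accounts WHERE balance < 0")]


if __name__ == "__main__":
    burst = [80, 80, 80]  # constructed: three withdrawals of 80 against a balance of 100

    vulnerable = make_ledger()
    print("check-then-act approved:", withdraw_check_then_act(vulnerable, "user-a", burst))
    print("balance:", get_balance(vulnerable, "user-a"), "audit:", audit_negative_balances(vulnerable))

    fixed = make_ledger()
    print("atomic update approved:", withdraw_atomic(fixed, "user-a", burst))
    print("balance:", get_balance(fixed, "user-a"), "audit:", audit_negative_balances(fixed))
```

On a real multi-user database the same idea is usually paired with a transaction that locks the account row (for example `SELECT ... FOR UPDATE` or a serializable isolation level) so the withdrawal daemon only ever sees debits the database has already accepted; the audit query is cheap enough to run on every withdrawal batch rather than as a periodic report.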
All aspects of the site have to be constantly monitored in order to ensure a safer site. Both Poloniex and Flexcoin had to learn this lesson the hard way.
However, Poloniex was more fortunate than Flexcoin in that it detected the unusual activity and froze all transactions before the damage went too far beyond repair. For now, Poloniex has suspended all withdrawals until the issue gets resolved.
Busoni did not say exactly how many bitcoins the stolen 12.3% amounted to. He plans to stop charging users transaction fees and to put in some of his own money to make up for the lost coins. He added:
“If I had the money to cover the entire debt right now, I would cover it in a heartbeat. I simply don’t, and I can’t just pull it out of thin air.”
‘Tower of Cards’ Effect
“We see ‘financial’ organizations related to bitcoin collapsing like a tower of cards.”
He explains that the inability of institutions like Poloniex and Flexcoin to recover from such losses pales in comparison to mature financial markets. Shulman feels there are benefits to centralization, and that bitcoin should have a reliable structure as government-issued currencies do.
Erlin says bitcoin has proven itself a solid currency, since people want it badly enough to steal it. As flattering as that is, if bitcoin continues to be stolen, the digital currency industry will be ruined.