
Withdrawal vulnerabilities enabled bitcoin theft from Flexcoin and Poloniex

Lucian Constantin | March 6, 2014
The flaws allowed hackers to overdraw accounts on the two websites without being detected.

Poloniex was more fortunate than Flexcoin because it detected the unusual withdrawal activity and froze transactions before the attacker caused more damage. Withdrawals from the exchange have been suspended until the problem is sorted out.

The Poloniex owner did not specify how many bitcoins 12.3 percent of the funds represent, but he plans to evenly deduct the lost amount from all user balances and recover it in time from exchange fees, which will be raised to expedite the process.

He also said that he will cover a portion of the debt from his own money, but not all of it. "If I had the money to cover the entire debt right now, I would cover it in a heartbeat," he said. "I simply don't, and I can't just pull it out of thin air."

The Flexcoin and Poloniex incidents come after Mt. Gox said that hackers stole a large amount of bitcoins from the prominent bitcoin exchange, leading the company to declare bankruptcy last week.

Shulman is concerned about the pattern of security breaches over the past few months that resulted in thefts from bitcoin exchanges and other services.

"We see 'financial' organizations related to bitcoin collapsing like a tower of cards," he said. "Not having any ability to recover (financially) from an online attack is not something we would expect in a mature financial market. I think that what bitcoin users are learning now, the hard way, is that there are some benefits to the existing 'centralized,' regulated financial infrastructure (like supervision and insurance for example)."

Erlin believes the recent rash of bitcoin thefts is in fact evidence that Bitcoin is a valid currency system. However, "it will only remain so if the market can mature the level of protection around it," he said.

"Since there is no oversight to audit implementations of Bitcoin processes, and no organization that backs the currency, I suspect we'll see more incidents like this and some of those incidents will affect individuals, as well as businesses like Flexcoin," said Dwayne Melancon, CTO of Tripwire, via email.

According to the Bitcoin wiki site, keeping a large number of bitcoins in a hot wallet is "a fundamentally poor security practice." It's common for bitcoin exchanges to keep some funds in hot wallets in order to facilitate immediate withdrawals, but the best practice is to only do this with small amounts.
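The two controls this page touches on, refusing any withdrawal that would overdraw an account and keeping only a small float in the hot wallet, can be shown together in a toy ledger. The code below is an added illustration, not code from Flexcoin, Poloniex or the Bitcoin wiki, and the article does not describe how the exchanges' flaws actually worked; the example simply assumes that simultaneous withdrawal requests against one balance are a realistic load and shows a ledger that (1) checks and debits under a single lock so no balance or the hot wallet can go negative, (2) freezes withdrawals once the rolling volume passes a threshold, the kind of automatic halt Poloniex's detection is described as achieving manually, and (3) sweeps anything above a cap out of the hot wallet. The user names, amounts, thresholds and the `WithdrawalRejected` messages are all constructed.

```python
import threading
from collections import deque

SATOSHI = 100_000_000  # 1 BTC in satoshis; balances are integers to avoid float drift


class WithdrawalRejected(Exception):
    """Raised for any withdrawal the ledger refuses to execute."""


class Ledger:
    """Constructed toy exchange ledger (example code, not any exchange's own).

    Three defensive controls are combined:
      1. check-and-debit under one lock, so no interleaving of requests can
         drive a user balance or the hot wallet below zero;
      2. a rolling-window withdrawal volume threshold that freezes all
         withdrawals for manual review once exceeded;
      3. a hot-wallet cap, with the excess swept to a cold balance that the
         withdrawal path cannot touch.
    """

    def __init__(self, hot_wallet_cap_sat, freeze_threshold_sat, window_seconds=60):
        self._lock = threading.Lock()
        self.balances = {}              # user -> satoshis owed to that user
        self.hot_wallet = 0             # satoshis available for immediate payout
        self.cold_storage = 0           # satoshis held offline (assumed unreachable here)
        self.hot_wallet_cap = hot_wallet_cap_sat
        self.freeze_threshold = freeze_threshold_sat
        self.window = window_seconds
        self._recent = deque()          # (timestamp, amount) of completed withdrawals
        self.frozen = False

    def deposit(self, user, amount_sat):
        with self._lock:
            self.balances[user] = self.balances.get(user, 0) + amount_sat
            self.hot_wallet += amount_sat

    def sweep_to_cold(self):
        """Move everything above the hot-wallet cap offline; returns the amount swept."""
        with self._lock:
            excess = max(0, self.hot_wallet - self.hot_wallet_cap)
            self.hot_wallet -= excess
            self.cold_storage += excess
            return excess

    def withdraw(self, user, amount_sat, now):
        """Debit the user and the hot wallet atomically; returns the new user balance."""
        if amount_sat <= 0:
            raise WithdrawalRejected("amount must be positive")
        with self._lock:
            if self.frozen:
                raise WithdrawalRejected("withdrawals frozen pending review")
            balance = self.balances.get(user, 0)
            if balance < amount_sat:
                raise WithdrawalRejected("insufficient balance")
            if self.hot_wallet < amount_sat:
                raise WithdrawalRejected("hot wallet cannot cover; needs cold-storage release")
            # Drop completed withdrawals that have aged out of the window.
            while self._recent and now - self._recent[0][0] > self.window:
                self._recent.popleft()
            if sum(a for _, a in self._recent) + amount_sat > self.freeze_threshold:
                self.frozen = True       # trip the breaker before any funds move
                raise WithdrawalRejected("unusual withdrawal volume; withdrawals frozen")
            self.balances[user] = balance - amount_sat
            self.hot_wallet -= amount_sat
            self._recent.append((now, amount_sat))
            return self.balances[user]


def concurrent_withdrawals(ledger, user, amount_sat, now, n_threads=16):
    """Submit n identical withdrawal requests at the same moment and report
    how many the ledger honoured; returns (successes, rejection reasons)."""
    outcomes = []
    def attempt():
        try:
            ledger.withdraw(user, amount_sat, now)
            outcomes.append("ok")
        except WithdrawalRejected as exc:
            outcomes.append(str(exc))
    threads = [threading.Thread(target=attempt) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return outcomes.count("ok"), [o for o in outcomes if o != "ok"]


if __name__ == "__main__":
    ledger = Ledger(hot_wallet_cap_sat=10 * SATOSHI, freeze_threshold_sat=50 * SATOSHI)
    ledger.deposit("alice", 1 * SATOSHI)
    ok, rejected = concurrent_withdrawals(ledger, "alice", 1 * SATOSHI, now=0)
    print(f"{ok} of {ok + len(rejected)} simultaneous withdrawals honoured; "
          f"balance now {ledger.balances['alice']} sat, hot wallet {ledger.hot_wallet} sat")
```

The point of the single lock is that the balance check and the debit are one step; a design that checks in one query and debits in another leaves a gap in which a second request can pass the same check. The volume breaker and the cold sweep are what limit the loss when that invariant, or some other control, still fails: even a flaw that slips past the balance logic can only drain what the hot wallet holds before the freeze trips.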

"Flexcoin has made every attempt to keep our servers as secure as possible, including regular testing," Flexcoin said. "In our ~3 years of existence we have successfully repelled thousands of attacks. But in the end, this was simply not enough."

"Having this be the demise of our small company, after the endless hours of work we've put in, was never our intent," the company said. "We've failed our customers, our business, and ultimately the Bitcoin community."

