Withdrawal vulnerabilities enabled bitcoin theft from Flexcoin and Poloniex
The flaws allowed hackers to overdraw accounts on the two websites without being detected
By Lucian Constantin | Published: 18:09, 05 March 2014
Hackers found security weaknesses that allowed them to overdraw accounts with Flexcoin and Poloniex, two websites that facilitate bitcoin transactions, and exploited them to steal bitcoins from the two services. The attacks put Flexcoin out of business and cost Poloniex's users 12.3 percent of their bitcoins.
Flexcoin, which described itself as the "world's first bitcoin bank," announced Monday that it was closing down after hackers stole 896 bitcoins worth around US$600,000 from its "hot wallet" -- a bitcoin wallet connected to the Internet. The company released more details about the hack in an update posted on its website late Tuesday.
The attacker first created a new Flexcoin account and deposited some bitcoins into it, Flexcoin said in the update. He then "successfully exploited a flaw in the code which allows transfers between flexcoin users. By sending thousands of simultaneous requests, the attacker was able to 'move' coins from one user account to another until the sending account was overdrawn, before balances were updated. This was then repeated through multiple accounts, snowballing the amount, until the attacker withdrew the coins."
The company described the vulnerability as a flaw in its front-end, but did not explain why its system did not prevent accounts from being overdrawn.
"The description from Flexcoin reminds me of vulnerabilities I used to see in online banking applications 10 years ago," said Amichai Shulman, CTO of security firm Imperva, via email. "An individual vulnerability is excusable, not having monitoring in place to timely detect it is not."
"Without more details, it's hard to say exactly how complex the condition was, but the fact that it required multiple active accounts and requests does make it less likely that they would have found this condition through basic testing," said Tim Erlin, director of security risk strategy at security firm Tripwire, via email.
However, whether the vulnerability was complex or basic is not as important as the impact it had, Erlin said. "The seriousness of the flaw is evidenced by the impact: Flexcoin is out of business."
A bitcoin exchange called Poloniex also announced Tuesday that an attacker stole 12.3 percent of its funds using a technique that resulted in overdrawn accounts. However, it's not clear if the attack is related to the one against Flexcoin.
"The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time," a user named busoni, who identified himself as the owner of the Poloniex exchange, said on the BitcoinTalk forum. "This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon. The major problem here is that the auditing and security features were not explicitly looking for negative balances."
Poloniex was more fortunate than Flexcoin because it detected the unusual withdrawal activity and froze transactions before the attacker caused more damage. Withdrawals from the exchange have been suspended until the problem is sorted out.
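The Flexcoin transfer race and the Poloniex withdrawal race described above share one defect: the balance check and the debit are separate steps, so requests that arrive together all pass the check against the same funded balance. This added example (not code from either exchange; the ledger, account name and amounts are constructed) replays that worst-case interleaving deterministically against a check-then-act withdrawal and against a single conditional update, and adds the negative-balance audit query that Poloniex said its auditing lacked.

```python
import sqlite3

def new_ledger(opening_balance):
    """Constructed in-memory ledger: one account 'alice' funded with opening_balance."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    db.execute("CREATE TABLE withdrawals (account TEXT, amount INTEGER)")
    db.execute("INSERT INTO accounts VALUES ('alice', ?)", (opening_balance,))
    db.commit()
    return db

def race_withdrawals(db, account, amount, requests, atomic):
    """Replay the worst-case interleaving of `requests` simultaneous withdrawals:
    every request's balance check runs before any request's debit.
    atomic=False is the check-then-act code; atomic=True is the fixed version.
    Returns (final balance, total queued for payout)."""
    if not atomic:
        # Step 1, all requests: read the balance and approve. Each sees the same funded balance.
        approved = [db.execute("SELECT balance FROM accounts WHERE id=?",
                               (account,)).fetchone()[0] >= amount
                    for _ in range(requests)]
        # Step 2, all requests: debit unconditionally and queue a payout for the
        # withdrawal daemon. The ledger goes negative but every row is "valid".
        for ok in approved:
            if ok:
                db.execute("UPDATE accounts SET balance = balance - ? WHERE id=?", (amount, account))
                db.execute("INSERT INTO withdrawals VALUES (?, ?)", (account, amount))
        db.commit()
    else:
        # Check and debit are one statement, so the database serialises them: a request
        # whose balance condition fails updates zero rows and is rejected without a payout.
        for _ in range(requests):
            with db:  # debit and payout row commit or roll back together
                cur = db.execute("UPDATE accounts SET balance = balance - ? "
                                 "WHERE id=? AND balance >= ?", (amount, account, amount))
                if cur.rowcount == 1:
                    db.execute("INSERT INTO withdrawals VALUES (?, ?)", (account, amount))
    paid_out = db.execute("SELECT COALESCE(SUM(amount), 0) FROM withdrawals").fetchone()[0]
    balance = db.execute("SELECT balance FROM accounts WHERE id=?", (account,)).fetchone()[0]
    return balance, paid_out

def audit_negative_balances(db):
    """Detection control: any account below zero means the invariant was broken."""
    return db.execute("SELECT id, balance FROM accounts WHERE balance < 0").fetchall()
```

Running five simultaneous 10-coin withdrawals against a 10-coin account leaves the vulnerable ledger at -40 with 50 coins queued for payout, while the conditional update pays out once and stops at zero; the audit query flags the first case and returns nothing for the second.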
The Poloniex owner did not specify how many bitcoins 12.3 percent of the funds represent, but he plans to evenly deduct the lost amount from all user balances and recover it in time from exchange fees, which will be raised to expedite the process.
He also said that he will cover a portion of the debt from his own money, but not all of it. "If I had the money to cover the entire debt right now, I would cover it in a heartbeat," he said. "I simply don't, and I can't just pull it out of thin air."
The Flexcoin and Poloniex incidents come after Mt. Gox said that hackers stole a large amount of bitcoins from the prominent bitcoin exchange, leading the company to declare bankruptcy last week.
Shulman is concerned about the pattern of security breaches over the past few months that resulted in thefts from bitcoin exchanges and other services.
"We see 'financial' organizations related to bitcoin collapsing like a tower of cards," he said. "Not having any ability to recover (financially) from an online attack is not something we would expect in a mature financial market. I think that what bitcoin users are learning now, the hard way, is that there are some benefits to the existing 'centralized,' regulated financial infrastructure (like supervision and insurance for example)."
Erlin believes the recent rash of bitcoin thefts is in fact evidence that Bitcoin is a valid currency system. However, "it will only remain so if the market can mature the level of protection around it," he said.
"Since there is no oversight to audit implementations of Bitcoin processes, and no organization that backs the currency, I suspect we'll see more incidents like this and some of those incidents will affect individuals, as well as businesses like Flexcoin," said Dwayne Melancon, CTO of Tripwire, via email.
According to the Bitcoin wiki site, keeping a large number of bitcoins in a hot wallet is "a fundamentally poor security practice." It's common for bitcoin exchanges to keep some funds in hot wallets in order to facilitate immediate withdrawals, but the best practice is to only do this with small amounts.
"Flexcoin has made every attempt to keep our servers as secure as possible, including regular testing," Flexcoin said. "In our ~3 years of existence we have successfully repelled thousands of attacks. But in the end, this was simply not enough."
"Having this be the demise of our small company, after the endless hours of work we've put in, was never our intent," the company said. "We've failed our customers, our business, and ultimately the Bitcoin community."