Withdrawal vulnerabilities enabled bitcoin theft from Flexcoin and Poloniex

The flaws allowed hackers to overdraw accounts on the two websites without being detected

Hackers found security weaknesses that allowed them to overdraw accounts with Flexcoin and Poloniex, two websites that facilitate bitcoin transactions, and exploited them to steal bitcoins from the two services. The attacks put Flexcoin out of business and cost Poloniex's users 12.3 percent of their bitcoins.

Flexcoin, which described itself as the "world's first bitcoin bank," announced Monday that it was closing down after hackers stole 896 bitcoins worth around US$600,000 from its "hot wallet" -- a bitcoin wallet connected to the Internet. The company released more details about the hack in an update posted on its website late Tuesday.

The attacker first created a new Flexcoin account and deposited some bitcoins into it, Flexcoin said in the update. He then "successfully exploited a flaw in the code which allows transfers between flexcoin users. By sending thousands of simultaneous requests, the attacker was able to 'move' coins from one user account to another until the sending account was overdrawn, before balances were updated. This was then repeated through multiple accounts, snowballing the amount, until the attacker withdrew the coins."

The company described the vulnerability as a flaw in its front-end, but did not clarify why its system didn't account for overdrawing.

"The description from Flexcoin reminds me of vulnerabilities I used to see in online banking applications 10 years ago," said Amichai Shulman, CTO of security firm Imperva, via email. "An individual vulnerability is excusable, not having monitoring in place to timely detect it is not."

"Without more details, it's hard to say exactly how complex the condition was, but the fact that it required multiple active accounts and requests does make it less likely that they would have found this condition through basic testing," said Tim Erlin, director of security risk strategy at security firm Tripwire, via email.

However, whether the vulnerability was complex or basic is not as important as the impact it had, Erlin said. "The seriousness of the flaw is evidenced by the impact: Flexcoin is out of business."

A bitcoin exchange called Poloniex also announced Tuesday that an attacker stole 12.3 percent of its funds using a technique that resulted in overdrawn accounts. However, it's not clear if the attack is related to the one against Flexcoin.

"The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time," a user named busoni, who identified himself as the owner of the Poloniex exchange, said on the BitcoinTalk forum. "This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon. The major problem here is that the auditing and security features were not explicitly looking for negative balances."

Poloniex was more fortunate than Flexcoin because it detected the unusual withdrawal activity and froze transactions before the attacker caused more damage. Withdrawals from the exchange have been suspended until the problem is sorted out.
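The overdraw that both Flexcoin and Poloniex describe is a check-then-act race: every withdrawal request that arrives before the first debit is written reads the same balance and is approved. The following is an added example (not code from either exchange) that reproduces the race against a constructed in-memory ledger, shows the fix of making the check and the debit one atomic step, and adds the negative-balance audit rule that Poloniex said its monitoring lacked; `Ledger`, `fire_concurrent` and `audit_negative_balances` are hypothetical names.

```python
import threading
import time


class Ledger:  # constructed in-memory stand-in for the exchange's account table
    def __init__(self, balances, delay=0.1):
        self.balances = dict(balances)
        self.delay = delay  # simulated round-trip between the balance check and the debit
        self.lock = threading.Lock()

    def withdraw_vulnerable(self, account, amount):
        # Check-then-act with no synchronisation: every request that arrives before
        # the first debit lands reads the same balance, so all of them are approved.
        if self.balances[account] >= amount:
            time.sleep(self.delay)
            self.balances[account] -= amount
            return True
        return False

    def withdraw_safe(self, account, amount):
        # Check and debit are one critical section. Against a real database the
        # equivalent is a single conditional UPDATE (... WHERE balance >= amount)
        # whose affected-row count decides whether the withdrawal proceeds.
        with self.lock:
            if self.balances[account] >= amount:
                time.sleep(self.delay)
                self.balances[account] -= amount
                return True
            return False


def fire_concurrent(withdraw, account, amount, n):
    """Release n identical withdrawal requests at once; returns how many were approved."""
    barrier, approved = threading.Barrier(n), []

    def worker():
        barrier.wait()  # all threads reach the balance check within microseconds
        if withdraw(account, amount):
            approved.append(1)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(approved)


def audit_negative_balances(ledger):
    """The monitoring rule that was missing: flag any account below zero."""
    return {acct: bal for acct, bal in ledger.balances.items() if bal < 0}
```

With a balance of 1, ten simultaneous withdrawals of 1 are all approved by `withdraw_vulnerable` and the audit flags the account, while `withdraw_safe` approves exactly one and the audit stays empty.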

The Poloniex owner did not specify how many bitcoins 12.3 percent of the funds represent, but he plans to evenly deduct the lost amount from all user balances and recover it in time from exchange fees, which will be raised to expedite the process.

He also said that he will cover a portion of the debt from his own money, but not all of it. "If I had the money to cover the entire debt right now, I would cover it in a heartbeat," he said. "I simply don't, and I can't just pull it out of thin air."

The Flexcoin and Poloniex incidents come after Mt. Gox said that hackers stole a large amount of bitcoins from the prominent bitcoin exchange, leading the company to declare bankruptcy last week.

Shulman is concerned about the pattern of security breaches over the past few months that resulted in thefts from bitcoin exchanges and other services.

"We see 'financial' organizations related to bitcoin collapsing like a tower of cards," he said. "Not having any ability to recover (financially) from an online attack is not something we would expect in a mature financial market. I think that what bitcoin users are learning now, the hard way, is that there are some benefits to the existing 'centralized,' regulated financial infrastructure (like supervision and insurance for example)."

Erlin believes the recent rash of bitcoin thefts is in fact evidence that Bitcoin is a valid currency system. However, "it will only remain so if the market can mature the level of protection around it," he said.

"Since there is no oversight to audit implementations of Bitcoin processes, and no organization that backs the currency, I suspect we'll see more incidents like this and some of those incidents will affect individuals, as well as businesses like Flexcoin," said Dwayne Melancon, CTO of Tripwire, via email.

According to the Bitcoin wiki site, keeping a large number of bitcoins in a hot wallet is "a fundamentally poor security practice." It's common for bitcoin exchanges to keep some funds in hot wallets in order to facilitate immediate withdrawals, but the best practice is to only do this with small amounts.

"Flexcoin has made every attempt to keep our servers as secure as possible, including regular testing," Flexcoin said. "In our ~3 years of existence we have successfully repelled thousands of attacks. But in the end, this was simply not enough."

"Having this be the demise of our small company, after the endless hours of work we've put in, was never our intent," the company said. "We've failed our customers, our business, and ultimately the Bitcoin community."
