Withdrawal vulnerabilities enabled bitcoin theft from Flexcoin and Poloniex

The flaws allowed hackers to overdraw accounts on the two websites without being detected

Hackers found security weaknesses that allowed them to overdraw accounts with Flexcoin and Poloniex, two websites that facilitate bitcoin transactions, and exploited them to steal bitcoins from the two services. The attacks put Flexcoin out of business and cost Poloniex's users 12.3 percent of their bitcoins.

Flexcoin, which described itself as the "world's first bitcoin bank," announced Monday that it was closing down after hackers stole 896 bitcoins worth around US$600,000 from its "hot wallet" -- a bitcoin wallet connected to the Internet. The company released more details about the hack in an update posted on its website late Tuesday.

The attacker first created a new Flexcoin account and deposited some bitcoins into it, Flexcoin said in the update. He then "successfully exploited a flaw in the code which allows transfers between flexcoin users. By sending thousands of simultaneous requests, the attacker was able to 'move' coins from one user account to another until the sending account was overdrawn, before balances were updated. This was then repeated through multiple accounts, snowballing the amount, until the attacker withdrew the coins."

The company described the vulnerability as a flaw in its front-end, but did not clarify why its system didn't account for overdrawing.

"The description from Flexcoin reminds me of vulnerabilities I used to see in online banking applications 10 years ago," said Amichai Shulman, CTO of security firm Imperva, via email. "An individual vulnerability is excusable, not having monitoring in place to timely detect it is not."

"Without more details, it's hard to say exactly how complex the condition was, but the fact that it required multiple active accounts and requests does make it less likely that they would have found this condition through basic testing," said Tim Erlin, director of security risk strategy at security firm Tripwire, via email.

However, whether the vulnerability was complex or basic is not as important as the impact it had, Erlin said. "The seriousness of the flaw is evidenced by the impact: Flexcoin is out of business."

A bitcoin exchange called Poloniex also announced Tuesday that an attacker stole 12.3 percent of its funds using a technique that resulted in overdrawn accounts. However, it's not clear if the attack is related to the one against Flexcoin.

"The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time," a user named busoni, who identified himself as the owner of the Poloniex exchange, said on the BitcoinTalk forum. "This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon. The major problem here is that the auditing and security features were not explicitly looking for negative balances."

Poloniex was more fortunate than Flexcoin because it detected the unusual withdrawal activity and froze transactions before the attacker caused more damage. Withdrawals from the exchange have been suspended until the problem is sorted out.

The Poloniex owner did not specify how many bitcoins 12.3 percent of the funds represent, but he plans to evenly deduct the lost amount from all user balances and recover it in time from exchange fees, which will be raised to expedite the process.

He also said that he will cover a portion of the debt from his own money, but not all of it. "If I had the money to cover the entire debt right now, I would cover it in a heartbeat," he said. "I simply don't, and I can't just pull it out of thin air."

The Flexcoin and Poloniex incidents come after Mt. Gox said that hackers stole a large amount of bitcoins from the prominent bitcoin exchange, leading the company to declare bankruptcy last week.

Shulman is concerned about the pattern of security breaches over the past few months that resulted in thefts from bitcoin exchanges and other services.

"We see 'financial' organizations related to bitcoin collapsing like a tower of cards," he said. "Not having any ability to recover (financially) from an online attack is not something we would expect in a mature financial market. I think that what bitcoin users are learning now, the hard way, is that there are some benefits to the existing 'centralized,' regulated financial infrastructure (like supervision and insurance for example)."

Erlin believes the recent rash of bitcoin thefts is in fact evidence that Bitcoin is a valid currency system. However, "it will only remain so if the market can mature the level of protection around it," he said.

"Since there is no oversight to audit implementations of Bitcoin processes, and no organization that backs the currency, I suspect we'll see more incidents like this and some of those incidents will affect individuals, as well as businesses like Flexcoin," said Dwayne Melancon, CTO of Tripwire, via email.

According to the Bitcoin wiki site, keeping a large number of bitcoins in a hot wallet is "a fundamentally poor security practice." It's common for bitcoin exchanges to keep some funds in hot wallets in order to facilitate immediate withdrawals, but the best practice is to only do this with small amounts.

"Flexcoin has made every attempt to keep our servers as secure as possible, including regular testing," Flexcoin said. "In our ~3 years of existence we have successfully repelled thousands of attacks. But in the end, this was simply not enough."

"Having this be the demise of our small company, after the endless hours of work we've put in, was never our intent," the company said. "We've failed our customers, our business, and ultimately the Bitcoin community."

Join the PC World newsletter!

Error: Please check your email address.

Tags PoloniexInternet-based applications and servicese-commercesecurityTripwireFlexcoinExploits / vulnerabilitiesinternetfraudintrusionImperva

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?