Poloniex, the biggest altcoin exchange with daily volume in tens of thousands, if not hundreds of thousands btc, is insecure according to an anonymous “really light testing” security review.
Xavier59, whose StackExchange profile states “[a]pparently, this user prefers to keep an air of mystery about them,” publicly released three vulnerabilities after claiming Poloniex failed to reply to his emails informing them of security bugs more than a month ago.
The vulnerabilities, according to Xavier59, indicate incompetence and potential risks. The most prominent seems to be using Get (which is mainly employed for public information) instead of Post (mainly used for private info) for cryptocurrency transactions. Xavier59 states:
“It is a terrible bad practice that any person involved in security would scream while discovering it.”
Poloniex apparently does not use what type of data the code is feeding – that is numbers, letters, etc – which “could cause unexpected behavior” and “is representative of bad security policy.” Moreover, the source code is visible to an attacker, making it is easier to find vulnerabilities, according to Xavier59, which would allow an attacker to gain moderator privileges in the infamous troll box thus sharing potentially malware infested links from a position of apparent authority.
We have reached out to Poloniex, but they have not responded in time for publishing. Emin Gün Sirer, Cornell professor, publicly stated in sharing the security review that “Poloniex has some major red flags.” He further publicly stated that although it is not an immediate vulnerability or cause for panic, it is a wakeup call and “some 1995-level security practice.” In further elaborating, Sirer stated to CCN that he does not know the author of the security review and has not had the time to verify the claims himself, before adding:
“If true, these indicate that the level of implementation is far from best practices, closer to mid-90’s web programming than current day state of the art. Coupled with an earlier concurrency issue about a year and a half ago where Poloniex lost money due to a basic concurrent programming error, I have grave doubts about the robustness of their implementation.
“Running an exchange in this space, with these valuable bearer instruments, is a difficult task. I’d be wary of any company that commits elementary mistakes, because the attackers are both sophisticated and very motivated, given the money at stake.”
Tristan D’Agosta, founder of Poloniex, is apparently a music graduate, with no listed experience in coding until he created Poloniex. Instead, his work background appears to be fully in “sheet music” and “freelance fiction.”
The exchange was hacked back in 2014 by someone effectively clicking twice on the withdraw button. Xavier59 states:
“Poloniex is using PHP + nginx for their server. Nginx is multithreaded it means it can perform many request at the same time, if the 2 withdrawals request are being performed in 2 different threads at the same time both of them will be validated because the first thread didn’t update the number of bitcoins from one user in the database for the withdraw that the second thread already picked the number of bitcoins available from it.”
He further added that “Poloniex seems as weak as it was 2 years ago and did not increase its security using bad coding practices.”
It is somewhat puzzling that anyone is using a centralized altcoin exchange when there is little, if anything, preventing the establishment of a decentralized exchange. For fiat pairs bank accounts make it as good as impossible, but for altcoin to altcoin, it is all just code moving around without any central party and needing no permission, therefore, from a technical standpoint, it should be very much feasible.
However, although such decentralized exchanges have now been a topic of debate for almost three years, none seem to have taken any market share. The reasons are not clear, but it may be that developers lack any financial incentives to provide such framework when it requires much time and effort yet gives them as good as no monetary reward.
It is a quintessential commons problem. Although a decentralized altcoin exchange would benefit everyone, no individual would benefit from the time and effort necessary to create it. Highlighting what has now become obvious in this field and very much necessary – a self-governing non-profit organization to fund commons projects as well as review ICO token sales, best practices, lay down guidelines, and take on a semi governing, but very much voluntary, semi-supervisory role.
Images from Shutterstock.