In the wake of the MtGox debacle, two more Bitcoin companies have been struck hard by hackers – forcing one of them to go out of business entirely.
First up is Flexcoin, “the Bitcoin bank”, which has closed its doors after hackers breached its systems and stole Bitcoins worth the equivalent of $600,000.
Of course, $600,000 is chicken feed compared to the half a billion dollars apparently stolen from MtGox. But still, it’s a nice day’s work for whichever criminals managed to trick Flexcoin into allowing them to withdraw the digital currency without authorisation.
Meanwhile, hackers are also said to have exploited a vulnerability in another Bitcoin exchange – Poloniex.
The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time. This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon.
The major problem here is that the auditing and security features were not explicitly looking for negative balances. They add deposits and withdrawals and check that accounts are in balance. If you have 2 BTC, withdraw 10 BTC, and are left with -8 BTC, the software would see that you deposited 2, withdrew 10, and have exactly what you should: -8.
Another design flaw is that withdrawals should be queued at every step of the way. This could not have happened if withdrawal requests were processed sequentially instead of simultaneously.
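To make the race and the two missing controls concrete, here is an added toy model in Python and sqlite; it is not Poloniex's code, and the table names and functions are constructed for illustration. It shows the check-then-act withdrawal with every balance read happening before any write, the atomic conditional debit that closes the race, and the two audits: the reconciliation that passes at -8 BTC and the negative-balance check that catches it.

```python
import sqlite3

# Constructed toy ledger (added example, not Poloniex's code): one account
# table plus a withdrawals table that a separate payout daemon would read.
def new_ledger(deposit):
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance REAL NOT NULL);
        CREATE TABLE withdrawals (id INTEGER PRIMARY KEY, account INTEGER, amount REAL);
    """)
    db.execute("INSERT INTO accounts VALUES (1, ?)", (deposit,))
    db.commit()
    return db

def racy_withdrawals(db, amounts):
    """Check-then-act with the interleaving the article describes: every
    request reads the balance before any of them has written it back."""
    seen = [db.execute("SELECT balance FROM accounts WHERE id=1").fetchone()[0]
            for _ in amounts]                       # all reads happen first
    for bal, amt in zip(seen, amounts):
        if bal >= amt:                              # each check passes on stale data
            db.execute("UPDATE accounts SET balance = balance - ? WHERE id=1", (amt,))
            db.execute("INSERT INTO withdrawals (account, amount) VALUES (1, ?)", (amt,))
    db.commit()

def safe_withdrawal(db, amount):
    """Atomic conditional debit: the balance check and the decrement are one
    statement inside one transaction, so two requests cannot both spend the
    same funds; requests are also handled one at a time (queued)."""
    with db:
        cur = db.execute(
            "UPDATE accounts SET balance = balance - ? WHERE id=1 AND balance >= ?",
            (amount, amount))
        if cur.rowcount == 0:
            return False                            # insufficient funds, nothing recorded
        db.execute("INSERT INTO withdrawals (account, amount) VALUES (1, ?)", (amount,))
        return True

def balance(db):
    return db.execute("SELECT balance FROM accounts WHERE id=1").fetchone()[0]

def audit_reconcile(db, deposit):
    """The check the article says was relied on: deposits minus withdrawals
    equals the stored balance. It is satisfied even when the balance is -8."""
    paid = db.execute("SELECT COALESCE(SUM(amount), 0) FROM withdrawals").fetchone()[0]
    return abs((deposit - paid) - balance(db)) < 1e-9

def audit_negative_balances(db):
    """The missing control: any account below zero is an anomaly to halt payouts on."""
    return [r[0] for r in db.execute("SELECT id FROM accounts WHERE balance < 0")]
```

Run with a 2 BTC deposit and five simultaneous 2 BTC requests: the racy path ends at -8 with the reconciliation still passing, while the atomic path honours only the first request.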
The total loss from Poloniex is thought to be approximately $50,000.
Will this be the last Bitcoin firm to suffer at the hands of hackers? Somehow I doubt it.
Criminals are always attracted to where the money can be found – and sites created quickly during the Bitcoin gold rush may not have the right security in place to properly protect their customers’ money.