Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Exchanges
Re: [OFFICIAL]Bitfinex.com first Bitcoin P2P lending platform for leverage trading
by
EABEAB
on 03/02/2014, 12:37:11 UTC
Frightening. This is truly scary.

REDDIT TITLE:
How I stole roughly 100 BTC from an exchange and how I could have stolen more!

http://www.reddit.com/r/Bitcoin/comments/1wtbiu/how_i_stole_roughly_100_btc_from_an_exchange_and/

Question,

Is BitFinex's Platform A.C.I.D. Proof ?

Basically financial software often deals with online transaction processing, which is basically what traditional, SQL-based database management systems are made for, they guarantee ACID:

    Atomicity (processed as a whole, e.g. if transaction moves money from account A to B you cannot get to a situation when only one balance is updated)
    Isolation (concurrent transaction do not interfere with each other)
    Consistency (data always satisfies constraints)
    Durability (data is stored permanently after transaction is committed)

In computer science, ACID (Atomicity, Consistency, Isolation, Durability) is a set of properties that guarantee that database transactions are processed reliably. In the context of databases, a single logical operation on the data is called a transaction. For example, a transfer of funds from one bank account to another, even involving multiple changes such as debiting one account and crediting another, is a single transaction.

    Jim Gray defined these properties of a reliable transaction system in the late 1970s and developed technologies to achieve them automatically.

    In 1983, Andreas Reuter and Theo Härder coined the acronym ACID to describe them.


SOLUTION:

OP managed to trick the exchange's database into forgetting he withdrew 100 BTC by simultaneously selling off several 0.0001 BTC units and getting one of the small transactions to clash and overwrite the large withdrawal.

So both operations read his balance of X BTC at the same time subtracted 100 BTC and 0.0001 BTC respectively. The first operation wrote back the balance of x - 100 into the database and the second operation then overwrote that balance with x - 0.0001, effectively giving OP back those 100 BTC.

One of the most basic things you need to take into account when implementing a database is record locking, to make sure only one operation can access a specific bit of data at one time and that any operation must relinquish control before another operation is allowed access, to make sure such clashes don't occur and corrupt the data.