Re: [OFFICIAL]Bitfinex.com first Bitcoin P2P lending platform for leverage trading
Frightening. This is truly scary.
REDDIT TITLE:
How I stole roughly 100 BTC from an exchange and how I could have stolen more!
http://www.reddit.com/r/Bitcoin/comments/1wtbiu/how_i_stole_roughly_100_btc_from_an_exchange_and/
Question,
Is BitFinex's Platform A.C.I.D. Proof ?
Basically financial software often deals with online transaction processing, which is basically what traditional, SQL-based database management systems are made for, they guarantee ACID:
Atomicity (processed as a whole, e.g. if transaction moves money from account A to B you cannot get to a situation when only one balance is updated)
Isolation (concurrent transaction do not interfere with each other)
Consistency (data always satisfies constraints)
Durability (data is stored permanently after transaction is committed)
In computer science, ACID (Atomicity, Consistency, Isolation, Durability) is a set of properties that guarantee that database transactions are processed reliably. In the context of databases, a single logical operation on the data is called a transaction. For example, a transfer of funds from one bank account to another, even involving multiple changes such as debiting one account and crediting another, is a single transaction.
Jim Gray defined these properties of a reliable transaction system in the late 1970s and developed technologies to achieve them automatically.
In 1983, Andreas Reuter and Theo Härder coined the acronym ACID to describe them.
SOLUTION:
OP managed to trick the exchange's database into forgetting he withdrew 100 BTC by simultaneously selling off several 0.0001 BTC units and getting one of the small transactions to clash and overwrite the large withdrawal.
So both operations read his balance of X BTC at the same time subtracted 100 BTC and 0.0001 BTC respectively. The first operation wrote back the balance of x - 100 into the database and the second operation then overwrote that balance with x - 0.0001, effectively giving OP back those 100 BTC.
One of the most basic things you need to take into account when implementing a database is record locking, to make sure only one operation can access a specific bit of data at one time and that any operation must relinquish control before another operation is allowed access, to make sure such clashes don't occur and corrupt the data.
REDDIT TITLE:
How I stole roughly 100 BTC from an exchange and how I could have stolen more!
http://www.reddit.com/r/Bitcoin/comments/1wtbiu/how_i_stole_roughly_100_btc_from_an_exchange_and/
Question,
Is BitFinex's Platform A.C.I.D. Proof ?
Basically financial software often deals with online transaction processing, which is basically what traditional, SQL-based database management systems are made for, they guarantee ACID:
Atomicity (processed as a whole, e.g. if transaction moves money from account A to B you cannot get to a situation when only one balance is updated)
Isolation (concurrent transaction do not interfere with each other)
Consistency (data always satisfies constraints)
Durability (data is stored permanently after transaction is committed)
In computer science, ACID (Atomicity, Consistency, Isolation, Durability) is a set of properties that guarantee that database transactions are processed reliably. In the context of databases, a single logical operation on the data is called a transaction. For example, a transfer of funds from one bank account to another, even involving multiple changes such as debiting one account and crediting another, is a single transaction.
Jim Gray defined these properties of a reliable transaction system in the late 1970s and developed technologies to achieve them automatically.
In 1983, Andreas Reuter and Theo Härder coined the acronym ACID to describe them.
SOLUTION:
OP managed to trick the exchange's database into forgetting he withdrew 100 BTC by simultaneously selling off several 0.0001 BTC units and getting one of the small transactions to clash and overwrite the large withdrawal.
So both operations read his balance of X BTC at the same time subtracted 100 BTC and 0.0001 BTC respectively. The first operation wrote back the balance of x - 100 into the database and the second operation then overwrote that balance with x - 0.0001, effectively giving OP back those 100 BTC.
One of the most basic things you need to take into account when implementing a database is record locking, to make sure only one operation can access a specific bit of data at one time and that any operation must relinquish control before another operation is allowed access, to make sure such clashes don't occur and corrupt the data.
Appears that this question was asked days ago before the problem occurred,
but got no response, would seem that a little more attention to details / customers questions
could avoid a lot of problems.
Interesting. But to be fair, the poster at reddit doesn't mention Bitfinex specifically, so there is the chance that it was another exchange that was exploited. It could even be Gox that was exploited! (maybe that would explain why they are not allowing BTC withdrawals! They are upgrading their security so it doesn't happen again!
)But I think Bitfinex's issue was different, it seems actually trading and borrowing was required for the exploiters to make money. Also try withdrawing 100 BTC from Bitfinex and you'll have to wait for it to be processed manually. While a 100 BTC withdrawal from Gox would likely be automatic (before they stopped BTC withdrawals).
Maybe Giancarlo can clarify whether it was Bitfinex that was contacted about this issue, if not it was probably Gox.
as far as I know nobody contacted us with this email, so it must be somebody else.....
thanks
Giancarlo
Bitfinex Team