

Date: Wed 24 September 2014 | By: Neil Fincham | Category: Bitcoin, Hack | Tags: igot

I agonized a bit about whether I should post this. igot responded and acknowledged the problem, but unfortunately they don't see it as a major issue at the moment, saying "Since this is a small amount, this is not going to be investigated on priority."

My mind goes to MtGOX and Moolah, though; both are recent examples of an exchange giving out more funds than the client had available (if we believe the official stories), and I think about how things could have been different if the person who discovered a flaw in the exchange had, instead of doing what he/she did, informed the exchange of the problem so the issue could be fixed.

Additionally, just submitting a bug report and leaving it at that is not an option in my mind; people deserve to know about issues like this before they decide who to entrust their funds to. If it later came out that the issue was not fixed, or that other issues were found, and it led to the loss of people's funds, wouldn't I bear a bit of responsibility? After all, I had known something was up; my silence is consent.

The Situation

I am always on the hunt for a new exchange to use in New Zealand. We have one called BitNZ, but the order book and volume are quite small. So a month ago, when a new exchange called igot emerged that had New Zealand bank accounts, I immediately headed over and made an account. It had been getting a few hits in the local press and it seemed that igot would be ideal for me.

When I try a new service, the first thing I do is perform a full "life cycle" functionality test. This test is not to look for vulnerabilities but to go through and use every aspect of the service that I will likely be using. For an exchange like igot the test would be something like this (I do not actually write it down and go through it; testing like this is just second nature to me and I barely think about it);-

1. Log in/out and get a feel for the authentication.
2. Deposit a test amount (0.1 BTC).
3. Withdraw the test amount.

That is as far as I got. Normally I would have then gone on to exchanging some bitcoins to fiat and then withdrawing the fiat, but what happened with the withdrawal stopped me in my tracks.

The Problem

As I mentioned, I got up to withdrawing my bitcoins. I had only deposited 0.1 BTC, so I was expecting 0.0998 BTC after fees to be deposited into my withdrawal address. You can imagine my surprise when the transaction popped up in my client not once, but twice. Here are the transactions;-

ec41bfe4b3e7afe7c9dba7838d9c5fda034af0996ba4116bdad92d1fc02b0562
dc54580d49705947b363caebc242c483f39e42f7f928832ad0c8a0594e081e08

As you can see, they were both generated at the same time (2014-09-21 23:58:28) and included 2 minutes later in block 465403. I have the Gmail-timestamped withdrawal receipts for both transactions to prove it, as well as the acknowledgement from igot that there was a problem.

Is this really a problem?

In my mind I can already hear people saying "it was less than $100, what's the issue?". The thing is, though, while I have not tried it, who is to say it won't work with 1 BTC or 50 BTC? If I could work out how to do this reliably, who is to say I could not have withdrawn my 0.1 BTC a thousand times? How about a million?
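As an added illustration (not code from this post, and not igot's code), here is the kind of guard and after-the-fact reconciliation an exchange can run against exactly the condition described above: one withdrawal request paid out twice, driving the account below zero. The receipts, account names, request ids and deposit figures are constructed placeholders; the real transaction ids are not used.

```python
from collections import Counter
from decimal import Decimal
from threading import Lock

# Constructed receipts modelled on the incident: one request paid out twice with identical timestamps.
RECEIPTS = [
    {"account": "neil", "request_id": "w-1", "amount": Decimal("0.1"),
     "ts": "2014-09-21 23:58:28", "txid": "txid-A-placeholder"},
    {"account": "neil", "request_id": "w-1", "amount": Decimal("0.1"),
     "ts": "2014-09-21 23:58:28", "txid": "txid-B-placeholder"},
    {"account": "alice", "request_id": "w-2", "amount": Decimal("1.5"),
     "ts": "2014-09-21 23:59:10", "txid": "txid-C-placeholder"},
]
DEPOSITS = {"neil": Decimal("0.1"), "alice": Decimal("2")}  # constructed balances


def duplicate_payouts(receipts):
    """Reconciliation: request ids that produced more than one on-chain payout."""
    counts = Counter(r["request_id"] for r in receipts)
    return sorted(rid for rid, n in counts.items() if n > 1)


def overdrawn_accounts(deposits, receipts):
    """Reconciliation: accounts whose payouts exceed deposits, with the shortfall."""
    paid = Counter()
    for r in receipts:
        paid[r["account"]] += r["amount"]
    return {a: deposits.get(a, Decimal(0)) - p
            for a, p in paid.items() if p > deposits.get(a, Decimal(0))}


class Ledger:
    """Balances with a withdraw that is atomic (one lock) and idempotent (request id)."""
    def __init__(self, balances):
        self._bal = dict(balances)
        self._done = set()   # request ids already paid; a retry must not pay again
        self._lock = Lock()  # the check and the debit happen under one lock, never split

    def withdraw(self, account, request_id, amount):
        with self._lock:
            if request_id in self._done:
                return "duplicate"
            if self._bal.get(account, Decimal(0)) < amount:
                return "insufficient"  # the balance can never go negative
            self._bal[account] -= amount
            self._done.add(request_id)
            return "ok"

    def balance(self, account):
        return self._bal[account]


def replay_requests(ledger, receipts):  # replay the receipts as requests; each id pays once
    return [ledger.withdraw(r["account"], r["request_id"], r["amount"]) for r in receipts]
```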

The Method

I cannot say for sure why I got my funds back twice (I did not try to replicate the problem), but there was something unusual going on at my end. Since igot have not placed a priority on fixing this issue, though, I am not going to go into how I think the problem occurred. As any developer will tell you, if it can happen once it can happen again, and if it can happen again an exploit can be made to make it happen. I bear igot no ill will and would hate for something I said to be replicated and used to drain their funds. I cannot remain silent, though; if people have funds with igot they need to know that there is a problem.

What did I do?

Start working on a framework to exploit the problem and withdraw as much as I can? Shame on you for thinking that! :) I immediately opened a ticket with support to notify igot of the issue;-

URGENT!!! I am able to withdraw more funds than I have

Hi Guys,

You have an urgent issue, as I have said in the subject, I can withdraw more than I have in my account, check my balance, it is -0.1! This is a link to the withdrawal address;- https://blockchain.info/address/1CXCzUhH1QJ1JfS2s4Bi5izFCy6Wdi4iU

I withdrew 0.1, Yeah, nice try. It would hardly be effective redacting if I just made the background of the text black and left the text unchanged wouldn't it? There is no way I am going to tell you how I think this is done so don't even ask. Here are a few extra words for you to read.

Neil

P.S. If you want to call me my phone number is +64 21 xxxxxx

My message to igot

After a few days and providing a bit of extra information, I got the message back from igot that I wanted to hear. They had acknowledged the problem and would be working to fix it;-

Thanks a lot Neil. We will let you know the outcome soon. It is very unlikely that this would happen, but it has happened and we will get to the bottom of it.
Igot support, Sep 23, 2014

At that point I sat back, confident that the problem was going to be looked at and fixed. It seemed that there was not about to be another "MtGOXing". It was not until a month later that I thought to bring up the issue again and, to my dismay, found that they had mostly forgotten about it and were not going to do anything about it.

Hello Neil,

Thank you for contacting igot.com. This is a technical question that needs investigation. We're a small team and a ticket has been opened about this with our team. They will review and give their feedback when they get to the ticket. Since this is a small amount, this is not going to be investigated on priority. I will get back to you as soon as we hear from the team.

Don't worry, we're not in the business to go belly up.

Regards,
Julie - Igot support
Oct 23, 2014