Digital currency exchange Poloniex, which trades bitcoin and other popular digital currencies such as litecoin, namecoin and dogecoin, has lost 12.3% of its total bitcoin supply in an attack.

The exchange took to Bitcoin Forum on 4th March to report it had been compromised by a previously unknown vulnerability in its coding.

Writing under the username Busoni, Poloniex owner Tristan D’Agosta, moved to calm concerned users by explaining what lead to the hack, as well as what the next steps from the company would be.

D’Agosta explained:

“The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time. This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon.”

D’Agosta also detailed the exact process by which transactions on the exchange were confirmed to highlight the error, and further, took full responsibility for the loss, stating that he plans to repay the company’s customers.

According to a Twitter post from the company, the original attack occurred during the early morning hours of 4th March.

Aware that markets are frozen. Some BTC was stolen. Details coming as soon as possible. — Poloniex Exchange (@Poloniex) March 4, 2014

Behind the hack

Due to its current bitcoin shortage, Poloniex indicated that all customer balances would temporarily be reduced by 12.3% “out of absolute necessity”. D’Agosta suggested that this was the only way that bitcoins could be distributed fairly among affected users.

“If I did not make this adjustment, people would most likely withdraw all their BTC as soon as possible in order to make sure they weren’t left in that remaining 12.3%.”

Poloniex plans to record the balances and to pay back customers using exchange fees as well as personal contributions. As a result, he indicated that all exchange fees would be temporarily raised to 1.5%, up from 0.2%. Altcoin and bitcoin withdrawals have since been reinstated, going back online on 4th March after less than a day’s delay.

— Poloniex Exchange (@Poloniex) March 4, 2014

System changes

D’Agosta did also credit his design with preventing a more massive bitcoin loss. For example, he noted that the company’s existing security features noticed the unusual withdrawal activity and froze affected accounts.

In the attack announcement, D’Agosta listed a number of next steps his company would follow, including updating the withdrawal daemon to check for negative balances before processing withdrawals and freezing any account with a negative balance.

According to its Twitter feed, updates have already been made.

Withdrawal system redesigned, now requests are processed sequentially from a global command queue. — Poloniex Exchange (@Poloniex) March 5, 2014

Moving forward

D’Agosta expressed his apologies for the attack and appealed to the community for continued feedback on he could improve the service. Said D’Agosta:

“I do not have the money to wave away the debt, so we’ll need to work together.”

Response from the Bitcoin Talk community was largely positive, with many commenters posting messages of support for D’Agosta and his exchange.

Notably, the announcement follows a recent rush of attacks against bitcoin services, including Mt. Gox, Silk Road 2.0 – which has also embarked on a repayment plan, and Alberta-based “bitcoin bank” Flexcoin, which shut down its services on 4th March after losing $600,000 in bitcoins.

Image credit: Cybercrime via Shutterstock