[Fixed] Security bug found. Please withdraw funds from allcoin.com

I found a bug with allcoin.com. Because of the bug, users can obtain nushares that do not belong to them. I have filed a bug report using the exchange’s ticket system with details of how to reproduce the problem, and gave them a day before informing the Nu community. I have also sent an email to the address given here. No answer specifically addressing the report has been received.

I am not revealing the details of the bug for now, hoping that the exchange can plug the hole before many people start to exploit the exchange and possibly cause serious damage. Eventually (in a few days, I guess) I will discuss the bug in the forum. In principle an attacker could get hold of basically the whole amount in the NSR hot wallet. However, it takes some luck, resources, and effort to get hold of a lot of coins, so allcoin is not highly likely to go under in a flash.

I am not sure if the problem is only related to nushares. I suggest users withdraw funds from allcoin.com, especially if it’s NSR, before the situation is clear. I have sent a PM to @jmiller, the LPC on allcoin, earlier today.

Now someone please find a way to ask allcoin to check the ticket filed 22 hours ago.

7 Likes

Good job. Mark seems to be in charge of all these things, and I also requested my API keys from him at mark@allcoin.com (which is the address you were probably using). You can also try to reach him in the chat box.

They should pay you a decent bounty for a bug of this dimension.

1 Like

Good job @mhps

Is this also the reason why NSR trading pair is missing now?
https://www.allcoin.com/trade/NSR_BTC

It has come to my attention that Allcoin.com has halted trading of NSR and NBT within the last couple of hours. Withdrawals and deposits (of NSR and NBT) are also disabled.

I don’t know what prompted this, so if anyone has more information, please share it with the community.

This is the mail Allcoin.com sent back to me:
Hello:

Thank you for your feedback. The reason is that the initial identification of NSR wallets and purses is not the same as for the others; the change of address may change due to the local user’s system. Contacted the Nubits team, already dealing with the related issues.

NSR/BTC is back on allcoin.com.

Is this site being DDOS’ed? It’s been almost impossible to connect.

Quick answer – allcoin support has replied to my ticket mentioned in the OP:

Sorry for the delay, we’ve closed the NSR and NBT markets to fix the bugs.

Hopefully the bug is easy to fix and NBT and NSR will be online again soon.

1 Like

@mhps I’m Mark@AllCoin, we did make some mistakes. On this bug, we lost some coins from our hot wallet: 150,000 ~ 250,000 NSR (about 3~5 BTC). Because we locked some strange accounts, we need some time to calculate the balance. We can afford the loss and customers won’t lose any coins.

Only the NSR market has the problem.

  1. This is the official document: http://docs.nubits.com/v1.0/docs/integrating-nubits-or-nushares-with-an-exchange . There’s a special argument: avatar=0

  2. We added NBT before NSR. Because the NBT wallet ran very well, we forgot to add avatar=0 to our NSR config file.

  3. But the NSR wallet puts change back to the input address, which means if A has 10 NSR and I send B 1 NSR, then the change address is A, so we’ll find that A has another 9 NSR deposit.

  4. But NBT is not the same as NSR; the NBT withdraw system is the same as the BTC wallet.

After we have checked all our NSR accounts, we’ll re-open the NBT and NSR deposits and withdrawals.

Thank you.

Since @mark_allcoin has explained the bug, I won’t repeat the description. Just a little warning to future exchange owners about this bug: it could be costly – one could trigger change by withdrawing from one’s own account to try to maximize return (with the help of a block explorer). The easiest way to take advantage of the bug would be to deposit lots of shares to your account and wait for other people to use your deposit address to withdraw. All change would go to you. When your address is almost empty, you withdraw everything (now from someone else’s addresses). Then repeat. If not stopped, this exploit can cost almost the whole amount in the hot wallet.

2 Likes
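To make the mechanism in Mark’s post and the exploit sketched by @mhps concrete, here is a small simulation. It is an added, constructed example written for this thread, not allcoin’s code and not the Nu wallet: the toy wallet models only the one behaviour described above (change returned to the input address, versus change sent to a fresh address as with avatar=0), and the addresses, amounts and user names are made up. The naive scanner credits every output that lands on a known deposit address; the hardened scanner ignores outputs of transactions whose inputs are the exchange’s own coins, which is the check that would have caught the change.

```python
"""Simulation of the change-to-input-address deposit bug (constructed example).

Toy model of an exchange hot wallet: deposit addresses belong to users, withdrawals
spend from whichever deposit address holds the most coins, and the wallet either
returns change to the input address (the NSR behaviour without avatar=0 described in
the thread) or to a fresh change address. The deposit scanner then credits outputs.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: list   # [(address, amount)] spent; empty for external deposits
    outputs: list  # [(address, amount)]


class Wallet:
    """Toy hot wallet. change_to_input=True mirrors the buggy NSR configuration."""

    def __init__(self, change_to_input):
        self.change_to_input = change_to_input
        self.utxo = defaultdict(int)   # address -> spendable balance
        self.addresses = set()         # every address this wallet controls
        self.chain = []                # transactions seen, in order
        self.n = 0

    def watch(self, address):
        self.addresses.add(address)

    def receive(self, address, amount, txid):
        # External deposit: inputs are not ours, so none are recorded.
        self.utxo[address] += amount
        self.chain.append(Tx(txid, [], [(address, amount)]))

    def send(self, to_address, amount):
        # Simplistic coin selection: spend the single richest address in full.
        src = max(self.utxo, key=self.utxo.get)
        have = self.utxo[src]
        if have < amount:
            raise ValueError("insufficient funds in hot wallet")
        self.utxo[src] = 0
        self.n += 1
        outputs = [(to_address, amount)]
        change = have - amount
        if change:
            change_addr = src if self.change_to_input else f"change{self.n}"
            self.addresses.add(change_addr)
            self.utxo[change_addr] += change
            outputs.append((change_addr, change))
        tx = Tx(f"tx{self.n}", [(src, have)], outputs)
        self.chain.append(tx)
        return tx


class Exchange:
    def __init__(self, wallet):
        self.wallet = wallet
        self.owner = {}                  # deposit address -> user
        self.balance = defaultdict(int)  # user -> credited balance
        self.scanned = 0

    def new_deposit_address(self, user):
        addr = f"{user}_dep"   # hypothetical address label
        self.owner[addr] = user
        self.wallet.watch(addr)
        return addr

    def scan(self, hardened):
        """Credit new outputs on deposit addresses as deposits."""
        for tx in self.wallet.chain[self.scanned:]:
            own_spend = any(a in self.wallet.addresses for a, _ in tx.inputs)
            if hardened and own_spend:
                continue   # change from our own withdrawal is not a deposit
            for addr, amt in tx.outputs:
                if addr in self.owner:
                    self.balance[self.owner[addr]] += amt
        self.scanned = len(self.wallet.chain)

    def withdraw(self, user, to_address, amount):
        if self.balance[user] < amount:
            raise ValueError("insufficient user balance")
        self.balance[user] -= amount
        return self.wallet.send(to_address, amount)


def run_scenario(change_to_input, hardened):
    """Attacker deposits 1000, victim deposits 100, victim withdraws 10."""
    w = Wallet(change_to_input)
    ex = Exchange(w)
    attacker_addr = ex.new_deposit_address("attacker")
    victim_addr = ex.new_deposit_address("victim")
    w.receive(attacker_addr, 1000, "dep1")   # constructed deposits
    w.receive(victim_addr, 100, "dep2")
    ex.scan(hardened)
    # Coin selection spends the attacker's 1000-coin address to pay out 10.
    ex.withdraw("victim", "outside_addr", 10)
    ex.scan(hardened)
    return dict(ex.balance), dict(w.utxo)


def over_credit(change_to_input, hardened):
    """Credited user balances minus coins actually in the hot wallet."""
    balances, utxo = run_scenario(change_to_input, hardened)
    return sum(balances.values()) - sum(utxo.values())


if __name__ == "__main__":
    for cfg in [(True, False), (True, True), (False, False)]:
        print(cfg, run_scenario(*cfg), "liability gap:", over_credit(*cfg))
```

With change returned to the input address and the naive scanner, the 990 NSR of change lands back on the attacker’s deposit address and is credited a second time, so the exchange now owes 990 more than it holds; every later withdrawal that spends from that address repeats the effect, which is the loop @mhps describes. Either a scanner that skips the exchange’s own spends or a wallet that sends change elsewhere (avatar=0 in the Nu documentation linked above) closes the gap.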

So they are relying on the built in accounting system? That is very bad.

All deposit systems rely on the wallet account system or public keys.

That is very bad. The account system within bitcoin is notorious for being inadequate for production use. What is your background? Do you have a degree in computer science? What university?

Let’s not devolve into ad hominem attacks please. Any debates about exchange structuring should be strictly limited to facts.

Is that ad hominem to point out that someone who operates a cryptocurrency exchange doesn’t have basic developer knowledge about cryptocurrency?

This lackadaisical attitude towards exchange operators is why CCEDK is able to run an insolvent exchange and maintain large volume while no media comments on their hack.

If your argument relies on questioning the personal credentials of someone, then yes, by definition it does.

We’ve been successful on this forum so far with very limited moderation, but if the tone begins to turn to personal attacks we will begin moderating more heavily.

I will repeat for clarification: any and all structural issues related to exchanges should be discussed openly. We encourage it, as shown by Jordan Lee immediately posting the email from CCEDK. Finding and solving exchange vulnerabilities contributes to a stronger Nu ecosystem. Simply attacking the personal characteristics of exchange operators does nothing to solve those problems.


Still where are the news articles? Announcements? Anything? They are operating like nothing happened.

No volume equals no operation to me.
I was wondering about the current state of CCEDK as well, especially because the thread discussing their problems has been quite silent.

1 Like

The operator in question is clearly not equipped to operate an exchange if they don’t know the fundamentals of the software they are running. It is a legitimate line of inquiry to find out a person’s background to see if they are qualified to handle as much money as they do.