[Fixed] Security bug found. Please withdraw fund from allcoin.com

mhps 2015-03-09 14:31:44 UTC #1

I find a bug with allcoin.com. Because of the bug users can obtain nushares that do not belong to them. I have filed a bug report using the exchange’s ticket system with details of how to reproduce the problem, and gave them a day before informing Nu community. I have also sent an email to the address given here. No answer specifically made to the report has been received.

I am not revealing the details of the bug for now, hoping that the exchange can plug the hole before many people start to exploit the exchange and possibly cause serious damage. Eventually (in a few days I guess) I will discuss the bug in the forum. In principle an attacker could get hold of basically the amount in NSR hotwallet. However it takes some luck, resource, and effort to get hold of a lot of coins, so allcoin is not highly likely to go under in a flash.

I am not sure if the problem is only related to nushares. I suggest users withdraw funds from allcoin.com, especially if it’s NSR, before the situation is clear. I have sent a PM to @jmiller, the LPC on allcoins earlier today.

Now someone please find a way to ask allcoin to check the ticket filed 22 hours ago.

About the NSR bugs on AllCoin.com Mark@AllCoin

CCEDK offers liquidity on both buy and sell side of their 6 trading pairs to support Nubits and Nushares!

creon 2015-03-09 14:39:00 UTC #2

Good job. Mark seems to be in charge of all these things and I also requested my API keys from him at mark@allcoin.com (which is the address you were probably using). You can also try to reach him in the chat box.

They should pay you a decent bounty for a bug of this dimension.

cryptog 2015-03-09 14:52:03 UTC #3

Good job @mhps

Hyena 2015-03-10 07:49:23 UTC #4

Is this also the reason why NSR trading pair is missing now?
https://www.allcoin.com/trade/NSR_BTC

JordanLee 2015-03-10 07:52:45 UTC #5

It has come to my attention that Allcoin.com has halted trading of NSR and NBT within the last couple of hours. Withdrawals and deposits (of NSR and NBT) are also disabled.

I don’t know what prompted this, so if anyone has more information, please share it with the community.

xiaomin1681 2015-03-10 10:59:13 UTC #6

This is Allcoin.com give me back the mail!
Hello:

Thank you for your feedback, the reason is because the initial identification NSR wallets and purses are not the same as others, the change of address may change due to the local user’s system. Contact Nubits team already dealing with related issues.

cryptog 2015-03-10 11:00:36 UTC #7

nsr/btc is back on allcoin.com .

mhps 2015-03-10 12:37:11 UTC #8

Is this site being DDOS’ed? It’s been almost impossible to connect.

Quick answer – allcoin support has replied my ticket mentioned in the OP:

Sorry for the delay, we’ve closed the NSR and NBT markets to fix the bugs.

Hopefully the bug is easy to fix and NBT and NSR will online soon again.

mark_allcoin 2015-03-10 12:57:12 UTC #9

@mhps I’m Mark@AllCoin, we did make some mistakes.On this bug, we lost some coins in our hot wallet 150,000 ~ 250,000 NSR(about 3~5 BTCs). Because we locked some strange account, we need some time to calculate the balance. We can afford the lose and customers won’t lose any coins.

Only NSR market has the problem.

this is the official document. http://docs.nubits.com/v1.0/docs/integrating-nubits-or-nushares-with-an-exchange . These’s a special argument: avatar=0
we added NBT before NSR, because NBT wallet run very well, so we forgot to add avatar=0 to our NSR config file.
But the NSR wallet put change to the input address, which means if A has 10 NSR, then I send B 1NSR, then the change address is A, so we’ll find that A have another 9 NSR deposit.
But NBT is not the same as NSR, NBT withdraw system is the same as the BTC wallet.

After we checked all our NSR account, we’ll re-open the NBT NSR deposit and withdraw.

Thank you.

mhps 2015-03-10 13:11:37 UTC #10

Since @mark_allcoin has explain the bug, I won’t repeat the descriptiion. Just a little warning to futre exchange owners of this bug: it could be costly – One could trigger change by withdrawing from one’s own account to try to maximize return (with the help of a block explorer). The easiest way to take advantage of the bug would be to deposit lots of shares to your account and wait other people to use your deposit address to withdraw. All changes would go to you. When your address is almost empty, you withdraw everything (now from someone else’ addresses). Then repeat. If not stopped this exploit can cost almost all amount in the hotwallet.

tehter 2015-03-10 13:27:50 UTC #11

So they are relying on the built in accounting system? That is very bad.

mark_allcoin 2015-03-10 15:21:59 UTC #12

All deposit system are relying on the wallet account system or public keys.

tehter 2015-03-10 18:55:39 UTC #13

That is very bad. The account system within bitcoin is notorious for being inadequate for production use. What is your background? Do you have a degree in computer science? What university?

tomjoad 2015-03-10 18:57:43 UTC #14

Let’s not devolve into ad hominem attacks please. Any debates about exchange structuring should be strictly limited to facts.

tehter 2015-03-10 18:59:35 UTC #15

Is that ad hominem to point out that someone who operates a cryptocurrency exchange doesn’t have basic developer knowledge about cryptocurrency?

This laxadasical attitude towards exchange operators is why CCEDK is able to run an insolvent exchange and maintain large volume while no media comments on their hack.

tomjoad 2015-03-10 19:02:15 UTC #16

If your argument relies on questioning the personal credentials of someone, then yes, by definition it does.

We’ve been successful on this forum so far with very limited moderation, but if the tone begins to turn to personal attacks we will begin moderating more heavily.

I will repeat for clarification: any and all structural issues related to exchanges should be discussed openly. We encourage it, as shown by Jordan Lee immediately posting the email from CCEDK. Finding and solving exchange vulnerabilities contributes to a stronger Nu ecosystem. Simply attacking the personal characteristics of exchange operators does nothing to solve those problems.

willy 2015-03-10 19:03:11 UTC #17

            $ 54

tehter 2015-03-10 19:04:57 UTC #18

Still where are the news articles? Announcements? Anything? They are operating like nothing happened.

willy 2015-03-10 19:06:09 UTC #19

No volume equals no operation to me.
I was wondering about the current state of CCEDK as well, especially because the thread discussing their problems has been quite silent.

tehter 2015-03-10 19:06:39 UTC #20

The operator in question clearly is not equip to operate an exchange if they don’t know the fundamentals of the software they are running. It is legitimate line of inquiry to find out a persons background to see if they are qualified to handle as much money as they do.