Has Poloniex.com had security issues already?


#1

So many exchanges have been hacked…
mtgox, bitstamp, bter (twice), allcoin, vircurex, btc-e, CCEDK

For that reason, I don’t trust any of these. When choosing the next trading platform for nsr and nbt trading I am considering poloniex. However, I am not familiar with their past. Has poloniex been hacked in the past?


#2

Yes, Poloniex was hacked. I remember them losing 12.XX% of all Bitcoins. It was due to some silly mistake in their engine; you want to google this, I forgot the details.

However they have repaid their debt since and continued operating without issues.


#3

Crazy… something has to be done about it. My speciality is cyber security, and designing secure applications is intrinsic to my skills and education. Seeing so many hacks leaves me wondering whether the developers are such noobs or it is really that hard to build a hack-proof exchange. I tend to suspect that most of these hacks have been performed with the help of inside information, perhaps even to the extent that developers have knowingly left security holes/backdoors in the exchange.

Maybe some kind of decentralized cryptocurrency trading system should be developed: every trader should run a bot, and trades would be made directly between traders, so that the central server would not hold any coins but would just provide a lobby for the bots to match trades. Should 2 bots agree on a price, they would gradually exchange the currencies. By gradually sending the coins to each other, the risk of fraud is minimized. If the other party fails to send you the required amount of coins, you would not send them the next chunk of coins. The latter strategy could be made more effective with some kind of decentralized trust feature or proof of work requirement.


#4

Technology to keep coins safe at exchange exists already, just people do not use it for some reason.

Linux security has come a long way, using that with sane design (isolation, modularity) and multisig for wallets should prevent theft.

What you propose for exchange is interesting. I need to think more about it.


#5

Exchanges should simply use a chunk password. I’ll give you an example on the trade:

A seller has 2000 nsr for sale. He sets the sale for 0,0008000. The system sends his 2000 nsr to a cold wallet with a chunk password. The first pass is by the exchange, to retrieve the nsr funds. The second pass is used when the sale is bought: a message is sent to the seller asking him for the password to release the funds, with a time limit to enter the password or the sale is cancelled.

Same for the buyer orders: once the sale is confirmed, the system will ask the buyer for the chunk password to release the btc fund or whatever currency.

This option can be added in the user option profile, whether they choose to use it or not, with a notice not to lose the chunk password, a warning, etc. Once enabled, even if a hacker gets a copy of wallet.data or even the key, they will need keys from separate users to get encrypted unknown from the exchange itself.


#6

Interesting… I think that’s the way to go. The exchange’s interface should deterministically generate keys in the user’s browser according to the password the user has entered. Those keys would be used to release funds (or sign transactions) after a trade has occurred. Since the user interface is pure JavaScript, its integrity can be verified on demand and periodically. Anyone could build a script that would download the .js files of the exchange, calculate the SHA-256 hash of those files and compare the hash to a known hash published by the exchange operators. Whenever the hash does not match, the exchange should be considered unsafe for use.
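
The check described in post #6, as an added example that is not part of the original post or any exchange's code. The file paths, file contents and the manifest format are constructed assumptions, and `fetch` stands in for an HTTPS download so the script runs offline.

```python
import hashlib
import hmac

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def build_manifest(files):
    # Operator side: hash every released file; publish the result out of band.
    return {path: sha256_hex(body) for path, body in files.items()}

def verify_assets(manifest, fetch, served_paths):
    # Client side: check each script the page loads against the manifest.
    report = {}
    for path in sorted(set(manifest) | set(served_paths)):
        if path not in manifest:
            report[path] = "unlisted"   # extra script the operators never published
            continue
        try:
            body = fetch(path)
        except KeyError:
            report[path] = "missing"    # published file is no longer served
            continue
        same = hmac.compare_digest(sha256_hex(body), manifest[path])
        report[path] = "ok" if same else "mismatch"
    return report

def is_safe(report):
    # Any status other than "ok" means the interface should not be trusted.
    return all(status == "ok" for status in report.values())

# Constructed sample data (not real exchange files).
RELEASED = {
    "/js/app.js": b"function placeOrder(o) { return sign(o); }\n",
    "/js/keygen.js": b"function deriveKey(pw) { return kdf(pw); }\n",
}
MANIFEST = build_manifest(RELEASED)

# Constructed altered copy: one file modified, one script added.
TAMPERED = dict(RELEASED)
TAMPERED["/js/keygen.js"] += b"// modified after release\n"
TAMPERED["/js/analytics.js"] = b"/* not in manifest */\n"

if __name__ == "__main__":
    for name, site in (("released", RELEASED), ("tampered", TAMPERED)):
        report = verify_assets(MANIFEST, site.__getitem__, site)
        print(name, report, "SAFE" if is_safe(report) else "UNSAFE")
```

The "unlisted" status matters because hashing only the known files would not notice a newly added script. The manifest has to reach the verifier through a channel the web server does not control, otherwise whoever changes the files can change the published hashes too.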


#7

Seeing how many exchange operators have been able to run away with customers’ money, and seem to get away with it, it is not a surprise that some operators regard exchanges often being hacked to be a feature, not a problem.

/mercury-alpha-released-dex/1688/7

/the-decentralized-exchange-development-watcher-thread/1572/6

/on-the-topic-of-exchanges/1658/11