Preview of PDF document poloniex.pdf

Page 1 2 3 4

Text preview

POLONIEX Security review

What is Poloniex?
Poloniex is the largest altcoins trading platform in the world. With over 30 000 bitcoins volume every
day, they are leading the so volatile and controversed altcoins market.
Funded by Tristan d’Agosta, the young director of the Poloniex start-up studied at the Rutgers
University and got his Arts & Music Bachelor in 2009. He firstly created Polonius Sheet Music in
October 2010 before finally launching Poloniex trading platform on January 2014. This success story
let him and his team earn - with approximately 0.01% fees on each trade - a total of 60 bitcoins
every day ($36600/day on 09/10/2016).

Why is Poloniex insecure?
As of 07/10/2016, I have found the 3rd vulnerability in 1 month of my really light testing. Firstly, you
would like to know that I’m in any case an experimented neither diplomed web pen tester but just
someone who likes to know having its funds in security. During those test, I have seen brain
damageable code and irresponsibility of the Poloniex support as well as lack of customers’

This is a list I will come back on my article of Poloniex’ bad coding practice:


Using GET request instead of POST for every crypto currency transactions without any CSRF
tokens! (1)
No type check (2)
Client side security (3)

It would be good to remember that Poloniex has already been hacked and lost 12.3% (approximately
50 BTC) of their Bitcoins. As Poloniex support Busoni declared on bitcointalk, “The hacker discovered
that if you place several withdrawals all in practically the same instant, they will get processed at
more or less the same time. This will result in a negative balance, but valid insertions into the
database, which then get picked up by the withdrawal daemon.” So what did happen really? Poloniex
is using PHP + nginx for their server. Nginx is multithreaded it means it can perform many request at
the same time, if the 2 withdrawals request are being performed in 2 different threads at the same
time both of them will be validated because the first thread didn’t update the number of bitcoins
from one user in the database for the withdraw that the second thread already picked the number of
bitcoins available from it.