Hackers found security weaknesses that allowed them to overdraw accounts with Flexcoin and Poloniex, two websites that facilitate bitcoin transactions, and exploited them to steal bitcoins from the two services. The attacks put Flexcoin out of business and cost Poloniex's users 12.3 percent of their bitcoins.
Flexcoin, which described itself as the "world's first bitcoin bank," announced Monday that it was closing down after hackers stole 896 bitcoins worth around US$600,000 from its "hot wallet" -- a bitcoin wallet connected to the Internet. The company released more details about the hack in an update posted on its website late Tuesday.
The attacker first created a new Flexcoin account and deposited some bitcoins into it, Flexcoin said in the update. He then "successfully exploited a flaw in the code which allows transfers between flexcoin users. By sending thousands of simultaneous requests, the attacker was able to 'move' coins from one user account to another until the sending account was overdrawn, before balances were updated. This was then repeated through multiple accounts, snowballing the amount, until the attacker withdrew the coins."
The company described the vulnerability as a flaw in its front-end, but did not clarify why its system didn't account for overdrawing.
"The description from Flexcoin reminds me of vulnerabilities I used to see in online banking applications 10 years ago," said Amichai Shulman, CTO of security firm Imperva, via email. "An individual vulnerability is excusable, not having monitoring in place to timely detect it is not."
"Without more details, it's hard to say exactly how complex the condition was, but the fact that it required multiple active accounts and requests does make it less likely that they would have found this condition through basic testing," said Tim Erlin, director of security risk strategy at security firm Tripwire, via email.
However, whether the vulnerability was complex or basic is not as important as the impact it had, Erlin said. "The seriousness of the flaw is evidenced by the impact: Flexcoin is out of business."
A bitcoin exchange called Poloniex also announced Tuesday that an attacker stole 12.3 percent of its funds using a technique that resulted in overdrawn accounts. However, it's not clear if the attack is related to the one against Flexcoin.
"The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time," a user named busoni, who identified himself as the owner of the Poloniex exchange, said on the BitcoinTalk forum. "This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon. The major problem here is that the auditing and security features were not explicitly looking for negative balances."