The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time. This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon.”
The hack resulted in the theft of 12.3% of Poloniex’s total Bitcoin supply, or a little over 76 BTC according to Blockchain. Relative to the Mt.Gox and Flexcoin thefts, this number is quite small, amounting to roughly $50,000. But D’Agosta explained that he was unable to cover the loss.
If I had the money to cover the entire debt right now, I would cover it in a heartbeat. I simply don’t, and I can’t just pull it out of thin air.
He did, however, outline a plan for fixing the problem and keeping the exchange afloat until lost user funds could be repaid.
The exchange funds are 12.3% short. Because there is not enough BTC to cover everyone’s balances, all balances will temporarily be deducted by 12.3%. Please understand that this is an absolute necessity–if I did not make this adjustment, people would most likely withdraw all their BTC as soon as possible in order to make sure they weren’t left in that remaining 12.3%. Aside from the obvious drawback of most of the BTC being taken out of the exchange, this would not be fair–some people would get all of their money right away, and a few would get none right away.
Reaction to this hack has been relatively mild, and even supportive, as D’Agosta’s candor about the situation seems to have resulted in begrudging acceptance from customers. The attitude seems to be that, as bad as the loss is, at least it’s not Mt.Gox. Trading and withdrawals on Poloniex were resumed a few hours after the attack following the implementation of code fixes.
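The flaw described in the quote at the top is a check-then-act race on the balance. The sketch below is an added example, not Poloniex's code or its actual fix: it models several simultaneous requests that all pass the balance check before any debit lands, then shows one common remedy, a single conditional UPDATE. The schema, function names and amounts are assumptions constructed for illustration.

```python
import sqlite3

def make_db(balance):
    # Constructed schema: one account plus the queue a payout daemon would read.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    db.execute("CREATE TABLE withdrawals (account INTEGER, amount INTEGER)")
    db.execute("INSERT INTO accounts VALUES (1, ?)", (balance,))
    return db

def has_funds(db, account, amount):
    # Racy handler, step 1: read the balance and decide.
    row = db.execute("SELECT balance FROM accounts WHERE id = ?", (account,)).fetchone()
    return row[0] >= amount

def debit_and_queue(db, account, amount):
    # Racy handler, step 2: debit and insert a row that looks valid to the daemon.
    db.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, account))
    db.execute("INSERT INTO withdrawals VALUES (?, ?)", (account, amount))

def racy_burst(db, account, amount, n):
    # Model n near-simultaneous requests: every check runs before any debit lands.
    approved = [has_funds(db, account, amount) for _ in range(n)]
    for ok in approved:
        if ok:
            debit_and_queue(db, account, amount)

def atomic_withdraw(db, account, amount):
    # Check and debit in a single statement inside one transaction.
    with db:
        cur = db.execute(
            "UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?",
            (amount, account, amount))
        if cur.rowcount != 1:
            return False  # insufficient funds: nothing is queued
        db.execute("INSERT INTO withdrawals VALUES (?, ?)", (account, amount))
        return True

def state(db):
    balance = db.execute("SELECT balance FROM accounts WHERE id = 1").fetchone()[0]
    queued = db.execute("SELECT COUNT(*) FROM withdrawals").fetchone()[0]
    return balance, queued

if __name__ == "__main__":
    racy = make_db(100)
    racy_burst(racy, 1, 100, 3)
    print("check-then-debit:", state(racy))
    safe = make_db(100)
    results = [atomic_withdraw(safe, 1, 100) for _ in range(3)]
    print("atomic debit:", results, state(safe))
```

A `CHECK (balance >= 0)` constraint on the balance column is a useful second layer, since it makes the database itself reject a debit that would go negative.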