
BitGrail lost $170M because only client-side validation was used - tommoor
https://twitter.com/bascule/status/962740918053888000
======
PricelessValue
Reminds me of coinbase using mongodb with silent fail and no ACID transactions
a few years back. And of course the mtgox fiasco. The amount of amateurishness
in the cryptocurrency ecosystem is disappointing.

~~~
seabird
Hilariously enough, the only people to reliably _not_ completely biff
cryptocurrency service implementation have been illegal market sites. If they
didn't plan to run off with the money in the first place, sites like these
managed to operate for years at a time before (inevitably) being crushed by
the long arm of the law. Talk about do-or-die code correctness and validation!

~~~
theparanoid
BitWasp has had security bugs.

~~~
seabird
I'm going to wager that very few (if any) illegal marketplaces trusted a
codebase they didn't write entirely in-house, but that is just conjecture.

------
kaivi
There is a chat group in Telegram, called "BitGrail Trollbox". It doesn't have
a direct link, but one can join when searching the group name through client
application. The Bomber dude is there, and it seemed like there is a
discussion about what car to buy with all that money. I was removed from it
the instant I joined, maybe someone can join and quickly dump the chat log?

~~~
yorby
What car to buy with $170M? It must be a kid...

~~~
bb88
What country do you want to buy?

~~~
yorby
You probably could buy a really small island but it is probably a bad
investment since they are saying that the sea levels will rise...

------
fabian2k
This seems to be based entirely on an anonymous post, at least as far as the
linked tweet goes. It wouldn't really surprise me anymore if anything like
this happened, but there doesn't seem to be any evidence here. Or did I miss
something here and there is more than just the anonymous post here?

~~~
chrishn
Yeah, who'd believe an anon on 4chan...

------
ukulele
The referenced post [0] came to the same conclusion as my first thought: this
was very possibly an intentional security hole to allow someone on the team to
get away with something.

[0]
[https://amp.reddit.com/r/CryptoCurrency/comments/7wonkf/the_...](https://amp.reddit.com/r/CryptoCurrency/comments/7wonkf/the_stolen_xrb_has_already_been_redistributedsold)

~~~
highace
Don't attribute to malice what can be explained by stupidity ;)

There's been a shockingly high amount of young inexperienced devs involved in
building for crypto. I remember making similar mistakes when I was starting
out as a dev... except I wasn't solely responsible for systems handling
millions of dollars.

~~~
ukulele
Therein lies my skepticism. It's an industry that seems to be full of "oops we
lost your money, trust me" problems. Malice becomes a lot more likely when
life changing sums of money are involved.

~~~
jpatokal
Remember, a lot of these cryptocoins started out as toys, experiments or get-
rich-quick schemes that were never seriously designed to handle millions of
dollars. MtGox is perhaps the classic example here: the biggest Bitcoin
exchange of its time started out life as a Magic the Gathering trading cards
exchange, and just kept on hacking on that shitty codebase until it inevitably
got pwned.

------
philfrasty
They had multiple other "problems", too. See for example
[https://www.reddit.com/r/RaiTrade/comments/7n0ou8/an_explana...](https://www.reddit.com/r/RaiTrade/comments/7n0ou8/an_explanation_of_how_the_shitshow_that_youve/)

The chat log from Exchange-Owner + Nano-team also speaks volumes
[https://www.dropbox.com/s/3g38y67luolfvqs/Colin_ZS_Bitgrail_...](https://www.dropbox.com/s/3g38y67luolfvqs/Colin_ZS_Bitgrail_chat_log.pdf?dl=0)

------
redm
I'm not so sure this was intentional, as some people have speculated, nor do I
see any evidence that a check was not previously in place. Remember when
Dropbox allowed anyone to login to an account without a password? [0] That
doesn't mean Dropbox never checked passwords, or intentionally dropped the
check. Especially in the crypto space, iteration happens fast and bugs like
this can come up. It seems pretty obvious that they not only had a defect, but
did not have the appropriate monitoring, or alerting in place to identify
the issue either. I try not to leave coin on exchanges due to hacking,
bankruptcy, fraud, etc.

[0] [https://www.cnet.com/news/dropbox-confirms-security-glitch-n...](https://www.cnet.com/news/dropbox-confirms-security-glitch-no-password-required/)

~~~
StreamBright
"Especially in the crypto space, iteration happens fast and bugs like this can
come up."

You think it is ok in the crypto space to introduce bugs like this?

~~~
sincerely
I am struggling to read their comment in a way that suggests that.

------
almostApatriot1
I don't buy this claim. Negative numeric values would break the backend in 99%
of scenarios.

I also don't really buy the claims he personally was involved in stealing the
xrb. Bitgrail has existed for a while, and presumably the owner would have
some interest in XRB, probably owning a substantial amount since it was worth
nothing. Considering its meteoric rise, he probably became rich himself.

So why try to steal 170 million dollars in a scam where you're bound to be
accused of being suspect number 1?
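The failure mode the thread is arguing about (a withdrawal path that trusts the amount the browser sends, including a negative one, with no server-side check and no alerting) as an added example; this is illustrative code, not BitGrail's, and the in-memory `Ledger` class and both `withdraw_*` functions are constructed for it:

```python
from decimal import Decimal, InvalidOperation
import threading


class Ledger:
    """Constructed in-memory stand-in for an exchange's balance table."""

    def __init__(self, balances):
        self.balances = {user: Decimal(v) for user, v in balances.items()}
        self.lock = threading.Lock()
        self.alerts = []  # where a real service would page an operator


def withdraw_trusting_client(ledger, user, amount_from_client):
    """Vulnerable: assumes the JavaScript form already validated the amount.
    A negative amount is applied as sent, so it credits instead of debits."""
    ledger.balances[user] -= Decimal(amount_from_client)
    return ledger.balances[user]


def withdraw_server_checked(ledger, user, amount_from_client):
    """Hardened: parse, validate, check funds and debit in one critical section.
    Anything the client could have tampered with is re-validated here."""
    try:
        amount = Decimal(str(amount_from_client))
    except (InvalidOperation, ValueError):
        raise ValueError("amount is not a number")
    # is_finite() is checked first: comparing NaN would raise, not reject
    if not amount.is_finite() or amount <= 0:
        ledger.alerts.append(f"rejected non-positive amount {amount} for {user}")
        raise ValueError("amount must be positive")
    if amount != amount.quantize(Decimal("0.000001")):
        raise ValueError("too many decimal places")
    with ledger.lock:  # check and debit together, never as two separate writes
        balance = ledger.balances.get(user, Decimal(0))
        if amount > balance:
            ledger.alerts.append(f"insufficient funds: {user} asked {amount}, has {balance}")
            raise ValueError("insufficient funds")
        ledger.balances[user] = balance - amount
        return ledger.balances[user]
```

The alert list stands in for the monitoring that redm notes was missing: every rejected request is recorded so that a burst of negative or oversized amounts becomes visible to operators.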

~~~
cmer
I've been closing this very closely for a few months. I think he thought he
could arbitrage and benefit from the increase in BTC's price and get away with
it somehow. The market came crashing down, XRB got listed on Binance and
Kucoin and a lot of shadiness happened right around the same time.

I was expecting this "hack" to be announced and founder to exit-scam just
based on his behaviour and actions he was taking.

I wouldn't be surprised at all if he ended up in jail.

------
latchkey
Another interesting link that puts together a timeline of events:
[https://www.reddit.com/r/CryptoCurrency/comments/7wp334/the_...](https://www.reddit.com/r/CryptoCurrency/comments/7wp334/the_bitgrail_hack_what_we_know_and_what_we_dont/)

------
justherefortart
If this is legitimate, it's hilarious.

------
bb88
That's one way to short a cryptocurrency.

------
jimjimjim
remember, just ship it. doesn't work? ship it and let the users tell us what's
wrong. maintenance nightmare? ship it and then ship its replacement later.
not designed for security? just get bob's cousin, who says he's a hacker, to
try it, then ship it.

------
lsmod
php has nothing to do with it. Can't say the same for the second part though.

------
LyalinDotCom
Hire great people with a passion for the trade and most employers won’t have
to suffer through crap like this.

~~~
bdcravens
I believe we're seeing a generation of developers with passions for things
like client-side development and the "disruption" of cryptocurrency, who don't
see the server-side as the true gold in the vault that it is.

~~~
brailsafe
While I don't necessarily disagree, wouldn't this be more of an example of
naive server-side development? One of the first things you learn as an
educated front-end developer is that you don't trust the client.

~~~
dictum
MITM proxies are like port scanners - open secrets, trees full of low hanging
fruit. Every developer should play with one. It's eye-opening.

~~~
brailsafe
Agreed.

