Thursday, December 26, 2013

Hashcows Christmas Eve Hack -- What Now?

I've been around the BTC world for a while now, and people running off with your coins is far from unusual. I lost about 50 BTC in the implosion of Bitcoinica, and I witnessed all the PirateAt40 shenanigans, for example, and there have been more than a few collapsed exchanges and pools. When things go wrong, everyone starts by talking a good game -- "We'll figure out what went wrong and then reimburse people as we're able!" A few days turns into a few weeks, then a month, and then suddenly silence. Then maybe a final message saying, "We're almost done and will reimburse next week..." and that's it.

So what's going to happen with Hashco.ws? At first I thought they might just fix a minor security flaw and then move on, maybe with some 0% fees for those that had BTC stolen, or maybe paying out refunds as they were able. After all, we're "only" talking about a 40 BTC heist, give or take. However, 40 BTC is still worth roughly $30,000, so for two guys running a pool that could represent a lot of money. And if they can't actually fix the security vulnerability properly, calling it quits might be best.

At present, the Hashco.ws site is in "read-only mode" for BTC withdrawals, and if you weren't actively logged in at the time the site went into lockdown, you can't see your balances, workers, etc. I'm lucky in that I have a PC that was logged in, so I can see what's going on. I have nearly 0.40 BTC in earnings I haven't yet collected, and I'm certainly worried that I may never be able to collect. Not surprisingly, my choice has been to move my mining operations elsewhere on most of my systems -- Middlecoin is my poison of choice for now, so we'll see how that goes.

I wish those involved with Hashco.ws the best of luck, and I really hope they can rectify the problems and get the site back up and running, but even though my current estimated payout per day is looking quite good (something like 0.02 BTC per MHash), I'm not going to risk mining there until they're running properly, with working logins and payouts. I'd suggest at the very least diversifying your mining portfolio in the short term.

Merry Christmas -- definitely a lousy way to wake up, which is why I'm glad I don't run a mining pool!


Update: Hashco.ws has posted the following as of this evening. It looks like they're trying to do the right thing and cover the losses for most of the miners. How long will it be before the site is back to normal and regains all trust? That's yet to be determined.

As has been mentioned in an earlier update, on December 24th 2013 someone was able to modify the Bitcoin payout addresses of many users of Hashcows, and trigger a manual cashout of current balances. 754 total users (out of a total of 8,142 registered users, 5,000+ of which have a BTC balance > 0) had BTC removed from their accounts, accounting for approximately 14.2% of users who held BTC on Hashcows. A total of 40.7815 BTC was removed and sent to address 13R87ropkDKzDEuVeQoX64kkcLvPWVdTKH. Hashcows staff have followed up with all major exchanges and a number of other large pools to confirm if they had any trace of this address in their systems, which as of this time has not turned up any useful results.

Since the attack was noticed on the 24th, we've placed the site in a locked down read-only mode, and disabled all payouts. While we understand this has caused some frustration among users, not being able to see if their accounts were affected, we felt it was the responsible course of action to take, given we knew we were unable to dedicate the time required to diagnose and address the security issues on Christmas Eve and Christmas Day.

We've been working since this time, both in determining the cause of the attack, and its potential scope, including an external audit of the source code by a trusted 3rd party. At this time the belief is still SQL injection, based on the nature of the attack and how it was carried out. However, regardless of the technical results of ongoing audits, 2 things are confirmed. #1 The web instance and the mining/stratum instances are physically separate. The mining instance remains unaffected by the web based lockdown, which is why mining continues to function as usual. #2 The web front-end is undergoing a rebuild from scratch as we speak, by both myself and another developer, utilizing different technologies, improved security features, and new hardware. We hope to have a basic version of this up in the coming days.

What does this mean in the immediate future? We'd prefer to not turn on write access for the website in its current form, but obviously understand people can't be expected to wait much longer for balances held up by the system (both old balances still intact, and earnings mined over the days since lockdown). We'll be posting a simple tool for people to use, allowing you to login with your credentials, at which point it will send out an email verification link, including your current balance and payment address the site has for you. Once clicked, your balance will be sent to the address specified. If you need to make changes to these details, instructions will be provided on the tool page. We hope to have this posted by tomorrow.

Last but not least, perhaps the question many have been waiting for an answer on. What does Hashcows plan to do about the missing 40 BTC? We've thought long and hard on this, and it's obviously one of the most important decisions we'll have made in our short existence as a pool and community. It's a situation and decision that has hung over us throughout the last couple days spent with family.

Hashcows will be reimbursing every miner 100% of losses incurred on earnings made within the last 7 days prior to the incident (Dec 17th's payout inclusive). This means any funds you earned between Dec 17th and Dec 24th that were cashed out of your account by the attacker will be re-added to your account at Hashcows' expense. This payout will recover 100% of losses for 463 of the 754 affected users. For the remaining 291 users, we'll be offering reduced fees of 0.5% for at least the next 60 days to help with any shortfall.

In closing, both aTriz and I want to make a statement on more of a personal level, we have been absolutely stunned by the community that you have all created with this pool. There has been a tremendous amount of support and encouragement through these not so fortunate times and we would personally like to say Thank You. We look forward to the future of this pool while we begin the rebuilding stage which will continue to bring this wonderful community more features, more safety, more support, and more cows!

nearmiss.
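The statement above names the two things that went wrong: untrusted input reached the SQL that sets payout addresses, and an address change took effect immediately. The following is an added illustration, not Hashcows' code (their schema and payout tool are not public), of how a pool could close both gaps: bind every user-supplied value as a query parameter, hold an address change in a pending table until the emailed confirmation token is used, and have cashouts pay only the confirmed address. Table and column names here are assumptions.

```python
import secrets
import sqlite3

# Constructed in-memory schema standing in for a pool's user table; the table
# and column names are assumptions, not Hashcows' real schema.
SCHEMA = """
CREATE TABLE users (
    username TEXT PRIMARY KEY, email TEXT, payout_addr TEXT, balance REAL);
CREATE TABLE pending_addr (
    token TEXT PRIMARY KEY, username TEXT NOT NULL, new_addr TEXT NOT NULL);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                 ("alice", "alice@example.invalid", "1AliceOldAddress", 0.40))
    return conn

def request_address_change(conn, username, new_addr):
    """Stage a change; users.payout_addr is untouched until the token is used."""
    token = secrets.token_urlsafe(32)
    # Parameterized statement: new_addr is bound as data, so quotes inside it
    # cannot rewrite the query or reach any other user's row.
    conn.execute("INSERT INTO pending_addr VALUES (?, ?, ?)",
                 (token, username, new_addr))
    return token  # in practice embedded in the verification link emailed to the user

def confirm_address_change(conn, token):
    """Apply the staged change for a valid, unused token; tokens are single-use."""
    row = conn.execute("SELECT username, new_addr FROM pending_addr WHERE token = ?",
                       (token,)).fetchone()
    if row is None:
        return False
    username, new_addr = row
    conn.execute("UPDATE users SET payout_addr = ? WHERE username = ?",
                 (new_addr, username))
    conn.execute("DELETE FROM pending_addr WHERE token = ?", (token,))
    return True

def payout_address(conn, username):
    return conn.execute("SELECT payout_addr FROM users WHERE username = ?",
                        (username,)).fetchone()[0]

def cashout(conn, username):
    """Pay the whole balance to the confirmed address only; staged changes are ignored."""
    addr, amount = conn.execute(
        "SELECT payout_addr, balance FROM users WHERE username = ?", (username,)).fetchone()
    conn.execute("UPDATE users SET balance = 0 WHERE username = ?", (username,))
    return addr, amount
```

An address containing quote characters is stored literally rather than altering the statement, and a cashout triggered before the token is clicked still goes to the old address.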

4 comments:

  1. How did hashcows compare to the other mining pools as to ROI? It would seem Doge coin is the coin currently most profitable according to the multi pools? Did you end up with a lot of Doge while with hashcows?

    1. Hashcows was usually better than the other two major multi-coin pools (Middlecoin and Multipool), as far as I can tell. However, the other two don't really publish any information on profitability so it's difficult to say. Anyway, Hashcows was giving me about twice what I would get mining LTC. With DOGE, people did even better (4X or more relative to LTC), but I think that's trailing off now.

    2. I'd have to agree with Jarred and once they are up and running again I'll switch back (been mining DMD since the hack). There is a definite difference in opinions as far as if publishing that information is better or worse. Some say that Middlecoin had a one up on the Doge rush because they don't publish but I haven't tried to mine with them yet.

    3. One thing I really dislike with Middlecoin is that there's no worker information, so you have no easy way to see if one of your rigs stops mining. And as for Multipool, manually having to trade each of the coins can be a real pain. But so far neither of those pools has had a major security flaw that allowed a hacker to steal 40 BTC. :p
