Report of recent events that led to a temporary halt in withdrawals and trades


Introduction: the SVM deposits event

During the afternoon (in US Central time) of the past Sunday we detected a glitch in trading: a user launched a spread of trades in the middle of a massive deposit operation, causing the balances calculator to go haywire and start to accept invalid trades.

But it was not only one user. Many users decided to take advantage of the flaw and started to get massive amounts of SVM and HTML that weren't even present in the hardware wallets.

We started to check the issue, and late that night we noticed that some of the users who made those trades wanted to withdraw their profits. We declined the withdrawals because we needed more time to analyze the situation.

Accounts were disabled

Among the first actions, we disabled some accounts that looked like offenders. We got complaints, but we couldn't let suspicious users go free and keep inflicting damage.

All stop mode engaged

After a long night reviewing evidence, we decided to stop withdrawals and disable posting trade orders. We sent a notification over our social network channels and replied to some users on our Telegram group regarding the decision.

With evidence in hand, we started to roll back trades

It would be easy to just throw down all transactions that happened from a specific hour onwards, but not all trades were invalid and not all users decided to ride the wave and try to get easy cash at other users' and even our expense.

When we started to roll back trades, balances started to make sense, but there was a lot of noise caused by open orders.

All SVM dumps were thrown down

We went to the exchange and started to cancel/close all SVM-related orders. Most of them had no trades, so they were deleted and balances were restored, but many of them had trades, so we just closed them and kept the successful trades.

Then we had a clear way to walk through, and offenders were easy to spot.

Dozens of trades were taken down

All the trades that were rolled back were left in the database, marked as rolled back. Everyone affected by them will see the order reference and the original trade being executed, but with no amounts at all. Even fees were taken down.
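One way to do a selective rollback of this kind, as an added example that is not the exchange's own code: replay the ledger in commit order, mark any trade the seller could not cover as rolled back with amount and fee zeroed, and keep the record. The single-asset trade leg, the field names and the sample events are assumptions made for the illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample ledger in commit order (not data from the incident).
EVENTS = [
    {"id": 1, "type": "deposit", "user": "alice", "asset": "SVM", "amount": Decimal("1000")},
    {"id": 2, "type": "trade", "seller": "alice", "buyer": "bob", "asset": "SVM",
     "amount": Decimal("600"), "fee": Decimal("6")},
    # alice only has 400 SVM left here, so this trade was accepted in error
    {"id": 3, "type": "trade", "seller": "alice", "buyer": "carol", "asset": "SVM",
     "amount": Decimal("600"), "fee": Decimal("6")},
    # carol is spending proceeds of trade 3, so this one falls with it
    {"id": 4, "type": "trade", "seller": "carol", "buyer": "dave", "asset": "SVM",
     "amount": Decimal("500"), "fee": Decimal("5")},
]


def replay(events):
    """Rebuild balances from scratch; return (annotated events, balances)."""
    balances = defaultdict(Decimal)        # (user, asset) -> replayed balance
    result = []
    for ev in events:
        ev = dict(ev)                      # never mutate the original record
        if ev["type"] == "deposit":
            balances[ev["user"], ev["asset"]] += ev["amount"]
        elif ev["type"] == "trade":
            key = (ev["seller"], ev["asset"])
            if balances[key] < ev["amount"]:
                # Seller could not cover it: keep the row, zero amount and fee
                ev.update(status="rolled_back", amount=Decimal(0), fee=Decimal(0))
            else:
                balances[key] -= ev["amount"]
                # Buyer receives the amount minus the fee kept by the exchange
                balances[ev["buyer"], ev["asset"]] += ev["amount"] - ev["fee"]
                ev["status"] = "ok"
        result.append(ev)
    return result, dict(balances)


if __name__ == "__main__":
    annotated, final = replay(EVENTS)
    for ev in annotated:
        print(ev["id"], ev.get("status", "deposit"), ev["amount"])
    print(final)
```

Because balances are rebuilt from zero, trades that depended on an invalid trade are caught in the same pass, while valid trades from the same time window are kept.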

The cherry on top: our email server was affected by an external event

Our web server is detached from the mail server, and the mail server had a software update that took the mail service down. We didn't realize it until a user told us on Telegram that she was sending us emails and we weren't replying. When we saw proof of remittance and no trace of it in our inbox, we discovered the server issue.

Once we fixed the mail issue all emails sent by panicked users started to kick in, but we haven't replied to them at the time of writing this article because we were in the aftermath of the previous events.

The cause

We baptized it "The SVM affair" for a reason: massive deposits kicking in while users were taking advantage of price spikes put there by trolls. The combination of thousands of database operations and dozens of trades caused, as explained above, a glitch in balance calculations. Some of the trades didn't go through, but a couple of users brute-forced the trading system and started to earn profit with invalid trades.

Now, we're still a small exchange, and though we recently upgraded our web server, it doesn't have enough power to deal with the volume coming in from the SVM airdrop that started a few weeks ago.

Finally, the users that brute-forced the trading system were properly identified and we have evidence in logs that clearly shows what they were doing.

Some accounts were re-enabled

Among the list of potential offenders that we disabled, we re-enabled some that didn't systematically cheat the system and only made a handful of trades or were victims of the offenders.

Now here's a thing we want you to understand and memorize: everybody is innocent until they aren't. We have valuable users that notify us when they find a glitch in the systems, and those of you that are reading this and were aware that something was wrong and didn't tell us, well, you're the kind of users that aren't needed anywhere. It is because of this kind of person that we have several locks in place. We might not spot weird behaviors immediately, but we are always watching, and we always take measures to prevent the same problem from happening again.

Greed, always greed

If you have been with us for some time now, you might have noticed that the exchange got flooded by hundreds of SVM sell orders sponsored by users wanting a quick buck by dumping those tokens they got for free.

Sadly for them, SVM is a new token and it doesn't have any value whatsoever, nor any interest from traders of other coins on our website. Only a handful of SVM supporters decided to place buy orders, and among them were a handful of naughty users who made orders that pushed inexperienced/desperate sellers into giving away their tokens for almost nothing of value.

We even replied to many users that didn't review what they were doing when accepting trades at ridiculous rates, e.g. 1 million SVM per 1 Doge, etc.

Actions were taken

One of our previous news posts explains that we enforced the tiers system and restricted payment methods to higher levels. That will help our exchange by making it harder to post orders with payouts by PayPal, deposits to bank accounts, etc., leaving only people with more confidence to buy or sell cryptos for fiat.

But there's another couple of things we implemented: cooldowns and thresholds for order takers. This means that if you want to buy from someone's sell order, you won't be able to make more trades for some seconds/minutes. With this we will prevent floods like the ones that were thrown at us.

Other actions will be taken

There's another measure we will implement: buy/sell order ratios. We're still working on this, but once it is enforced, there will be no chance to dump coins or tokens on sell orders unless there's some corresponding amount of buy orders, e.g. for every 10 buy orders, only 20 sell orders can be live.

Also, we're going to implement forced expiration based on the trader's tier: lower tiers won't be able to have orders sitting forever in the exchange. They will be listed only for a few days.
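A sketch of how the taker cooldown and threshold and the buy/sell order ratio described above can be enforced at order-entry time, as an added example that is not the exchange's own code. The class name, the cooldown, window and threshold values and the reading of "threshold" as a cap on takes per rolling window are assumptions; the 2:1 ratio comes from the post's own example.

```python
from collections import defaultdict, deque

COOLDOWN_S = 30        # assumed: minimum seconds between takes by one user
WINDOW_S = 600         # assumed: rolling window used for the threshold
MAX_TAKES = 5          # assumed: takes allowed per user per window
SELLS_PER_BUY = 2.0    # from the post's example: 10 buy orders -> 20 sell orders


class OrderGate:
    """Hypothetical pre-trade gate checked before an order is accepted."""

    def __init__(self):
        self.takes = defaultdict(deque)    # user -> timestamps of accepted takes
        self.live = defaultdict(lambda: {"buy": 0, "sell": 0})  # market -> counts

    def allow_take(self, user, now):
        """Return (ok, reason) for a user taking someone else's order."""
        history = self.takes[user]
        while history and now - history[0] >= WINDOW_S:
            history.popleft()              # forget takes that left the window
        if history and now - history[-1] < COOLDOWN_S:
            return False, "cooldown"
        if len(history) >= MAX_TAKES:
            return False, "threshold"
        history.append(now)                # only accepted takes are recorded
        return True, "ok"

    def allow_post(self, market, side):
        """Return (ok, reason) for posting a new live order on a market."""
        counts = self.live[market]
        if side == "sell" and counts["sell"] + 1 > counts["buy"] * SELLS_PER_BUY:
            return False, "sell/buy ratio"
        counts[side] += 1
        return True, "ok"


if __name__ == "__main__":
    gate = OrderGate()
    for t in (0, 10, 30, 60, 90, 120, 150, 600):
        print(t, gate.allow_take("user-1", t))
    print(gate.allow_post("SVM/HTML", "sell"))   # rejected: no buy orders yet
```

Both checks only hold under load if they run in the same transaction or lock as the order insert, so two concurrent requests cannot both pass.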

The aftermath: successful trades and "wrong" balances

Among the support requests received by our ticket system we saw many users complaining about being victims of trades at rates disadvantageous to them. On the other hand, we have users complaining because they got 100k SVM for 1 DOGE and it was rolled back.

The exchange order composer has a pretty big section at the top explaining how it works:

Also, when specifying the price, there are instructions shown when clicking on the question mark as shown below:

Those instructions are there so they're read and understood.

Also, there's a help link on the exchange:

That link leads to our exchange crash course:

Even on our website's menu there's a link to that page in the "Docs" menu:

In both places we explain how the dynamic rates work.

Dynamic rates are inferred by the market makers

All cryptocurrency exchanges have a thing in common: they don't decide the exchange rate of a market. Users do that.

As previously mentioned, someone posted a trade for SVM/HTML at a very low rate for SVM and users started to take trades, complaining that they were robbed.

But they just didn't see what they were doing.

Then, after trades started to kick in, the market rates updated all outstanding orders placed by users wanting to dump their SVM at the market price without realizing that if the market had a spike, they would end up giving their tokens out for almost nothing in return.

All because they didn't read instructions, they didn't understand how our systems work, maybe they didn't even know how crypto trading works, and they were there only for quick cash. Need or greed, name it as you like, but this is the sort of thing that happens when you don't do your own research.

We're leaving everything as it is right now.

All balances sum up after our investigation. Some people have more of certain assets and less of other assets because they didn't pay attention to what they were doing.

You'll have to excuse us, because we can't do anything to help you with that. We just take down what affects others or generates invalid numbers in our systems, but we can't undo losses caused by lack of understanding, lack of interest or laziness. We just can't.

In fact, we're unable to interfere in those situations, because you, the users, are the ones responsible for your own actions. We can't take any responsibility whatsoever.

Scammers are everywhere

Part of the problem described above is present in our Telegram group, and even in our online chat.

We received reports of users asking for trades through private messages and running away with the assets.

Agreeing to trade in those channels is like throwing yourself off a bridge just because someone asks you to do so.

That's why we have an escrow exchange.

That's why we are enforcing measures to prevent our platform from being used by scammers.

But all our effort is worth nothing if you, our end users, don't take proper measures yourselves.

Exchange is back online, withdrawals are back online

All systems are back to normal at the time we're publishing this article.

Then we'll get over the support area and start replying to users.

If you submitted a support request, please be patient. We have dozens of messages to read and it will take us several hours to get through them.

Just a favor: don't submit your requests more than once. Don't insist on asking for help on the same issue, because you'll be throwing yourself ahead and it will take us more time to review your case.

Final considerations

Once all systems are open we'll keep checking everything.

And, again, we rolled back invalid transactions, but left those that were successful and didn't add up negative balances or red flags in the ecosystem.

If you go and see your balances and find one of those trades at very low rates not being invalidated, just re-read this document and understand that, when you post an order at a market or dynamic rate, you are betting to earn big or lose big.

That's how open markets behave.

And we're an open market.

     

If you want to ask for help, don't post your inquiry in the comments area below. Send a support ticket. Leave only comments below. We will reply to open questions, but personal inquiries will be deleted.

If you want more information about our evidence, post a support ticket asking for it and stating the very specific reasons why you would need that information.

If you want to get notified of our news posts, please follow us on our social network channels from the info menu.

    

One final reminder: we review withdrawal requests manually. And we tell you that in the assets' withdrawal pages. It takes us time, but we carefully review each case and discard them when a red flag lights up.

No funds are stolen on our watch.

And all our wallets are secure. With the proper funds.

     

Thanks to everyone that patiently waited for us.
And our most sincere apology for taking services down, but we have to do what must be done to keep everyone safe.

    

Sincerely,

Alejandro Caballero
Partner and lead developer.


Warning: we don't send personal messages

If you receive an SMS or a message from Telegram, Twitter, Facebook, etc. from someone saying anything about your account in BCF (compromised, hacked, requiring personal info, etc), it's a lie.

We only contact our users through our helpdesk system and using a specific email address: support@blockchainfinancial.com.
If we need to contact you by email, you'll be told in advance over a ticket and our agent's contact info will be provided.

Protect yourself and help us protect your personal details by reporting to us over our support system when you're contacted outside of our scope, before giving details to the suspect.