How Bigrail lost $170.000.000 in Nano - WTF

in #cryptocurrency7 years ago (edited)

As a dev, I'm always interested in how things work - and of course also how thinks should not work.

From time to time really bad news are hitting the crypto community, same happend on Feb 8th when BitGrail got bankrobbed and someone has stolen $170 MIO in Nano. So how the heck is something like that possible?

Now, a few days after the hack, light comes into what happened and the truth is really unbelievable!

There was a bug, on the withdraw page.

But this check was only on java-script client side, you find the js which is sending the request, then you inspect element - console, and run the java-script manually, to send a request for withdrawal of a higher amount than in your balance.

Bitgrail delivered this withdrawal.

How many people did this? Who knows. This bug was later closed.
Discussion on Reddit

So why the hell will someone, who is trying to do a serious business, implement something like that!?
Was there really something within the withdraw page like

if (user.balance >= transaction.value) submit();

How can a dev be that stupid!? I've no words for that

Bitgrail.png