MapleChange’s explanation as to how it was hacked is leading to more questions…
The small Canadian cryptocurrency exchange MapleChange has found itself in the limelight this week, following an apparent hack on its servers that saw it go offline, leaving many irate customers wanting their refunds.
Fuel was poured on this particular fire too when MapleChange’s idea of crisis management was to promptly remove its social media channels, the only way it realistically had of communicating just what had happened. As such, it’s been fighting off accusations of an exit scam ever since.
Furthermore, as we reported yesterday, its social media channels came back online coincidentally after some users managed to track the people behind the exchange down.
Now, MapleChange has posted – via Pastebin, in a post marked ‘Untitled’ – an explanation as to just what happened last weekend, although it doesn’t seem to be placating too many people just yet.
It argues that its hack occurred after it upgraded its software on October 27th, an upgrade that had been pre-empted on its Twitter account.
It explained that MapleChange “was originally constructed based off the open-source framework called Peatio”. The update it undertook last week saw it move its source from “Ruby 2.2.1 and Rails 4 to 2.5.1 and Rails 5 respectively”, which in turn it says “required massive rewrites to the code and enhancements such that it would be compatible with the new dependencies”.
“We believe this is primarily one of the sources for the bug. Had this following function been properly monitored, it would’ve raised an error when one would go below negative balance and simply error out the entire order without continuing”.
But that didn’t happen.
Instead, MapleChange argued that the hackers were well aware of how the code would run (which itself begs a security question or two), and thus started using it to remove funds from accounts. That an exploit was in place to remove funds from one account and add them to another, with no limits in place (which begs even more security questions).
This was one of two possible methods by which MapleChange reckons it was hacked. The other, it says, “would have to do with how the orders were forced into the order book without any restrictions. This may have been largely due to the fact we have upgraded the entire engine”.
Judging by the Twitter responses to the post, it’d be fair to say that not everyone is convinced by the explanation. Here’s just a sample…
— CryptoFatCat (@bbmk859) October 31, 2018
Opensource Crypto Exchange script… Ouch… So you basically were running WordPress? 😀
— SC (@samplescanadaca) October 30, 2018
Why aren’t you responding to @CryptoKoson or Nerva? You bypassed and ignore me while sending our users coins to a random community member. Additionally, if you only had 30kUSD worth “stolen” why did you shut down. There are so many holes in this story. And where’s my XMR? #Shady
— Mutex Crypto (@mutexcrypto) October 30, 2018
MapleChange reckons it’s trying to refund as many users as it can. Its website still points to a GoDaddy holding page, incidentally, and has been down all week.