dashed-slug.net forums, General discussion: User created fictitious coins
This topic has 3 replies, 2 voices, and was last updated 2 years, 2 months ago by alexg.
June 19, 2022 at 7:04 am, #11820, LeinAd (Participant)
Hey Alex. I wrote you an email about this. How can a user add coins to his account without a deposit and then withdraw them from the hot wallet?
August 9, 2022 at 7:09 am, #11982, alexg (Keymaster)
Hello,
This is very easy to do with wallets 6.0.0 from the admin interface. In previous versions of the plugin you had to insert rows to the database or perform an airdrop.
with regards
P.S. Apologies for the late reply. I wasn’t notified about this thread. I will look into this.
August 16, 2022 at 1:47 pm, #12023, LeinAd (Participant)
You understood me wrong. I am running wallet 5.x.
Someone added more coins to their account and I don’t know how. As an example: he added 1 ETH to his account without making a deposit. That means he somehow did it by order. This ETH wasn’t about CoinPayments. But since he now has this ETH in his account, he could withdraw it. That went on until the hot wallet was empty.
Somehow coins were added, the database found it OK and gave her the OK for the withdrawal.
August 17, 2022 at 8:56 am, #12024, alexg (Keymaster)
OK, now I understand your question.
It is not possible for users to add a transaction manually via the plugin. I am not aware of any security vulnerabilities in the plugin that would allow this. If you find any, please let me know.
WordPress is not very secure by default, because it’s a popular platform, and because of plugins of varying quality. You need to work hard to make it secure. Keep up with updates, only install a small set of reputable plugins, harden the security in other ways, etc.
If a hacker has managed to gain admin access, they can manipulate the database freely. This is why, as I have already mentioned, you must save the access logs immediately after the breach, before they are tampered with. A security analyst can check the logs (web logs and database logs) to see when someone might have inserted a row and from which IP.
As a precaution, because there is no such thing as a secure system, you must always keep a large percentage of the user balances in cold storage. This way, in case of a breach, not all funds are stolen. Since even large exchanges with dedicated security teams get hacked routinely, you cannot expect your WordPress installation to be 100% secure. You must take additional precautions. I have added disclaimers about this in the plugin.
If the hacker was not very smart and did not use a relay, then you can use the time and IP you get from the logs to go to the police. I am not an expert in how this works, but this is the general idea.
Hope this helps. Best of luck.
with regards
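The reply above suggests that an analyst check the web server and database logs to find when a transaction row was inserted and from which IP. The following script, added here as an illustration and not code from the plugin or from anyone in this thread, shows one way to do that correlation offline: it parses Apache combined-format access log lines and a MySQL general query log, finds INSERT statements into a given transactions table, and lists the web requests that arrived within a time window around each insert, grouped by client IP. All log lines are constructed sample data, and the table name `wp_example_txs` is a placeholder, not the plugin's real table.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample Apache combined-format access log lines (not real data).
ACCESS_LOG = """\
203.0.113.7 - - [17/Aug/2022:08:40:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Aug/2022:08:40:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [17/Aug/2022:08:40:30 +0000] "GET / HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Aug/2022:08:41:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 55 "-" "Mozilla/5.0"
198.51.100.23 - - [17/Aug/2022:09:15:00 +0000] "GET /wallet/ HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

# Constructed MySQL general-query-log excerpt. The table name wp_example_txs is a
# placeholder for whatever table holds the wallet transactions on the real site.
MYSQL_GENERAL_LOG = (
    "2022-08-17T08:41:11.512345Z\t   42 Query\t"
    "INSERT INTO wp_example_txs (account, symbol, amount) VALUES (17, 'ETH', 1.0)\n"
    "2022-08-17T09:15:02.000000Z\t   43 Query\t"
    "SELECT * FROM wp_example_txs WHERE account = 17\n"
)

# Apache combined log format: client IP, identity, user, [timestamp], "request", status, ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# MySQL general log (file output): ISO timestamp, tab, connection id, "Query", tab, SQL text.
MYSQL_RE = re.compile(r'^(?P<ts>\S+)\t\s*(?P<conn>\d+) Query\t(?P<sql>.*)$')


def parse_access_log(text):
    """Return a list of (timestamp, ip, request, status) for each parseable line."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m.group("ip"), m.group("req"), int(m.group("status"))))
    return events


def find_inserts(text, table):
    """Return (timestamp, sql) for every INSERT into `table` found in a MySQL general log."""
    insert_re = re.compile(r'^\s*INSERT\s+INTO\s+' + re.escape(table) + r'\b', re.IGNORECASE)
    hits = []
    for line in text.splitlines():
        m = MYSQL_RE.match(line)
        if not m:
            continue
        sql = m.group("sql")
        if insert_re.match(sql):
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
            hits.append((ts.replace(tzinfo=timezone.utc), sql))
    return hits


def correlate(access_events, inserts, window_seconds=30):
    """For each INSERT, collect web requests within +/- window_seconds, grouped by client IP."""
    report = []
    for ts, sql in inserts:
        lo = ts - timedelta(seconds=window_seconds)
        hi = ts + timedelta(seconds=window_seconds)
        by_ip = defaultdict(list)
        for ets, ip, req, status in access_events:
            if lo <= ets <= hi:
                by_ip[ip].append((ets.isoformat(), req, status))
        report.append({"insert_time": ts.isoformat(), "sql": sql,
                       "requests_by_ip": dict(by_ip)})
    return report


def history_for_ip(access_events, ip):
    """All requests made by one client IP, oldest first, to trace how the session began."""
    return sorted((ets.isoformat(), req, status)
                  for ets, cip, req, status in access_events if cip == ip)


if __name__ == "__main__":
    events = parse_access_log(ACCESS_LOG)
    inserts = find_inserts(MYSQL_GENERAL_LOG, "wp_example_txs")
    print(json.dumps(correlate(events, inserts), indent=2))
    for ip in {ip for r in correlate(events, inserts) for ip in r["requests_by_ip"]}:
        print(ip, history_for_ip(events, ip))
```

On the constructed sample, the only INSERT lands one second after a POST to `/wp-admin/admin-ajax.php` from 203.0.113.7, and `history_for_ip` then shows that the same address logged in at `/wp-login.php` a minute earlier. The window size and the table name are parameters because real sites differ; the point of the script is the method (tie a database write to the web requests that bracket it), which is also why both logs must be preserved unmodified before anyone starts cleaning up.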