Web Host Chat - The UK's host forum since 2001!
New Silk Road hit with $2.6 million heist due to known Bitcoin flaw

"Transaction malleability," which worried Mt. Gox and Bitstamp, strikes again.

Not only are Bitcoin trading sites like Bitstamp and Mt. Gox susceptible to the recent acceleration of the "transaction malleability" problem, but apparently the Silk Road—or at least its newest incarnation—is too.

Is this the end for Bitcoin as we know it?
Posted by JamieBeeston.
Published 10:25, Mon 17 Feb 2014.
Viewed 127 times.
Remember that wave of fraudulent attacks sweeping the Bitcoin exchanges? It’s still going on, and this time the attackers pilfered an estimated $2.6 million worth of bitcoins from Silk Road 2, the second incarnation of the venerable online drugs-and-hitmen marketplace.

In an “I am sweating as I write this” message to the platform’s denizens, Silk Road admin Defcon conceded that everyone’s cash was gone. “I should have taken MtGox and Bitstamp’s lead and disabled withdrawals as soon as the malleability issue was reported,” he sweated. So much for escrow.

On Thursday "Defcon," one of the anonymous administrators of the Silk Road, declared ominously: "We have been hacked." (The message was later reposted in full to reddit.)
According to rough estimates by Nicholas Weaver, a computer security researcher at the International Computer Science Institute in Berkeley, California, the exploit has resulted in the site losing approximately 4,400 bitcoins, presently worth around $2.6 million, that were taken from Silk Road’s escrow account.

Weaver told Ars that he came up with that figure by writing a script that looked at all the Bitcoin wallet addresses and transaction IDs (TXIDs) that Defcon published, and added up the total value.

As Defcon wrote:

Nobody is in danger, no information has been leaked, and server access was never obtained by the attacker.

Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as "transaction malleability" to repeatedly withdraw coins from our system until it was completely empty.

Despite our hardening and pen-testing procedures, this attack vector was outside of penetration testing scope due to being rooted in the Bitcoin protocol itself.

A feature and a bug?

While this vulnerability has been known since 2011, it has only recently become a notable threat to Bitcoin exchanges and sites like Silk Road that have large shared pools of transactions.
"I think that it’s not a vulnerability in Bitcoin, it’s an interaction between a mal feature in Bitcoin and how people have implemented withdrawal systems in Bitcoin," Nicholas Weaver told Ars.

"They have a model where when you do a withdrawal it monitors the blockchain and if it doesn’t go through after a certain time it tries again. Rather than looking for the contents of the transaction it looks for the transaction ID. What the person does is they see the transaction posted and modify it slightly so the ID is different, and they broadcast that widely. They’re not fake transactions. It’s broadcasting a version of the same transactions but with a different transaction ID number. Otherwise they are identical."

"It’s the accounting system that effectively has a bug in it. Part of the reason that the transaction ID is not protected by the signature is so I could say pay 100 bitcoins to this address, and other people can add in. That’s the reason why transaction IDs are not cryptographically protected. It is a feature, not necessarily a bug. I have no idea [why it’s accelerated now], apart from attacker imagination," Weaver added. "A week ago nobody thought, 'The accounting IDs may be busted, I should try changing transaction IDs and seeing if it works.' [The way to fix this is] to have automated accounting systems look to transactions not the transaction IDs, then you can prevent this problem."
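As an added example (not from the article, and not Silk Road's or any exchange's code), the accounting bug Weaver describes modelled in Python: a withdrawal tracked by its txid is retried when a re-encoded copy of the same transaction confirms under a different id, whereas tracking the committed contents settles it. The transaction fields, the two signature encodings and the sample withdrawal are all constructed for this example.

```python
import hashlib
import json

# Constructed model of a Bitcoin-style transaction (field names are this
# example's own, not Bitcoin's wire format). The txid hashes the whole
# serialisation, including the unlocking script that carries the signature,
# but the signature does not commit to that script's own encoding: so two
# encodings of one valid signature give two txids for the same payment.

def txid(tx):
    payload = json.dumps(tx, sort_keys=True).encode()
    return hashlib.sha256(hashlib.sha256(payload).digest()).hexdigest()

def content_id(tx):
    """Identifier over what the signature does commit to: which outputs are
    spent and where the coins go. Unchanged by re-encoding the signature."""
    committed = {"spends": [[i["prev_txid"], i["vout"]] for i in tx["inputs"]],
                 "outputs": tx["outputs"]}
    return hashlib.sha256(json.dumps(committed, sort_keys=True).encode()).hexdigest()

def to_retry_by_txid(pending, confirmed):
    """The accounting the article describes: a withdrawal counts as settled
    only if its original txid appears on chain, otherwise it is sent again."""
    seen = {txid(t) for t in confirmed}
    return [w["withdrawal_id"] for w in pending if txid(w["tx"]) not in seen]

def to_retry_by_content(pending, confirmed):
    """Hardened accounting (Weaver's suggested fix): match on the committed
    contents, so a relayed copy with a different txid still settles it."""
    seen = {content_id(t) for t in confirmed}
    return [w["withdrawal_id"] for w in pending if content_id(w["tx"]) not in seen]

# Constructed sample: one customer withdrawal of 1.5 BTC from a hot-wallet output.
ORIGINAL = {
    "inputs": [{"prev_txid": "aa" * 32, "vout": 0, "script_sig": "sig-encoding-A"}],
    "outputs": [{"address": "customer-address-constructed", "btc": 1.5},
                {"address": "hot-wallet-change-constructed", "btc": 0.49}],
}
# The copy that actually confirmed: same signature, alternative encoding of the
# unlocking script (modelled by a different script_sig label), hence a new txid.
RELAYED = json.loads(json.dumps(ORIGINAL))
RELAYED["inputs"][0]["script_sig"] = "sig-encoding-B"

PENDING = [{"withdrawal_id": "W-1", "tx": ORIGINAL}]

def demo():
    """Reconcile the pending withdrawal against a chain containing only RELAYED."""
    confirmed = [RELAYED]
    return {"retry_by_txid": to_retry_by_txid(PENDING, confirmed),
            "retry_by_content": to_retry_by_content(PENDING, confirmed)}

if __name__ == "__main__":
    print(demo())  # {'retry_by_txid': ['W-1'], 'retry_by_content': []}
```

The txid-keyed reconciler would pay W-1 a second time even though the coins already moved; the content-keyed one recognises the relayed copy as the same payment.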
Source Link: gigaom.com
Comments on this
  • Pure BS... Either this SR2 site is run by utter buffoons that have no idea how to write even semi decent code or someone has used this FUD (MtGox attempt at staving off insolvency by blaming bitcoin for their own inadequacies) as cover to effectively steal all the BTC they held in their wallet. Certainly not the end of bitcoin, but perhaps the start of people taking better care of their bitcoins and avoiding sending them to anonymous 3rd parties that will only ever rip them off. Or then again, perhaps not.. idiots usually continue being idiots I guess.
    ••• Mark Castle •••
    16:23, Mon 17 Feb 2014
  • It's a real issue but I thought the timeline was SR2 was the first attack attempt before it hit MtGox. When MtGox hit, they stopped all withdrawals of Bitcoin to prevent the exploit working. The unfortunate side-effect is that it helped precipitate the biggest sell-off in Bitcoin's history.

    www.openitc.co.uk - We create, we host, we connect - Fully Managed VPS & Dedicated Hosting
    17:46, Tue 18 Feb 2014
  • Suggested further reading: http://spectrum.ieee.org/tech-talk/computing/networks/what-you-need-to-know-about-mt-gox-and-the-bitcoin-software-flaw

    I stand by what I said about you've got to have been an idiot to have allowed this issue to let all bitcoins drain away from your service without even basic checks and balances... or more likely you stole the coins yourself and walked away with a big wedge of customers' bitcoins - the latter is more likely I would suggest where SR2 is concerned.

    As for Gox... well... let's all see come Thursday then shall we... could well be meltdown day if they re-enable withdrawals. I guess it will be with very big restrictions to avoid a "run".
    ••• Mark Castle •••
    18:03, Tue 18 Feb 2014
  • I'm not arguing against any of your points - I agree, you'd have to be pretty stupid to be paying out without checks and balances in place.

    As for whether fraud was the real reason for SR2, I'm not so sure. I can imagine the person who set it up was either going to make a long term investment out of it or they had planned to defraud everyone from the start so the exploit was just a convenience.

    www.openitc.co.uk - We create, we host, we connect - Fully Managed VPS & Dedicated Hosting
    23:26, Tue 18 Feb 2014
  • Well, this is not a 'new flaw' but a well known issue, and any organisation relying on TXIDs (or anything potentially reusable/resendable) for handling a 3rd party's money is clearly deliberately negligent.

    As to whether SR2 really has been 'done' or as is more-often the case in Anonymous Bitcoin services, simply 'done-a-runner' with all the money is debatable ...

    The coinlenders 'hack' was simple theft by the operator
    The inputs.io 'hack' was theft by the operator
    And dozens of others on bitcointalk claiming 'hack' have all just been theft by the operators
    This SR2 issue sounds like more-of-the-same

    Whether anyone who lost out learns to look after their cash better remains to be seen, as all the evidence points to Darwin being incorrect !
    02:26, Wed 19 Feb 2014