February 14, 2014
Known Bitcoin Flaw Results In $2.6M Stolen From New Silk Road Site
Enid Burns for redOrbit.com - Your Universe Online
Online black market site Silk Road and Bitcoin have a tenuous relationship at best. Silk Road accepts payments via the virtual currency Bitcoin, and now the new Silk Road has been hacked: approximately 4,400 bitcoins, worth roughly $2.6 million, were taken from the site's escrow account. News of the heist was posted on Thursday by "Defcon," an anonymous administrator of Silk Road, Ars Technica reports. The full message, titled "SR has been HACKED!," was posted on Reddit.
In his message, Defcon assures the community that personal information of the community of users remains safe. "Nobody is in danger, no information has been leaked, and server access was never obtained by the attacker," the post said. "Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as 'transaction malleability' to repeatedly withdraw coins from our system until it was completely empty."
Two similar attacks occurred earlier in the week, BBC News reports.
So-called "transaction malleability" is documented on the Bitcoin wiki, which describes it as follows:
While transactions are signed, the signature does not currently cover all the data in a transaction that is hashed to create the transaction hash. Thus, while uncommon, it is possible for a node on the network to change a transaction you send in such a way that the hash is invalidated. Note that this just changes the hash, the output of the transaction remains the same and the bitcoins will go to their intended recipient.
However, this does mean that, for instance, it is not safe to accept a chain of unconfirmed transactions under any circumstance, because the later transactions will depend on the hashes of the previous transactions and those hashes can be changed until they are confirmed in a block (and potentially even after a confirmation if the block chain is reorganized). In addition, clients must always actively scan for transactions to them; assuming a txout exists because the client created it previously is unsafe.
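The wiki passage above can be made concrete. The following is an added example written for this page, not code from the article, the Bitcoin wiki, or any Bitcoin implementation. It models the legacy (pre-SegWit) transaction serialization that the txid is computed over, shows that re-encoding a signature as (r, N - s), which is equally valid ECDSA for the same message and key, changes the txid while leaving the outputs byte-for-byte identical, and then shows the two defender-side measures the passage implies: accept only the canonical low-S form, and account for a withdrawal by the coins it spends rather than by the txid it was broadcast with. The R, S, public key and previous txid values are constructed placeholders, not a real signature over anything.

```python
import hashlib
import struct

# Group order of secp256k1. For a valid ECDSA signature (r, s), the pair
# (r, N - s) also verifies against the same message and public key, so a
# transaction's signature can be re-encoded by anyone who sees it, without the key.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def varint(n):
    """Bitcoin CompactSize encoding used for counts and script lengths."""
    if n < 0xfd:
        return bytes([n])
    if n <= 0xffff:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xffffffff:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def der_int(x):
    """DER INTEGER for a positive value: big-endian, 0x00 prefix if the high bit is set."""
    b = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + bytes([len(b)]) + b


def der_sig(r, s, sighash_type=0x01):
    """DER SEQUENCE of (r, s) followed by the SIGHASH_ALL byte."""
    body = der_int(r) + der_int(s)
    return b"\x30" + bytes([len(body)]) + body + bytes([sighash_type])


def push(data):
    """Script push opcode for payloads shorter than 0x4c bytes."""
    return bytes([len(data)]) + data


def serialize_outputs(outputs):
    out = varint(len(outputs))
    for value_sat, script_pubkey in outputs:
        out += struct.pack("<q", value_sat) + varint(len(script_pubkey)) + script_pubkey
    return out


def serialize_tx(inputs, outputs, version=1, locktime=0):
    """Legacy serialization: the scriptSig (and so the signature) is inside the hashed bytes."""
    raw = struct.pack("<i", version) + varint(len(inputs))
    for prev_txid, prev_n, script_sig in inputs:
        raw += bytes.fromhex(prev_txid)[::-1] + struct.pack("<I", prev_n)
        raw += varint(len(script_sig)) + script_sig + struct.pack("<I", 0xFFFFFFFF)
    return raw + serialize_outputs(outputs) + struct.pack("<I", locktime)


def txid(raw):
    """Transaction hash: double SHA-256, shown byte-reversed as Bitcoin displays it."""
    return hashlib.sha256(hashlib.sha256(raw).digest()).digest()[::-1].hex()


# Constructed sample values: R and S are not a real signature, the public key and
# previous txid are placeholders. Only the serialization structure matters here.
R = 0x3A1F5C9E7B2D4F6081A3C5E7F9B1D3F5A7C9E1B3D5F7A9CBDEF0123456789ABC
S = 0x5B2E6D0F8C3A4E7192B4D6F8A0C2E4F6B8DAFC1E3F5A7B9CDEF0123456789ABC
PUBKEY = b"\x02" + bytes(range(32))
PREV_TXID = "aa" * 32
PAYOUT = [(250_000_000, bytes.fromhex("76a914") + bytes(20) + bytes.fromhex("88ac"))]


def build_withdrawal(s_value):
    """A one-input, one-output P2PKH-style spend whose scriptSig carries (R, s_value)."""
    script_sig = push(der_sig(R, s_value)) + push(PUBKEY)
    return serialize_tx([(PREV_TXID, 0, script_sig)], PAYOUT)


def malleability_demo():
    original = build_withdrawal(S)
    mutated = build_withdrawal(SECP256K1_N - S)  # same key, same message, other s
    tail = serialize_outputs(PAYOUT) + struct.pack("<I", 0)
    return {
        "txid_original": txid(original),
        "txid_mutated": txid(mutated),
        "same_outputs": original.endswith(tail) and mutated.endswith(tail),
    }


def is_low_s(s):
    """Canonical-form check (the BIP62 low-S rule): accept only one of s and N - s."""
    return 1 <= s <= SECP256K1_N // 2


class WithdrawalLedger:
    """Keys each withdrawal by the coins it spends, not by the txid it was broadcast
    with, so a mutated copy is recognised as the same payment rather than a failed one."""

    def __init__(self):
        self.spent = {}  # tuple of (prev_txid, prev_n) -> txid first seen spending them

    def record(self, prevouts, raw):
        key, this = tuple(prevouts), txid(raw)
        if key not in self.spent:
            self.spent[key] = this
            return "new"
        return "known" if self.spent[key] == this else "duplicate"


def ledger_demo():
    ledger = WithdrawalLedger()
    return [ledger.record([(PREV_TXID, 0)], build_withdrawal(s)) for s in (S, SECP256K1_N - S)]


if __name__ == "__main__":
    print(malleability_demo())
    print(ledger_demo())
```

Running the block prints two different txids with `same_outputs` true, and the ledger reports the mutated copy as a `duplicate` of a withdrawal it already knows about. A system that instead looked up the original txid, found nothing confirmed, and re-sent the withdrawal would pay twice, which is the failure mode the wiki passage warns against.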
The post informing the community about the hacking included the publishing of the Bitcoin wallet addresses and transaction IDs (TXID) for Silk Road.
Nicholas Weaver, a computer security researcher at the International Computer Science Institute in Berkeley, California, was able to run a script based on the posted TXIDs to come up with the 4,400 bitcoin estimate, Ars Technica reports, though the actual number is still being debated on Twitter.
Transaction malleability has been a concern for bitcoin trading sites including Mt. Gox and Bitstamp.
Silk Road is known as a black market website accessed through Tor, which allows users to browse anonymously. It is also known for its sale and trade of illegal narcotics. The original site was shut down in October, but has since been resurrected in one form or another. Over time the site has also come to rely on bitcoins, and has been known to host gambling paid for in bitcoins.