Bitcoin Forum
November 09, 2024, 01:50:24 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 3 »  All
  Print  
Author Topic: silk road 2 hacked  (Read 4636 times)
404notfound (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
February 13, 2014, 08:11:38 PM
 #1

How badly will this effect the price?

http://www.reddit.com/r/Bitcoin/comments/1xtsrq/silk_road_got_hacked_all_funds_stolen_cheap_coins/

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

I am sweating as I write this.

Christmas brought grave news. I cannot adequately express how deeply honored I was by your unconditional support of my staff.

I do not expect the same reaction to today's revelations. This movement is built on integrity, and I feel obligated to be forthright with you.

I held myself to a high standard as your leader, yet now I must utter words all too familiar to this scarred community:

We have been hacked.

Nobody is in danger, no information has been leaked, and server access was never obtained by the attacker.

Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as "transaction malleability" to repeatedly withdraw coins from our system until it was completely empty.

Despite our hardening and pentesting procedures, this attack vector was outside of penetration testing scope due to being rooted in the Bitcoin protocol itself.

This attack hit us at the worst possible time. We were planning on re-launching the new auto-finalize and Dispute Center this past weekend, and our projections of order finalization volume indicated that we would need the community's full balance in hot storage.

In retrospect this was incredibly foolish, and I take full responsibility for this decision.

I have failed you as a leader, and am completely devastated by today's discoveries. I should have taken MtGox and Bitstamp's lead and disabled withdrawals as soon as the malleability issue was reported. I was slow to respond and too skeptical of the possible issue at hand. It is a crushing blow. I cannot find the words to express how deeply I want this movement to be safe from the very threats I just watched materialize during my watch.

I've included transaction logs at the bottom of this message. Review the vendor's dishonest actions and use whatever means you deem necessary to bring this person to justice. More details will emerge as we continue to investigate.

Given the right flavor of influence from our community, we can only hope that he will decide to return the coins with integrity as opposed to hiding like a coward.

It takes the integrity of all of us to push this movement forward. Whoever you are, you still have a chance to act in the interest of helping this community. Keep a percentage, return the rest. Don't walk away with your fellow freedom fighters' coins. DPR2 returned the cold storage. I didn't run with the gold. But two people alone cannot move us forward. It takes an entire community committing to integrity - and though this crushing blow will not stop us, it sure is a testament to how greedy some bastards truly are.

Being a part of this movement might be the most defining thing you do with your entire life.

Don't trade that for greed, comrades.

I will fight here by your side, even the greedy bastards amongst us.

This community has suffered great financial loss over and over again, and I am devastated that it has happened again under my watch.

Hindsight is already suggesting dozens of ways this could have been prevented, but we must march onward.

The only way to reverse a community's greed is through generosity. Our true character is revealed during trying times.

If this financial hardship places you at risk of physical harm, contact me directly and I will do my best to help you with my remaining personal funds.

Now what.

Never again store your escrow bitcoins on a server.

Silk Road will never again be a centralized escrow storage.

This week has shown the collateral damage we can cause by being a huge target and failing in just one unforeseen area.

I am now fully convinced that no hosted escrow service is safe.

If I cannot trust myself to keep a hosted escrow solution safe, I cannot trust anyone.

Multi-signature transactions are the only way this community will be protected long-term.

I am aggressively tasking our devs on building out multi-sig support for commonly-used bitcoin clients. Expect a generous bounty if you have the skill to implement this.

Until then.

    We will never again allow ourselves to be a single point of failure. We will never again host your Escrow wallets.

    Vendor registration is closed while we regroup.

    All listings on Silk Road are now No-Escrow (Finalize-Early) for 1-2 months while we implement multi-signature transactions and lobby for mainstream Bitcoin client multi-sig support.

    All unshipped orders have been cancelled.

    Vendors may link to other marketplaces on a trail basis until we launch multi-sig, then we will re-evaluate based on community input. We do not want to be a centralized point of failure, but we also do not want to lead our buyers into dangerous waters.

    From this point forward DO NOT trust markets with centralized escrow. Use multi-signature transactions whenever possible, with trusted third parties as escrow providers.

Everything will be offline for 24-48 hours to minimize variables as we continue to investigate. The evidence we have below will be expanded based on our findings.

No marketplace is perfect. Expect any centralized market to fail at some point. This is precisely why we must unite in the decision to decentralize.

We are relieved that our security procedures protected user identities, and that no servers were compromised. This was not a worst-case scenario: nobody will be getting arrested from this. Financial loss is terrible, but will not put all of us behind bars.

The details we have on the hacker are below. Stop at nothing to bring this person to your own definition of justice.

Humbled and furious,

Defcon
seleme
Legendary
*
Offline Offline

Activity: 2772
Merit: 1028


Duelbits.com


View Profile WWW
February 13, 2014, 08:14:16 PM
 #2

Oh yeah, let's use malleability problem we never heard of before to steal your coins Cheesy

We might hear few of these more.

       ███████████████▄▄
    ██████████████████████▄
  ██████████████████████████▄
 ███████   ▀████████▀   ████▄
██████████    █▀  ▀    ██████▄
███████████▄▄▀  ██  ▀▄▄████████
███████████          █████████
███████████▀▀▄  ██  ▄▀▀████████
██████████▀   ▀▄  ▄▀   ▀██████▀
 ███████  ▄██▄████▄█▄  █████▀
  ██████████████████████████▀
    ██████████████████████▀
       ███████████████▀▀
.
.Duelbits.
.
..THE MOST REWARDING CASINO......
   ▄▄▄▄████▀███▄▄▄▄▄
▄███▄▀▄██▄   ▄██▄▀▄███▄
████▄█▄███▄█▄███▄█▄████
███████████████████████   ▄██▄
██     ██     ██     ██   ▀██▀
██ ▀▀█ ██ ▀▀█ ██ ▀▀█ ██    ██
██  █  ██  █  ██  █  ██
█▌  ██
██     ██     ██     ████  ██
█████████████████████████  ██
████████████████████████████▀
█████████████████████████
█████████████████████████
████████████████████████▌
       +4,000      
PROVABLY FAIR
GAMES
   $500,000  
MONTHLY
PRIZE POOL
      $10,000     
BLACKJACK
GIVEAWAY
njcarlos
Sr. Member
****
Offline Offline

Activity: 280
Merit: 250


View Profile
February 13, 2014, 08:15:44 PM
 #3

So, what happened to everyone spitting on Gox when they first blamed the protocol? Maybe I'm wrong but it seems like they've done quite the service for spotlighting this issue.
404notfound (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
February 13, 2014, 08:18:54 PM
 #4

I don't really think malleability problem got  the coins stolen. I think there was either some other exploit on the site or the admin stole them. He could then post the information of a vendor that caused him problems and it'd be win win for the admin.

Quote
So, what happened to everyone spitting on Gox when they first blamed the protocol? Maybe I'm wrong but it seems like they've done quite the service for spotlighting this issue.

Mtgox is the only exchange so far that would have double spent bitcoins due their poor wallet coding not waiting for confirmations before withdrawing users funds. Basically mtgox was withdrawing and depositing imaginary bitcoins.
Ibian
Legendary
*
Offline Offline

Activity: 2268
Merit: 1278



View Profile
February 13, 2014, 08:21:46 PM
 #5

The guys a fraud. This is not a vulnerability and probably not even a bug, it's just part of the protocol that certain kinds of people were too lazy/incompetent to account for and which scammers use to claim they "lost" coins they were holding. Non-issue.

Look inside yourself, and you will see that you are the bubble.
efarah2549
Member
**
Offline Offline

Activity: 98
Merit: 10


View Profile
February 13, 2014, 08:24:12 PM
 #6

Reminds me of Sheep Marketplace's initial reaction to their 'hack'
Dalmar
Hero Member
*****
Offline Offline

Activity: 1106
Merit: 500

Life is short, practice empathy in your life


View Profile
February 13, 2014, 08:24:16 PM
 #7

How many coins were roughly stolen? Any estimates? Retards might dump via market sell on exchange.


▄▄▄▄▄▄▄▄▄▄▄
▄▄████████████████▄
▄▄██████████████████████▄
 █████████████▀█████████████▄
▄█████████████▀ ▄█▀ ███████████
▄██████████      ▀▀  ████████████
▄█████████████   ▄▄▄   ▀▀██████████
█████████████▀   ████▄   ▀█████████▄
█████████████    ▀▀█▀▀   ▄██████████
████████████▀   ▄▄      ████████████
████████████   ▄████▄    ███████████
█████████      ██████    ██████████
█████████▄▄            ▄██████████
▀██████████  ██  ▄▄▄▄████████████
▀█████████▄▄█▄ ███████████████▀
▀██████████████████████████▀
▀█████████████████████▀
▀▀██████████████▀▀
▀▀▀▀▀▀▀

B i t c o i n t a l k   ▄▄▄▄▄

DONATION CAMPAIGN

                                     ▄
                                   ▄██
               ▄▄▄▄▄▄▄           ▄███
             ▄█████████▄        ████
▄▄▄         ▄████████████     ▄████▀
 ▀██▄▄      █████████████   ▄█████▀
  ▀█████▄   █████████████  ▄██████
    ▀█████▄  ███████████▀▄███████
     ▀██████▄▄▀▀██████▀ ████████▀
       ████████▄      ▄████████▀
        █████████▄  ▄██████████
         █████████████████████
          ████████████████████
          ███████████████████
          ███████████████████
          ██████████████▀▀▀
          ███████▀▀▀▀
          ▀▀▀▀

BE A HOPE
FOR A LIVABLE WORLD
▄▄▄█████████▄▄▄
▄▄███████████████████▄▄
▄▄█████████████████████████▄▄
▄███████████████████████████████▄
▄█████████████████████████████████▄
████████████▀▀▀▀▀██████▀▀▀▀██████████
███████████▀       ▀█▀       ▀█████████
███████████▀                    █████████
███████████                     █████████
█████████████                   ███████████
██████████████▄               ▄████████████
████████████████▄▄▄         ▄█▀▀   ████████
███████████▀▀     ▀▀█▄▄▄▄▄▄██     ▄████████
██████▀█▄                ▀▀▀█▄ ▄█████████
██████▄ █▄          ▄▄▄▄▄▄▄▀▀▄███████████
██████▄ ▀█                ▄████████████
██████▄  ██████▄▄▄    ▄██████████████
▀██████▄██████████████████████████▀
▀███████████████████████████████▀
▀▀█████████████████████████▀▀
▀▀███████████████████▀▀
▀▀▀█████████▀▀▀

ONE

little

HELP CHANGES
EVERYTHING

..DONATE..
404notfound (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
February 13, 2014, 08:26:24 PM
 #8

He said the wallet was completely drained so all of them. It's probably in the 1000s would be my guess.
Torque
Legendary
*
Offline Offline

Activity: 3738
Merit: 5337



View Profile
February 13, 2014, 08:26:59 PM
 #9

I agree, this guy is using FUD to rip people off.  So we're still thinking that bitcoin exchanges and their operators don't need to adhere to some level of oversight regulation and audit?   Roll Eyes
Hyena
Legendary
*
Offline Offline

Activity: 2114
Merit: 1015



View Profile WWW
February 13, 2014, 08:29:59 PM
 #10

wait a second - how the hell would this vulnerability allow withdrawing unlimited amount of bitcoins?

if you withdraw coins and dupe the TX with a wrong hash you are not getting double coins in any way and why would a marketplace then refund the customer? it doesn't make any sense.

if you deposit coins and dupe the TX with a wrong hash then you may see "unconfirmed" coins under your balance that will never get any confirmations.

explain me if I misunderstand anything here

★★★ CryptoGraffiti.info ★★★ Hidden Messages Found from the Block Chain (Thread)
traderCJ
Sr. Member
****
Offline Offline

Activity: 280
Merit: 250


View Profile
February 13, 2014, 08:32:30 PM
 #11

wait a second - how the hell would this vulnerability allow withdrawing unlimited amount of bitcoins?

if you withdraw coins and dupe the TX with a wrong hash you are not getting double coins in any way and why would a marketplace then refund the customer? it doesn't make any sense.

if you deposit coins and dupe the TX with a wrong hash then you may see "unconfirmed" coins under your balance that will never get any confirmations.

explain me if I misunderstand anything here

The guy could be a fraud.  Or the site was legitimately hacked.  Or .. there is another protocol weakness resulting in missing coins on exchanges/retailers that people are misattributing to tx malleability.
Rawted
Hero Member
*****
Offline Offline

Activity: 742
Merit: 500



View Profile
February 13, 2014, 08:32:47 PM
 #12

wait a second - how the hell would this vulnerability allow withdrawing unlimited amount of bitcoins?

if you withdraw coins and dupe the TX with a wrong hash you are not getting double coins in any way and why would a marketplace then refund the customer? it doesn't make any sense.

if you deposit coins and dupe the TX with a wrong hash then you may see "unconfirmed" coins under your balance that will never get any confirmations.

explain me if I misunderstand anything here
I'm guessing it happened with mutating the tx ids.

User requests withdrawal
Wallet sends funds, user mutates tx
wallet checks tx, cant find it, resends funds or credits user's account.
rinse/repeat

Just a guess, no clue how viable that really would be.
Ibian
Legendary
*
Offline Offline

Activity: 2268
Merit: 1278



View Profile
February 13, 2014, 08:32:57 PM
 #13

Most people are not tech savvy. They see "flaw in bitcoin!" in the news or hear it from their friends, and scammers like this SR guy use that as a pretext to steal peoples coins, hoping to get away with it.

Look inside yourself, and you will see that you are the bubble.
humanitee
Hero Member
*****
Offline Offline

Activity: 1302
Merit: 502



View Profile
February 13, 2014, 08:34:14 PM
 #14

wait a second - how the hell would this vulnerability allow withdrawing unlimited amount of bitcoins?

if you withdraw coins and dupe the TX with a wrong hash you are not getting double coins in any way and why would a marketplace then refund the customer? it doesn't make any sense.

if you deposit coins and dupe the TX with a wrong hash then you may see "unconfirmed" coins under your balance that will never get any confirmations.

explain me if I misunderstand anything here
I'm guessing it happened with mutating the tx ids.

User requests withdrawal
Wallet sends funds, user mutates tx
wallet checks tx, cant find it, resends funds or credits user's account.
rinse/repeat

Just a guess, no clue how viable that really would be.

This.

▄▄▄██████▄▄▄
▄███▀▀▀▀▀████▄▄ █▄▄
▄▄          ▀▀████▄  ██▄
█████▄            ▀█████  ██▄
▄█████████           ▀█████ ███▄
▄█████████▀▀           ▀█████ ███▄
▄███  █████             ▀█████ ████
███  █████                █████ ████
███ █████                  ████  ████
███ █████                ▄████  ████
███ █████                ███████████
▀██ █████▄                █████████
▀██ ██████▄                ▀█████
▀██ ███████                  ▀▀▀
▀██ ██████▄▄                 
▀██ ██████▄▄▄▄▄▄▄▄▄▄▄▄███▀
▀▀ █████████████████▀
▀▀▀██████▀▀▀▀

Fast, Secure, and Fully

DecentralizeTrading
BACKED BY:
─────────────────────────
BINANCE
─────── LAB
&█████████████████████████████████ █  ███
█▀    ▀█  ███▀▀▀▀▀████████  ████▀▀███▀ █
█  █████    ▄▄▄▄▄  █  ▀  █    ███  █  ██
█▄    ▀█  ██       █  ▄███  ██████   ███
█████  █  ██  ███  █  ████  ████  ▄  ███
█▄    ▄█▄  ▄█▄     ▀  ████▄  ▄█   ██  ██
████████████████████████████████████████


  Whitepaper
 Medium
Reddit
Mythul
Sr. Member
****
Offline Offline

Activity: 644
Merit: 250


View Profile
February 13, 2014, 08:36:24 PM
 #15

What if Mt.Gox also has no coins ? Maybe that guy just stole all the coins and wants to get out.
404notfound (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
February 13, 2014, 08:37:59 PM
 #16

wait a second - how the hell would this vulnerability allow withdrawing unlimited amount of bitcoins?

if you withdraw coins and dupe the TX with a wrong hash you are not getting double coins in any way and why would a marketplace then refund the customer? it doesn't make any sense.

if you deposit coins and dupe the TX with a wrong hash then you may see "unconfirmed" coins under your balance that will never get any confirmations.

explain me if I misunderstand anything here

It wouldn't. However in mtgox's case they had their wallet set to auto approve these requests and were just giving people bitcoins out of their hot wallet that they didn't own. Basically they were giving people attempting to fraud them other people's bitcoins.
BldSwtTrs
Legendary
*
Offline Offline

Activity: 861
Merit: 1010


View Profile
February 13, 2014, 08:40:08 PM
 #17

Reddit users speak about 88,000 coins. Seems serious money got hacked.

http://www.reddit.com/r/Bitcoin/comments/1xtv92/breaking_silk_road_2_hacked_over_88000_bitcoins/
njcarlos
Sr. Member
****
Offline Offline

Activity: 280
Merit: 250


View Profile
February 13, 2014, 08:40:43 PM
 #18

Wow...
Dalmar
Hero Member
*****
Offline Offline

Activity: 1106
Merit: 500

Life is short, practice empathy in your life


View Profile
February 13, 2014, 08:41:56 PM
 #19

Reddit users speak about 88000 coins. Seems serious money got hacked.

http://www.reddit.com/r/Bitcoin/comments/1xtv92/breaking_silk_road_2_hacked_over_88000_bitcoins/

Shocked

SELL ALL YOUR COINS PEOPLE


▄▄▄▄▄▄▄▄▄▄▄
▄▄████████████████▄
▄▄██████████████████████▄
 █████████████▀█████████████▄
▄█████████████▀ ▄█▀ ███████████
▄██████████      ▀▀  ████████████
▄█████████████   ▄▄▄   ▀▀██████████
█████████████▀   ████▄   ▀█████████▄
█████████████    ▀▀█▀▀   ▄██████████
████████████▀   ▄▄      ████████████
████████████   ▄████▄    ███████████
█████████      ██████    ██████████
█████████▄▄            ▄██████████
▀██████████  ██  ▄▄▄▄████████████
▀█████████▄▄█▄ ███████████████▀
▀██████████████████████████▀
▀█████████████████████▀
▀▀██████████████▀▀
▀▀▀▀▀▀▀

B i t c o i n t a l k   ▄▄▄▄▄

DONATION CAMPAIGN

                                     ▄
                                   ▄██
               ▄▄▄▄▄▄▄           ▄███
             ▄█████████▄        ████
▄▄▄         ▄████████████     ▄████▀
 ▀██▄▄      █████████████   ▄█████▀
  ▀█████▄   █████████████  ▄██████
    ▀█████▄  ███████████▀▄███████
     ▀██████▄▄▀▀██████▀ ████████▀
       ████████▄      ▄████████▀
        █████████▄  ▄██████████
         █████████████████████
          ████████████████████
          ███████████████████
          ███████████████████
          ██████████████▀▀▀
          ███████▀▀▀▀
          ▀▀▀▀

BE A HOPE
FOR A LIVABLE WORLD
▄▄▄█████████▄▄▄
▄▄███████████████████▄▄
▄▄█████████████████████████▄▄
▄███████████████████████████████▄
▄█████████████████████████████████▄
████████████▀▀▀▀▀██████▀▀▀▀██████████
███████████▀       ▀█▀       ▀█████████
███████████▀                    █████████
███████████                     █████████
█████████████                   ███████████
██████████████▄               ▄████████████
████████████████▄▄▄         ▄█▀▀   ████████
███████████▀▀     ▀▀█▄▄▄▄▄▄██     ▄████████
██████▀█▄                ▀▀▀█▄ ▄█████████
██████▄ █▄          ▄▄▄▄▄▄▄▀▀▄███████████
██████▄ ▀█                ▄████████████
██████▄  ██████▄▄▄    ▄██████████████
▀██████▄██████████████████████████▀
▀███████████████████████████████▀
▀▀█████████████████████████▀▀
▀▀███████████████████▀▀
▀▀▀█████████▀▀▀

ONE

little

HELP CHANGES
EVERYTHING

..DONATE..
chesthing
Legendary
*
Offline Offline

Activity: 1414
Merit: 1000


View Profile
February 13, 2014, 08:45:11 PM
 #20

Maybe it was Steve?
Pages: [1] 2 3 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!