OFFICIAL SECURITY BLOG
February 14, 2014 | BY Adam Kujawa
At least that is what the SR2 staff claims.
The news broke on Deep Dot Web yesterday with a copy of a forum post by the SR2 staff, informing their users that due to a “bug” in the Bitcoin protocol, attackers have managed to extract all of the funds from the sites escrow service.
An escrow service acts as a mediator between two parties making a financial transaction and is meant to ensure no one loses their funds due to a scam.
In the case of Bitcoin, when two parties want to trade, the seller sends the goods to the buyer and the buyer sends their payment to the escrow service directly, once the goods have been received and identified as legitimate by the buyer, the service releases the funds to the seller. However, while the buyer is waiting for their goods, their Bitcoins are in limbo and “technically” belong to the escrow service.
In the case where the buyer isn’t pleased with the service from the seller or if the goods were never received, they can get a refund from the escrow service, something that would not be ensured with a direct buy/sell agreement between the buyer and seller.
The staff at SR2 claimed that because of a “bug” in the Bitcoin protocol known as Transaction Malleability, a rogue vendor was able to withdraw massive amounts of BTC from the escrow service wallet.
In reality, Transaction Malleability is not failure in the Bitcoin protocol but rather the implementation of “refunds” to users coded into whatever digital wallet software the escrow service uses.
Simply put, while in the real world if a person were to approach a customer service desk with a receipt claiming that they had paid $200 for $20 shoes, the employee working the desk would check the transaction on the receipt with the internal transaction records of the establishment to ensure the purchase was legitimate.
Unfortunately for a lot of Bitcoin exchanges, checking internal records is not common place. The attack is done by requesting a withdrawal from a users online wallet and then sending back a request to the exchange or escrow that the coins had not been sent.
Usually this kind of request would be dealt with by real people , however in this case the software would automatically re-send the coins again and again and again, as many times as the attacker wanted to ask for a refund. This being done without any additional confirmation required from the complainant or from Bitcoinsblockchain that would confirm whether or not the funds had been sent.
This same kind of attack happened to the popular Bitcoin exchange MTGox earlier this week.
While the attack was described in some detail by the SR2 staff, there appears to be a few holes in their story and it isn’t selling to a large portion of users who think the attack was an inside job.
Certainly one could debate all day long any kind of hidden meaning behind the staff’s message to their users and it’s legitimacy but one thing is for sure, there would need to be a SERIOUS flaw in the SR2 escrow system to allow a flaw like Transaction Malleability to steal all of the Bitcoins.
Deep Dot Web themselves have announced that after covering the story, it’s becoming more clear to them that this ‘hack’ was in fact an inside job and that the staff of SR2 scammed their users.
In addition, they have gone to the effort of posting a very likely malicious scenario occurring in the underground marketplaces concerning possible ‘big’ vendors working together with marketplace owners to steal and scam from unsuspecting users and while not proven is certainly worth the read.
At the end of the day, this is just an additional lesson about security with online currency. If a user gives their patronage to underground illegal marketplaces to make deals with criminals, there should be a fair amount of expectation that you might get scammed. In this case it isn’t just the sellers you need to worry about but also the people running the marketplace itself.
Concerns about digital wallets, exchanges and escrow aside, there are a few services out there that are not being hurt by the transaction flaw, one them happens to be our third-party Bitcoin partner, CoinBase, so if you are using them consider yourself safe. Otherwise you could always store your coins locally and interact with trusted merchants.
Thanks for reading! Safe surfing and don’t forget to be awesome!