Silk Road 2 moderator Defcon reported in a forum post that hackers have used a transaction malleability exploit to hack the marketplace. The hackers stole over
88,000 4474.26 bitcoins worth $2,747,000, emptying the site’s escrow account.
UPDATE – Fixed estimate.
The site used a central escrow service to send bitcoins from buyers to sellers. The hackers exploited the transaction malleability bug – essentially a way users can mask transfers and ask for the same amount of BTC multiple times – to clean out this wallet. This is the same bug that forced Mt. Gox to halt all withdrawals and recent updates have made average bitcoin wallets secure against this sort of attack. According to the site, hackers used the Silk Road’s automatic transaction verification system to order from each other and then request refunds for unshipped goods. Hackers were able to use the transaction malleability bug because the Silk Road used only transaction ID to confirm the transfer of bitcoins. You can read more about the problem here.
They supposedly run an automated refund system for their vendors that relies on the TXID to verify transactions. Their claim is that six vendors colluded to exploit that system by ordering from one another and then submitting circular refund requests.
Defcon is calling on the hackers to return the bitcoin. “Given the right flavor of influence from our community, we can only hope that he will decide to return the coins with integrity as opposed to hiding like a coward,” the moderator wrote.
The site’s users are currently attempting to track down the thief. Writes Defcon:
News of the theft has driven the price of BTC down by about 50 points and it’s currently hovering at 600. We’ll post more information on the hack and the exploit as we get it. Defcon, for his part, is calling for further decentralization of online markets and currency.
“No marketplace is perfect. Expect any centralized market to fail at some point. This is precisely why we must unite in the decision to decentralize,” he wrote.