For an analysis of risk factors I'm working on, I'm including the use of Bitwasp as a factor. I'm having trouble finding a full list of black markets which used Bitwasp and would appreciate mention of any I've missed. So far, I believe the following used Bitwasp:
- Doge Road
- EXXTACY
- FloMarket
- Mr Nice Guy
- Red Sun
- Tor Bazaar
That still leaves the rest of the marketplaces as possibilities.

EDIT: adding to the Bitwasp list:
- Hansa
- Underground Marketplace
It is impossible to understate just how poor BitWasp is. I black-box tested a DNM that I didn't know was running BitWasp and found an SQL injection bug in around 5 minutes (roughly 50 requests in).

It was only when someone else pointed out that it was running BitWasp that I discovered this project and found that the source code contained this bug - and there were a lot of markets running the same code.

I scrubbed all references to BitWasp, because I didn't want anybody else knowing there was a bug and then digging into the code and hacking live sites - but the bug became public via deepdotweb, and the BitWasp developers did an interview where they emphasized that BitWasp is development software - not to be used on 'real' sites.
I emailed them right away to get in touch, emailed again on the 30th of March and then again (after getting an angry comment response here on reddit, not in email) on the 16th of April. Just sent another email today as another last-resort bug reporting attempt, still no reply.
I had heard about BitWasp at the time of discovering the bug but had never looked at the code because I didn't know how many sites were running it live. The problem is at the core of the code. With the first bug I found, I went into the source code and found that the exact same thing was happening in two other parts of the code base. So that is 3 bugs, all found in ~20 minutes, all giving you full access to the remote database, none fixed (nor any email acknowledged).

The warning, in short, is: stay away, even with multisig and whatever else, stay away. A list of sites running BitWasp would be a useful tool for the community here as a list of sites that one should not use.

I can add that Agora does not use BitWasp, nor does SR2. If you know the framework that BitWasp uses and the problems it has, you'd know that it can be simple to test whether a market is either using BitWasp or using the same framework (which is a large part of the problem).