Request: Bitwasp-using markets?

For an analysis of risk factors I'm working on, I'm including using Bitwasp as a factor. I'm having trouble finding a full list of black-markets which used Bitwasp and would appreciate mention of ones I've missed. So far, I believe the following used Bitwasp:

That still leaves as possibilities the rest of the marketplaces.

EDIT: adding to Bitwasp list:


Comments


[2 Points] the_avid:

It is impossible to understate just how poor BitWasp is. I black-box tested a DNM that I didn't know was running BitWasp and found an SQL Injection bug in around 5 minutes (around ~50 requests in).

It was only when someone else pointed out that it was running BitWasp that I then discovered this project and discovered that the source code contained this bug - and there were a lot of markets running the same code.

I scrubbed all reference to BitWasp, because I didn't want anybody else knowing there was a bug and then digging into the code and hacking live sites - but the bug became public via deepdotweb and the BitWasp developers did an interview where they emphasized that BitWasp is development software - not to be used on 'real' sites.

I emailed them right away to get in touch, emailed again on the 30th of March and then again (after getting an angry comment response here on reddit, not in email) on the 16th of April. Just sent another email today as another last-resort bug reporting attempt, still no reply.

I had heard about BitWasp at the time of discovering the bug but had never looked at the code because I didn't know how many sites were running it live. The problem is at the core of the code. With the first bug I found I went into the source code and found that the exact same thing was happening in two other parts of the code base. So that is 3 bugs, all found in ~20 minutes, all give you full access to the remote database, none have been fixed (nor email acknowledged).

Warning in short is: stay away, even with multisig and whatever else, stay away. A list of sites running BitWasp would be a useful tool for the community here as a list of sites that one should not use.

Can add that Agora does not use BitWasp, neither does SR2. If you know the framework that BitWasp uses and the problems it has you'd know that it can be simple to test if a market is either using BitWasp or using the same framework (which is a large part of the problem).
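
the_avid's comment describes one injection pattern repeated in three places of the code base, each giving full access to the database. The Python below is an added example (not BitWasp's code, and not the_avid's test) that shows the bug class on a constructed in-memory SQLite table, the parameterised fix beside it, and a small heuristic code-review check over a constructed PHP snippet that flags lines where SQL text is built by interpolating or concatenating variables, the kind of grep a maintainer would run to find every copy of the same pattern. The table contents, the user names and the PHP lines are all made up for the demo.

```python
import re
import sqlite3

# ---- Part 1: the bug class, on a constructed in-memory database ----

def build_db():
    """Constructed sample data; not taken from any market's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "vendor"), ("bob", "buyer"), ("carol", "admin")],
    )
    return conn

def find_user_vulnerable(conn, username):
    """The untrusted value is spliced into the SQL text, so quotes and
    operators inside it become part of the statement itself."""
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()

def find_user_safe(conn, username):
    """Parameterised query: the value travels separately from the statement
    and can only ever be compared as data, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def run_demo():
    """Run both lookups over three inputs and collect what each returns."""
    conn = build_db()
    results = {}
    for label, value in [("ordinary", "alice"),
                         ("apostrophe", "o'brien"),       # legitimate data containing a quote
                         ("tautology", "x' OR '1'='1")]:  # textbook structure change
        try:
            results["vuln_" + label] = find_user_vulnerable(conn, value)
        except sqlite3.OperationalError as exc:
            # The quote in ordinary data already corrupts the statement text.
            results["vuln_" + label] = "error: %s" % exc
        results["safe_" + label] = find_user_safe(conn, value)
    return results

# ---- Part 2: a heuristic review check for the same pattern in PHP source ----

SQL_KEYWORD = re.compile(r"(?i)\b(select|insert|update|delete)\b")
# One PHP string literal, double- or single-quoted, with backslash escapes.
PHP_STRING = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'')

def line_builds_sql_from_variables(line):
    """True if a string literal on the line holds SQL and either interpolates
    a $variable (double-quoted PHP) or is concatenated with one via ' . $'."""
    for m in PHP_STRING.finditer(line):
        literal = m.group(0)
        if not SQL_KEYWORD.search(literal):
            continue
        interpolated = literal.startswith('"') and "$" in literal
        concatenated = re.match(r"\s*\.\s*\$", line[m.end():]) is not None
        if interpolated or concatenated:
            return True
    return False

def flag_sql_concat_lines(source):
    """Return 1-based line numbers that build SQL from variables."""
    return [n for n, line in enumerate(source.splitlines(), start=1)
            if line_builds_sql_from_variables(line)]

# Constructed PHP sample for the check; this is not code from the BitWasp repository.
SAMPLE_PHP = """<?php
// Constructed sample for the demo; this is not code from the BitWasp repository.
$id   = $this->input->get('id');
$name = $this->input->post('name');
$a = $this->db->query("SELECT * FROM items WHERE id = '" . $id . "'");
$b = $this->db->query("SELECT * FROM users WHERE name = '$name'");
$c = $this->db->query('DELETE FROM carts WHERE user = ' . $id);
$d = $this->db->query("SELECT * FROM orders WHERE id = ?", array($id));
$e = $this->db->where('id', $id)->get('orders');
"""

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
    print("lines building SQL from variables:", flag_sql_concat_lines(SAMPLE_PHP))
```

The review check is a line-level heuristic, not a parser: it will miss a query assembled across several statements and will not judge whether a framework helper escapes its arguments, so its output is a list of places to read, not a verdict. The useful property it does have is the one the comment points at: once one instance of the pattern is known, every other copy in the tree shows up in one pass.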


[2 Points] gwern:

I asked DeepDotWeb as well, and he suggested Tormarket and Underground Market.


[1 Points] sharpshooter789:

I don't think BMR or Atlantis used Bitwasp. I don't even think it was around then. I don't think Sheep used it either, for the same reason, I'm just less certain.


[1 Points] doublemintt:

Blue Sky is good to go?


[1 Points] messwidme:

I can confirm on the ones you already have.

Hydra, Evolution, Tor Bazaar, Underground MP, Red Sun, Hansa, FloMarket, Mr.NG, DodgeRoad, TorMarket

BW being an open-source project, it's bound to be used more than any other code, with DNMs forking their own code from it, but at least development is in the right direction with integration of multi-sig and PGP encryption of user data, orders etc. Even BMR was built around source code downloaded from phpcoin.

IMO though, I think I'd rather have you research how much safer standard escrow markets are compared with those using multi-sig. SE markets time and again have pulled a Sheep, and these markets deserve to have a warning next to them, as at any point in time they could potentially scam all their users out of their coins.


[0 Points] avoid_bitwasp:

I went ONLY to the markets listed on the right side bar of this reddit as of today plus 1776 and Pigeon markets, to verify who is using Bitwasp.

As an initial verification you may just look for CodeIgniter tokens in the HTML source code. CodeIgniter is a third-party framework that is used by Bitwasp and represents a high security risk by itself, as it is a COMMERCIAL PRODUCT FROM AN AMERICAN COMPANY.

Sometimes the market site is modified so that it does not match Bitwasp exactly, so you may have to dig deeper in the investigation whether or not you find CodeIgniter.

Here is the list of those I could make sure are using Bitwasp:

The following sites could not be verified because they were offline: