Hi, I'm link and my day job is in software development. I have been a member of this sub for quite a few years, but this is my new account solely for disclosing vulnerabilities with the markets.
I wanted to make a post to warn the community about one of the new markets about to be added to the Superlist: Horizon Market.
The main and most damaging bug I found enables the attacker to fill up their market account to any bitcoin amount chosen. They can then just use the normal withdraw feature on the market to withdraw all the bitcoin left in the market's wallets to their chosen bitcoin address. I'm not going to detail the bug any more than that because the market has still failed to fix it; once they have fixed it, I will make another post detailing the method. This bug took perhaps 1-2 hours to find.
Proof:
I have talked with the mods and I verified it with /u/wombat2combat. I also have a screenshot here. That is 126.016 BTC for the 126,016 subscribers (at time of writing) to /r/darknetmarkets.
I would like to produce proof to any user interested, but giving bitcoin away that is not mine seems like a bad idea so instead I will only provide a screenshot.
Why did it happen?:
I would put it up to poor programming knowledge. The bug should not have even made it into the software. It should have been identified during the design. Even if someone forgot to point out this obvious fault in the algorithm, it would have been easily caught during testing. I have a formal education in computer science and this is taught very early (age 13-16 in my area).
In my opinion, the overall design of the market, with one central pool of bitcoin and each user only having a number in a database, is not the best (calling you out, alphabay/dream). If an attacker hijacks any part of the market's bitcoin deposit/withdrawal system, they can easily take all the bitcoin. If you're going with the central escrow style of market, please code it so each user has a separate bitcoin wallet. Then when it gets hacked, they can only withdraw their amount of bitcoin (unless they are able to move the bitcoin internally within the market).
More faults with the market:
The market itself is a mine field of bugs:
- Tickets do not work. At all.
- You cannot send messages on the market with PGP because it takes out the lines, making it unreadable for GPG.
- All the amounts on the order page are confused.
- All the images on the market are exposed publicly (no login required), making a DDoS attack very easy.
- No bitcoin addresses are verified (very easy with Bitcoin addresses; there is a built-in checksum like credit cards have).
- Not so much a bug, but none of the multisig information is displayed anywhere on the order page.
- Many more simple bugs I cannot be bothered to list/remember.
tl;dr
Bug on new market 'Horizon' leads to an attacker being able to steal all of the market's bitcoin reserve, leading to users/vendors not being able to withdraw.