The newest incarnation of the Silk Road website has been hacked. Due to a flaw in the Bitcoin protocol, the site was robbed of 4,400 bitcoins, or roughly $2.6 million. Defcon, an anonymous administrator for Silk Road, broke the news and said that the heist was made possible by “transaction malleability” in the Bitcoin protocol:
Nobody is in danger, no information has been leaked, and server access was never obtained by the attacker.
Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as “transaction malleability” to repeatedly withdraw coins from our system until it was completely empty.
Despite our hardening and pentesting procedures, this attack vector was outside of penetration testing scope due to being rooted in the Bitcoin protocol itself.
But before we deem Bitcoin unsafe, we should note that security researcher Nicholas Weaver says this isn’t necessarily a flaw or a bug. It’s actually a feature:
“It’s the accounting system that effectively has a bug in it. Part of the reason that the transaction ID is not protected by the signature is so I could say pay 100 bitcoins to this address, and other people can add in. That’s the reason why transaction IDs are not cryptographically protected. It is a feature, not necessarily a bug.”
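Weaver’s point, as an added toy model that is not from the article or from any Bitcoin code: the signature commits to the inputs and outputs but cannot cover its own encoding, so the transaction ID, which hashes the whole transaction, can change while the transaction stays valid. An accounting system that matches withdrawals by txid then believes its payment never went out, while one that matches on the coins actually spent does not. Field names, the JSON serialization and the “alternative encoding” stand-in are assumptions.

```python
import hashlib
import json

# Toy model (added example): field names and JSON serialization are assumptions, not
# Bitcoin's wire format. It isolates which fields the txid hash covers vs. the signature.

def sha256d(data: bytes) -> str:
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

def sighash(tx: dict) -> str:
    """What the signer commits to: inputs spent and outputs paid; the witness field is excluded."""
    core = {"inputs": tx["inputs"], "outputs": tx["outputs"]}
    return sha256d(json.dumps(core, sort_keys=True).encode())

def txid(tx: dict) -> str:
    """Pre-SegWit style transaction ID: hash over the whole transaction, signature encoding included."""
    return sha256d(json.dumps(tx, sort_keys=True).encode())

def verify(tx: dict) -> bool:
    # Stand-in for signature verification: the witness must match the signed data.
    return tx["witness"]["sig"] == sighash(tx)

def malleate(tx: dict) -> dict:
    """Re-wrap the signature without touching what it proves: still valid, but a new txid."""
    variant = json.loads(json.dumps(tx))
    variant["witness"]["encoding"] = "alternative"  # only the wrapping changes
    return variant

def settled_by_txid(sent: dict, confirmed: list) -> bool:
    """Fragile accounting: the withdrawal is 'done' only if our exact txid confirmed."""
    return txid(sent) in {txid(c) for c in confirmed}

def settled_by_inputs(sent: dict, confirmed: list) -> bool:
    """Robust accounting: the withdrawal is done once the coins it spends are gone, whatever the txid."""
    spent = {tuple(i) for c in confirmed for i in c["inputs"]}
    return all(tuple(i) in spent for i in sent["inputs"])

def demo() -> dict:
    # Constructed withdrawal: spend output 0 of a made-up earlier transaction.
    tx = {"inputs": [["prev_txid_placeholder", 0]], "outputs": [["customer_addr", 5.0]], "witness": {}}
    tx["witness"] = {"sig": sighash(tx), "encoding": "canonical"}
    confirmed = [malleate(tx)]  # the network confirmed the re-encoded variant, not ours
    return {
        "both_valid": verify(tx) and verify(confirmed[0]),
        "txid_changed": txid(tx) != txid(confirmed[0]),
        "txid_tracker_resends": not settled_by_txid(tx, confirmed),
        "input_tracker_settled": settled_by_inputs(tx, confirmed),
    }
```

Run `demo()`: the txid-keyed tracker reports the withdrawal as unsent and would pay again, the input-keyed tracker sees the coins as spent.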
Bug or not, Silk Road has implemented new security measures to prevent this from happening again. The downside is that transactions will become more difficult, and because the site has given up on holding funds in escrow, payments between buyer and seller may be much easier to track.
[via Ars Technica, The Verge, image via Antana]