Interview With Bitwasp Founder & Developer – Security, DarkNetMarkets & Future Development
Posted by: DeepDotWeb
March 25, 2014
Following all the marketplaces that got hacked, and the fact that many of them were based on the Bitwasp software, we were very happy when the founder of Bitwasp contacted us and offered to answer some questions regarding Bitwasp, DarkNet uses, security, and the latest and future developments of the Bitwasp market software. We have spoken to the Bitwasp team:
Cameron Ruggles as Founder
Thomas Kerin as Developer
Harris Kalash as the UI designer
If you feel like helping the Bitwasp project and contributing to the future development of better marketplaces, you can donate to this bitcoin address: 19EkDTAaGWySZv1QsWxyWwYMZpo7jpvPYe
The developer is working full time on this project, is unemployed and is living off donations, so he would really appreciate them!
You can find more information here: http://bitwasp.co/
So, What can you tell us about the new finished, but beta version of Bitwasp?
Thomas: Our major milestone will be publishing a full version of the Bitwasp code running multisig. Multisig will remove the trust users need to have in the site operator, and at each step of making payment and signing, the user has all the information they need to make an informed decision before proceeding. Users will never pay to an address that one party has control over, meaning less exposure for operators setting up a site. No one wants to be responsible for losing coin, as there’s often little recourse. But with multisig, even if the site experiences downtime, once buyers and sellers can communicate on another channel they can recover the funds.
Multisig, or P2SH addresses, have been supported since 2012, so it’s insane that there isn’t more support for it. Bitwasp will be one of the first few sites to implement multisig, let alone publish all the code behind it.
The code itself has effectively been implemented behind the scenes; however, a lot of work remains before it’s finalized and ready to be published. The software still needs a lot of work, but most of the ground work is done.
But this release will see a huge change – no live wallet, or notion of ‘user balances’. An admin configures an electrum master public key to create public keys/addresses, vendors upload a list of them, buyers enter them on a per-order basis. The order process essentially guides users through the steps of a multisignature transaction.
Once buyers pay to the multisig address, an unsigned transaction is created which pays the vendor and the operator’s fee. In an up-front payment, the buyer must sign the transaction immediately after paying, and the vendor signs and broadcasts to indicate they’ve dispatched. In an escrow order, after payment is made, vendors would sign to indicate dispatch, and the buyer signs and broadcasts once they receive the goods. Otherwise a dispute is made, and the admin will talk it out with the buyer/seller. A new transaction is created by the admin when an acceptable solution is found. Recently a feedback system was built in, to further assist trustless transacting.
The effort of creating public keys in advance is something that I’d love to change, but I don’t think it’s reasonable to ask everyone for an Electrum MPK. Support for BIP32 extended public keys ( M/k’ ) to automate this for all users is another milestone in the future – with this, users could enter their extended key, allowing Bitwasp to generate public keys/addresses for multisig keys/receiving money, but ultimately it means keys are all deterministically derived from one single seed.
Here is a gallery showing the process of placing an order using the new multisig:
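The 2-of-3 flow described above, as an added illustration that is not Bitwasp’s own code: it serializes the CHECKMULTISIG redeem script whose hash160 becomes the P2SH payment address, and enforces the per-order-type signing order the answer lays out. The three public keys are constructed placeholders; the dispute path (a fresh transaction the admin co-signs with one party) is not modelled.

```python
# Constructed compressed public keys standing in for the buyer, the vendor
# and the site operator (hypothetical values, not real keys).
BUYER_PK = bytes.fromhex("02" + "11" * 32)
VENDOR_PK = bytes.fromhex("02" + "22" * 32)
ADMIN_PK = bytes.fromhex("03" + "33" * 32)

OP_1, OP_CHECKMULTISIG = 0x51, 0xAE  # OP_2 = 0x52, OP_3 = 0x53


def push(data: bytes) -> bytes:
    """Direct-push opcode: a length byte (1..75) followed by the data."""
    if not 0 < len(data) <= 75:
        raise ValueError("push size out of range")
    return bytes([len(data)]) + data


def redeem_script(pubkeys, m=2) -> bytes:
    """Serialize an m-of-n CHECKMULTISIG redeem script (n = len(pubkeys)).
    Key order is part of the script, so every party must agree on it; its
    hash160 is what the buyer pays to as a P2SH address. No single key
    satisfies the script, which is the 'no one party controls the funds'
    property the interview relies on."""
    n = len(pubkeys)
    if not 1 <= m <= n <= 16:
        raise ValueError("invalid m-of-n")
    body = b"".join(push(pk) for pk in pubkeys)
    return bytes([OP_1 + m - 1]) + body + bytes([OP_1 + n - 1, OP_CHECKMULTISIG])


# Signing order for each order type as described in the interview. Any 2 of
# 3 keys satisfy the script on-chain; the site's workflow fixes who signs when.
SIGNING_ORDER = {
    "upfront": ("buyer", "vendor"),  # buyer signs after paying; vendor signs and broadcasts on dispatch
    "escrow": ("vendor", "buyer"),   # vendor signs on dispatch; buyer signs and broadcasts on receipt
}


def payout_status(order_type: str, signatures: list) -> str:
    """'broadcast' once both prescribed signers have signed in order,
    'pending' while waiting; out-of-turn or extra signers are rejected so
    the site never hands a half-signed transaction to the wrong party."""
    expected = SIGNING_ORDER[order_type]
    for got, want in zip(signatures, expected):
        if got != want:
            raise ValueError(f"{got} signed out of turn, expected {want}")
    if len(signatures) > len(expected):
        raise ValueError("more signatures than the workflow allows")
    return "broadcast" if len(signatures) == len(expected) else "pending"
```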
How large is the community around Bitwasp and how do you reach a broader audience? (As we know, with open source this is the most important factor when it comes to development.)
Cameron: It’s difficult to say. We only recently found out that over 10 Darknet Bitwasp marketplaces have been set up. I’d say it is pretty large considering we haven’t done much promotion, yet our Facebook page has over 400 likes – and considering what appears to be the main interest, most people wouldn’t like such a page with their Facebook account. Additionally, 140 members are on our forum. That isn’t a lot, but it is a decent number considering the incredibly small amount of advertising we’ve done. I suspect it will easily grow orders of magnitude larger once we release a finished product, even if it is in alpha or beta, and also have our Bitwasp.co site launched.
Thomas: The forums usually see new people coming and going, with a few faces hanging around for longer.
Is there some business plan behind it, or will it stay completely free and open source?
Cameron: We are planning on launching our own marketplace at Bitwasp.co and hope to see apps for Bitwasp being sold, alongside various other legal items. We will also be selling items on our site as well. Hopefully it will become the next well known legal bitcoin marketplace.
Do you consider the use of the current version as reckless and disappointing behavior?
Thomas: Bitwasp is highly experimental software, and it should be regarded that any Bitwasp implementation running a live wallet is taking unnecessary risks with user funds. We have never made an alpha release, and typically the only change to the software in sites we’ve seen is that they remove the ‘NOT IN PRODUCTION, USE ONLY ON TESTNET’ notice. Until http://test.bit-wasp.org no longer has this banner, people shouldn’t trust them.
Will you offer bounties for discovering exploits?
Cameron: Since protecting security and privacy while facilitating transactions is our primary goal, it is important that people are motivated to audit our software and report these bugs and exploits to us so they can be fixed.
The best way to motivate people is money. So we will be rewarding the person who finds the most exploits and other issues with 3 bitcoins. The winner will be determined by a point system; whoever has the most points wins. Exploits that can take bitcoins from the site or the users are worth 3 points, exploits that can access the database and read messages or other data provided by users are worth 2 points, and any other general bugs or exploits that don’t really jeopardize privacy, security or bitcoins are worth 1 point. This contest will be held after our first release and go for a month.
Will you have all these SQL injection issues sorted in the new version? How come they are not sorted till now?
Cameron: Give us more info on this SQL injections… what have you heard about them? We’ve gotten little to no feedback in this area as far as I know.
I don’t know much about them, only that they exist. I have reached out to a couple of the security guys who have experience with Bitwasp injections and offered that they will contact you. But here is one example taken from a previously published post about security exploits:
Thomas: Hard to say without details. Most likely an error in the items by categories / locations pages. I’ve noticed that most of the ‘hacked’ accusations take place on reddit; little technical detail is ever given.
Do you get the input from all the hacked markets (I mean on the technical level) about stuff that needs to be fixed?
Cameron: No. I think the only one where we even knew how it got hacked was FloMarket, and it was an issue we had already known about.
Can you elaborate on how FloMarket got hacked, technically? Assuming it’s fixed now. (We are still happy to know it was hacked and not a scam, and that the admin was telling the truth in the interview we have done with him.)
Cameron: This question needs to be answered by the developer (http://bit-wasp.org/index.php?topic=28.90), but in the next version it is fixed because we’ve entirely changed the way transactions are processed via 2/3 multisignature transactions. This way private keys or bitcoins are never held by the Bitwasp site admins or on the servers.
Thomas: In the copy of Bitwasp that Flole used, there was an issue whereby when orders were being added to the database, if the bitcoin amount was out of range (say, 0.0001 satoshis), a value like 99 would be entered. It was a subtle type error with disastrous consequences, as obviously if this order was cancelled, the buyer would be credited with 99BTC. Or that’s what we believe. This has been fixed now, since refactoring the order system around multisig. FloMarket was really a sign of how the future would go if Bitwasp didn’t remove live wallets.
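The class of bug Thomas describes is an amount that is not representable as a whole number of satoshis being silently turned into some other value before it reaches the database. The validator below is an added example of the defensive alternative, written here for this article rather than taken from Bitwasp: it parses a user-supplied BTC string with exact decimal arithmetic and rejects, rather than coerces, anything out of range, so a cancelled order can only ever be credited with the amount that was actually validated.

```python
from decimal import Decimal, InvalidOperation

SATOSHIS_PER_BTC = 100_000_000
MAX_SATOSHIS = 21_000_000 * SATOSHIS_PER_BTC  # total supply cap


class InvalidAmount(ValueError):
    """Raised for any amount that must not reach the database."""


def btc_to_satoshis(text: str) -> int:
    """Parse a user-supplied BTC string into an exact integer satoshi count.

    Decimal (not float) keeps the arithmetic exact, and every rejection is an
    exception: there is no rounding and no fallback value, so an out-of-range
    input can never be stored as a different, larger amount.
    """
    try:
        amount = Decimal(str(text).strip())
    except InvalidOperation:
        raise InvalidAmount(f"not a decimal number: {text!r}")
    if not amount.is_finite():  # rejects NaN/Infinity before any comparison
        raise InvalidAmount("amount must be finite")
    if amount <= 0:
        raise InvalidAmount("amount must be positive")
    sats = amount * SATOSHIS_PER_BTC
    if sats != sats.to_integral_value():
        # e.g. "0.000000001" BTC is 0.1 satoshi: not representable, reject it
        # instead of letting a later int() or DB cast pick a value for us.
        raise InvalidAmount(f"{text!r} is not a whole number of satoshis")
    sats = int(sats)
    if sats > MAX_SATOSHIS:
        raise InvalidAmount("amount exceeds total supply")
    return sats


def order_row(order_id: int, amount_text: str) -> dict:
    """Build the row to persist. The amount column holds validated integer
    satoshis; the original text is never stored or re-parsed for refunds."""
    return {"order_id": order_id, "amount_sat": btc_to_satoshis(amount_text)}
```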
Have you seen any markets nowadays that are based on Bitwasp that you can say are secure?
Cameron: Nope, but we haven’t really looked. We didn’t even realize very many people were using our clearly unfinished software. The longest lasting seems to be Tor Bazaar but we’re not sure about that either.
What do you think / feel About DarknetMarkets operators using your software?
Cameron: It’s exciting and comical. It is also unfortunate that they used the unfinished software for live marketplaces and with real bitcoins. We clearly say that it is not finished, is still being developed and is to be used on testnet only. Unfortunately some have falsely claimed to have fixed issues, which led to people losing their money or privacy. While it doesn’t seem very profitable or logical to launch a darknet marketplace, and we’re not at all condoning doing so, we are happy to see that there is interest in the software and that many people are enthusiastic about what we’re doing.
Do you have any general advice for Bitwasp operators?
Thomas: Much of the barrier of entry to any company considering working with bitcoin is they simply can’t all afford to hire someone to code the system, but Bitwasp has lots of libraries, suited to make developing with it really easy, in Bitwasp or other projects. We’re really hoping it will inspire some inventive new businesses.
Cameron: Consider getting creative with our software. Don’t forget that things such as Airbnb, cryptocurrency exchanges, freelance sites, and Lyft are all technically just marketplaces. Why not make it into a freelance site, or embrace the First-sale doctrine and have a site that sells incredibly cheap digital files? I feel like such things would get far more attention and
Do you have any advice for DarkNet Marketplace operators running Bitwasp?
Cameron: Do not do it. It is not worth it. It isn’t going to be profitable to launch a dark net marketplace because the barrier to entry is incredibly low (the cost of hosting + setup time of the free software?) and the risk of going to prison if you slip up is just as high. It takes a lot to stay truly hidden in this networked world, and law enforcement only has to be lucky once before you find yourself in serious trouble. Launching a unique clearnet marketplace would be far more profitable and less dangerous.
What kind of issues have you faced during development?
Thomas: This copy of Bitwasp has been in development since August 2013. We started before, but due to commitments like college, etc., it was hard for the project to proceed at a fast pace. Since August, however, we have covered a lot of ground. Since then, the developer took a job elsewhere, before quitting to devote his full time to the project last February. It’s taken a lot of work to get this far, and we’re trying to do something great. We have received donations to date which the dev is currently living off, so if anyone is happy about what we’re doing, and can afford to give a little to keep us going, please donate! It’s not just Thomas; we have paid out bounties in the past (2.7BTC for someone who helped us fix low entropy private keys (guess we won’t need that now with multisig.. but glad he helped!), and 2BTC for Harris Kalash, who is working on a new layout for Bitwasp to work on all devices), as well as to someone for finding an issue in our code’s session management.
Are there other announcements you want to make?
Cameron: Bitwasp.co — launching soon, submit your email for an update!
Thomas: We’d ask everyone to weigh in on what we’re doing, and the features we’re offering. We’re hoping that Bitwasp can lower the barrier of entry to taking part in bitcoin ecommerce, as a buyer or seller, in a secure way. The unbanked population, and also those in countries with strict financial control face difficulties getting involved in ecommerce, and Bitwasp is making it possible to do it all with a webserver and the satoshi client. Any suggestions, feedback on what we’ve done, or features you’d like to see as a buyer/seller, please drop us a line on our forums: http://bit-wasp.org
If anyone wants to join the Bitwasp community / help / donate / develop how can he contact you?
Cameron: To stay updated on the open source project, join the Bitwasp forum (the developer’s PGP key is there): http://bit-wasp.org
But if you’d just like to join our Clearnet site (Bitmit alternative) when we launch, submit your email here: http://Bitwasp.co
For donations go to: http://test.bit-wasp.org/
Bitcoin address: 19EkDTAaGWySZv1QsWxyWwYMZpo7jpvPYe
Since the developer is working full time on this project, is unemployed and is living off donations, we would really appreciate them. We have been rewarding, and intend to keep rewarding, people who find exploits.
We want to thank the Bitwasp team for taking the time to answer our questions, and we wish them good luck with future development! At the same time, we hope that the message of this interview will reach the people who are planning to start another marketplace using the current Bitwasp version.
Updated: 2014-03-25