Preventing the Next Multi-Million Dollar Bitcoin Theft


The following article was written by Nadav Ivgi, Founder of Bitrated, and is published here with his permission.

This week, a huge story broke about yet another “underground” marketplace that ran away with all user funds in escrow. Evolution, one of the biggest underground marketplaces, has now shut down after their admins pulled off one of the biggest heists to date – currently estimated between 40,000 BTC and 130,000 BTC (12 to 35 million USD).

This is not the first time this has happened and unfortunately it probably won’t be the last, unless the Bitcoin community establishes (and enforces) more secure payment methods that don’t involve trusting centralized entities to hold large sums of money in escrow.

But all is not lost. A solution has existed in the Bitcoin scripting language for quite some time now, in the form of arbitration contracts based on 2-of-3 multi-signature transactions. Multi-signature was standardized as BIP 11 back in 2011, with one of the early references to the potential usage for arbitration contracts made by Mike Hearn at his Bitcoin London 2012 presentation.

With multi-signature, a trusted third party can be nominated by the buyer and seller, giving him the authority to resolve disputes and decide which party is right and should receive funds in case of dispute. The third party arbitrator does not hold funds in escrow and does not control them, and therefore cannot “run away” with them either.

And yet, despite repeating incidents that have shown the weaknesses of escrow, these solutions are still not widely used. The majority of marketplaces today (both “hidden” and “clear-web” ones) still rely on a standard centralized escrow, or on direct buyer to seller payments that provide no buyer protection at all.

Fortunately, Bitrated is here to change that.

Bitrated is a trust platform for the Bitcoin ecosystem. Originally launched at the end of 2013, it utilizes a payment system that facilitates the creation of 2-of-3 multi-signature contracts for the purpose of third-party arbitration, as well as a marketplace for arbitrators that wish to offer their services in exchange for fees.

Bitrated, was recently re-launched as Bitrated v2, a completely new codebase rewritten from the ground up to replace the old system, with a strong focus on ‘reputation’ as the foundation of the system, as well as improved usability and user experience.

Bitrated builds a layer of trust on top of Bitcoin and blockchain technology, using three primary components:

  1. Payment system – Providing consumer protection and recourse for Bitcoin payments, by leveraging multi-signature transactions. This gives users peace of mind with their transactions, knowing that they can appeal to a trusted entity in case of dispute – but without running the risk that the trusted party would run away with the funds.
  2. Reputation management system – A system that allows individuals and companies to build their online reputation and check the credibility of others, based on ratings, a web-of-trust network, and by extracting metrics from the user’s online persona. Identities on Bitrated can remain pseudonymous, or, as an opt-in, attached to a real-world identity.
  3. Trust marketplace – A marketplace for arbitration services where trust agents can compete for customers by providing quality dispute resolution services, utilizing their domain expertise, building a reputation and offering competitive fees.

The aim of Bitrated is to provide an infrastructure-level platform for other services, like marketplaces, wallets and exchanges, to build on top of. Our API is currently partially available, with more features due to be rolled out in the coming months. We’re currently gathering use-cases and requirements from API partners – if you want to help us design APIs that match your specific needs, please don’t hesitate to contact us.

One of the primary design goals for the Bitrated v2 system is to make it as trustless as possible. While it is operated as a web service, everything is backed by public-key cryptography. Each identity is represented by a public key, which is used to sign statements and actions made by the user, such as contracts, ratings and profile data. This means that even Bitrated itself cannot post ratings on behalf of users, or claim that they agreed to a contract that they didn’t agree to.

Needless to say, all private keys and cryptographic operations are managed using client-side technology. Private keys never touch our servers, not even in encrypted form. Bitrated cannot touch user funds, sign transactions or intervene in the arbitrator’s decision. You can read more about our security on the security page. If you’re a security researcher, we welcome security audits and offer a bug bounty program.

Bitrated just re-launched recently and are eager to hear the community’s feedback. If you have any ideas, suggestions or questions – please reach out to us!

Shortlink to this page: