A recently launched darknet market called Odyssey market, as pointed out by ecatelhf on Reddit, is based on a publicly available marketplace script sold on the Bitcoin Talk forums. The script largely resembles, and functions as, a clone of the infamous Evolution market. Using a market script is not inherently an awful move. However, the market admin’s responses to allegations posted on Reddit revealed that the script and the market are more similar than initially claimed, raising some questions related to the admin’s integrity and the market’s security going forward.
On September 25, 2015, Bitcoin Talk forum member “sellscript” posted an advertisement for a functioning clone of the darknet marketplace “Evolution.” Dozens have purchased the script since then, as the BCT user still sells the script over Skype at codebitcoin.nguyen. Scripts are not necessarily bad. Everyone uses python-bitcoinrpc. As a general rule, though, launching an entire marketplace without changing anything but a handful of graphics and payment addresses.
“We used the .css from it (how it looks) and built the back end around it,” the admin wrote on Reddit.
Obviously the entire backend of Odyssey Market has not been examined, but ecalhf launched the copy of the script he owned and compared the post data from his register page with that of the Odyssey register page. He found that the values matched, meaning, at the very least, the Odyssey market admin(s) failed to change (admittedly unimportant) parts of the script, contrary to statements made on Reddit. But the post data itself is not a problem. It may be a sign of general sloppiness, though. The code is unlike the publicly available source code from the Tochka Foundation. It has not been audited, and questions have been raised concerning the motivation for the vendor to still sell the script for $50. The original script is also far from error-free.
With that said, the same issues found in the original script are not immediately present on Odyssey market. The admins claimed to have used the script frontend and rebuilt the backend, but later admitted that they used both and changed the backend. (And they obviously changed, at the very least, some of it; Odyssey supports Monero and the script only supports Bitcoin.) If they used the backend but hardened it, things might not be so bad. If they only used the frontend, why use the script at all? There’s also something to be said for market owners who have the technical ability (via themselves or employees) to create their own marketplace.
Script markets, like White Shadow Marketplace, have not really taken off. Usually for a good reason. Odyssey market may truly have redone every part of the backend that counts, but recovering from this launch will be difficult, if not impossible.