Database: Active

Research Database & FAQ

A comprehensive repository of technical specifications, operational protocols, and security mechanisms observed within the DrugHub ecosystem. This data is aggregated from public PGP-signed documentation.

Categories

Research Note:

All answers refer to the V3 Onion Service architecture implemented as of Q4 2024.

1

Access & Network Connectivity

The platform operates exclusively as a Tor Hidden Service (v3 Onion Service). This architecture ensures that both the server location and the user's IP address remain anonymized through the Tor network's multi-hop routing protocol. Access requires a specialized browser (such as Tor Browser) capable of resolving .onion TLDs. The market does not operate on the clearnet.
Timeouts typically result from three factors:
  • DDoS Mitigation: The market employs rigorous PoW (Proof of Work) challenges that may delay initial connections.
  • Tor Circuit Latency: The Tor network routes traffic through three random nodes, often causing variable latency.
  • Maintenance: Scheduled downtime for database optimization usually lasts 1-2 hours.
Verified mirrors are authenticated using the market's primary PGP key (4096-bit RSA). The administrators sign a timestamped message containing the active .onion addresses. Users verify this signature against the known public key to ensure the links have not been tampered with by a man-in-the-middle attack or phishing entity.
2

Security & Encryption

DrugHub utilizes a passwordless authentication system. Upon registration, a user uploads a PGP public key. To log in, the server encrypts a unique random message with this public key. The user must decrypt this message using their private key and return the plaintext token. This ensures that only the holder of the private key can access the account.
During account creation, the system generates a mnemonic seed phrase (typically 12-24 words). This phrase is the cryptographic seed used to derive the account credentials locally or reset 2FA settings. It is the only method for account recovery if PGP keys are lost, as the administration does not store private keys.
No. The architecture is built to function entirely without Javascript to prevent browser fingerprinting and XSS (Cross-Site Scripting) vulnerabilities. Users are strongly advised to set their Tor Browser security level to "Safest", which disables Javascript by default.
3

Marketplace Architecture

Research indicates that the platform enforces a Monero-only settlement layer to leverage Ring Signatures, Stealth Addresses, and RingCT. These cryptographic features obfuscate the sender, receiver, and transaction amount on the blockchain, providing a higher degree of privacy compared to transparent ledgers like Bitcoin.
The escrow protocol holds funds in a temporary wallet controlled by the market logic until the transaction is finalized. Funds are released to the vendor only after the buyer confirms receipt or the auto-finalize timer expires. In case of a dispute, a moderator uses the multi-sig keys to intervene and direct funds to the correct party.
Historical analysis shows that new vendors must pay a non-refundable bond (typically priced in USD but paid in XMR) to list items. This acts as a spam deterrent and a barrier to entry for malicious actors. Established vendors with proven reputation on other markets may apply for a bond waiver via PGP-signed proof of identity.
4

Troubleshooting & Support

Monero deposits require 10 confirmations on the blockchain before the market balance updates. This process typically takes 20-30 minutes depending on network congestion. Users are advised to verify the transaction ID (TXID) on a blockchain explorer if delays exceed 1 hour.
If a user loses their private PGP key, they lose access to the login challenge system. Access can only be restored if the user saved their mnemonic seed phrase during registration. Without the mnemonic or the PGP key, the account is cryptographically inaccessible and cannot be recovered by support.