KEY POINTS

  • A hacker was able to exploit a flaw from Bisq exchange and wound up with $250,000 worth of cryptocurrencies
  • Trading was disabled on Bisq on Tuesday and Bisq v1.3.0 was released to address the trade flaw
  • Trading resumed by Wednesday for the decentralized bitcoin exchange network

A total of 3 Bitcoin (BTC) and 4,000 Monero (XMR), which is equivalent to $250,000, were stolen from decentralized Bitcoin exchange network Bisq.

On Tuesday, trading was halted from Bisq after it found out "a critical security vulnerability," reported Coindesk. The attacker was able to intercept cryptos coming to users' default fallback address, which is the address where cryptos are sent to upon a failed trade.

The hacker exploited the exchange's flaw by posing as a seller and waiting out the time limit of a pending trade with a buyer. The result is that the cryptos go to the attacker along with the payment and security deposit.

"About 24 hours ago, we discovered that an attacker was able to exploit a flaw in the Bisq trade protocol, targeting individual trades in order to steal trading capital. We are aware of approximately 3 BTC and 4000 XMR stolen from 7 different victims. This is the situation as we know it so far. The only market affected was the XMR/BTC market, and all affected trades occurred over the past 12 days," Bisq said in a statement.

Bisq also defended that it is not due to how funds are stored. In October 2019, the exchange just improved its trade protocol with the release of Bisq v1.2. Bisq removed trusted third parties and required trade parties to move funds to a Bisq "donation address" after a hard time limit. This was set in place to resolve failed trades.

That particular address, which was approved by DAO stakeholders and was set by Bisq DAO, was put in place as the payout address by Bisq's software. But this wasn't changed prior to sending the time-locked payout TX to the trade counterparty.

 

"In plain words, this exploit was the result of a flaw in the way Bisq trades are carried out, not in the way funds are stored (i.e., there is no honeypot since Bisq is P2P)," Bisq stated.

Bisq took action right away upon discovering the attack, and the trading flaw was rectified with the release of Bisq v1.3.0. The exchange has resumed trading on Wednesday.

Russianhackers Silicon Valley has often made product usability the priority over product security. Photo: Reuters