Decentralized cryptocurrency exchange Bisq has suffered an attack that exploited a critical security vulnerability, with more than $250,000 worth of cryptocurrency stolen from users.
Bisq disabled trading late Tuesday night after discovering the hack. Roughly 18 hours after halting trading, the exchange explained the “unprecedented” step: it had found an attacker exploiting a flaw in the software to steal cryptocurrency from other users.
According to Bisq, the attacker exploited a flaw in the Bisq trade protocol, targeting individual trades in order to steal trading capital. Approximately 3 BTC and 4,000 XMR were stolen from 7 different victims. The attacker was able to set other users’ default fallback address (the destination to which funds are sent if a trade fails) to an address they controlled. Posing as a seller, they would start a trade with a buyer and simply wait for the time limit to run out. When the trade timed out, the escrowed funds went to the attacker rather than to the legitimate owner, along with the buyer’s payment and security deposit.
The value of the crypto stolen was roughly $22,000 worth of bitcoin (BTC) and $230,000 worth of monero (XMR), totalling more than $250,000.
The flaw was introduced by a recent update to the trading protocol, which was designed to improve decentralization and remove trusted third parties from the platform.
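To make the failure mode concrete, the following is an added illustration (not Bisq’s code, and a deliberate simplification of its multisig escrow): a toy trade-timeout payout in which each party’s deposit is refunded to that party’s fallback address. The vulnerable handler lets a trade message from one peer overwrite the other peer’s fallback address; the hardened handler only accepts the sender’s own address and requires it to match the one committed at trade setup. All names, addresses, amounts and message fields are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class Party:
    name: str
    fallback_address: str        # where this party's funds go if the trade fails
    committed_address: str = ""  # address bound at trade setup (used by the hardened handler)


@dataclass
class Trade:
    buyer: Party
    seller: Party
    buyer_deposit: int   # satoshis: buyer's security deposit
    seller_deposit: int  # satoshis: seller's trade amount plus security deposit


def setup_trade(buyer: Party, seller: Party, buyer_deposit: int, seller_deposit: int) -> Trade:
    # Bind each party's fallback address at setup. In a real protocol this
    # commitment lives in the signed deposit/timeout transaction, not in a
    # mutable field; a plain attribute is used here only to keep the model small.
    buyer.committed_address = buyer.fallback_address
    seller.committed_address = seller.fallback_address
    return Trade(buyer, seller, buyer_deposit, seller_deposit)


class ProtocolViolation(Exception):
    pass


def handle_message_vulnerable(trade: Trade, sender: Party, msg: dict) -> None:
    """Flawed handler: trusts a 'peer_fallback_address' field supplied by the counterparty."""
    peer = trade.buyer if sender is trade.seller else trade.seller
    if "fallback_address" in msg:
        sender.fallback_address = msg["fallback_address"]
    if "peer_fallback_address" in msg:
        peer.fallback_address = msg["peer_fallback_address"]  # the flaw: peer-controlled refund target


def handle_message_hardened(trade: Trade, sender: Party, msg: dict) -> None:
    """Hardened handler: a message may only describe the sender's own fallback address,
    and that address must equal the one committed at setup."""
    if "peer_fallback_address" in msg:
        raise ProtocolViolation(f"{sender.name} tried to set the peer's fallback address")
    if "fallback_address" in msg and msg["fallback_address"] != sender.committed_address:
        raise ProtocolViolation(f"{sender.name} sent a fallback address that differs from the committed one")


def payout_on_timeout(trade: Trade) -> Dict[str, int]:
    """The trade timed out: refund each party's deposit to its fallback address."""
    payouts: Dict[str, int] = {}
    for party, amount in ((trade.buyer, trade.buyer_deposit), (trade.seller, trade.seller_deposit)):
        payouts[party.fallback_address] = payouts.get(party.fallback_address, 0) + amount
    return payouts


def run_attack(handler) -> Dict[str, int]:
    """Attacker poses as seller, tries to redirect the buyer's refund, then lets the trade time out.
    Returns the resulting payout map (constructed placeholder addresses)."""
    buyer = Party("buyer", "bc1q_buyer_refund")
    attacker = Party("attacker", "bc1q_attacker")
    trade = setup_trade(buyer, attacker, buyer_deposit=10_000_000, seller_deposit=40_000_000)
    try:
        handler(trade, attacker, {"peer_fallback_address": "bc1q_attacker"})
    except ProtocolViolation:
        pass  # the hardened handler rejects the message; the trade proceeds unchanged
    return payout_on_timeout(trade)


if __name__ == "__main__":
    print("vulnerable:", run_attack(handle_message_vulnerable))
    print("hardened:  ", run_attack(handle_message_hardened))
```

With the vulnerable handler every satoshi in escrow lands at the attacker’s address once the timeout fires; with the hardened handler the buyer’s deposit returns to the buyer. The general lesson is the same one the incident illustrates: any field that decides where funds go on a failure path must be authenticated as belonging to the party whose funds they are, never accepted from the counterparty.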
Bisq was released in 2018 structured as a decentralized autonomous organization (DAO). It works similarly to other DEXs, but users can trade anonymously as there are no registration or identity verification requirements. Although Bisq’s developers had suspended trading, the exchange’s decentralized nature means users could override the suspension should they wish.
In most cases of an exchange hack, the attacker can be booted off the trading platform for good. Not so with Bisq. One of the DEX’s associated developers said that although the flaw was fixed, there was nothing to prevent the attacker from accessing and trading on the platform again. “Anyone can use Bisq, there is no censorship. Just like anyone can use bitcoin, there is no way to ban someone from bitcoin,” the developer said.