On 8 April, as we reported, the Bisq exchange stopped trading due to a “critical security vulnerability.” The exchange at the time did not disclose any details about the nature and severity of the hack.
Bisq said it took the “unprecedented” step after the vulnerability was discovered, and later revealed on its website that an attacker had exploited a flaw in the Bisq trade protocol to target individual trades and steal trading capital. Approximately 3 BTC and 4000 XMR were stolen from seven individual victims; the exchange has since released a patch and promised to reimburse the victims in full.
“We are aware of approximately 3 BTC and 4000 XMR stolen from 7 different victims,” the company said. “The only market affected was the XMR/BTC market, and all affected trades occurred over the past 12 days,” the exchange said.
The hacker posed as an ordinary user on the platform to take advantage of the vulnerability, and allegedly stole the funds through the protocol's default fallback address, known as the “donation address”. (When a trade dispute occurs and a mediator is unable to find a solution, the funds are sent to a “donation address” for a temporary period.) In this case, the hacker was able to set the donation address to point to an address under their own control, which allowed them to claim the funds for themselves. The exchange said:
“In plain words, this exploit was the result of a flaw in the way Bisq trades are carried out, not in the way funds are stored (i.e., there is no honeypot since Bisq is P2P)”.
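The flaw described above is a familiar pattern: a value that should come from the receiving peer's own configuration (the fallback "donation address") was instead taken from the counterparty's message. The following illustration is added here and is not Bisq's code; the message shape, address strings, amounts and trade ids are all constructed. It contrasts a check that accepts whatever fallback address the counterparty proposes with one that only accepts a destination from the receiver's local allow-list, and adds the kind of after-the-fact audit pass a defender would run over past proposals to find trades whose payout went somewhere unexpected.

```python
from dataclasses import dataclass

# Constructed sample allow-list. In a real client this would be the set of
# fallback addresses the software itself knows, never anything sent by a peer.
TRUSTED_DONATION_ADDRESSES = frozenset({
    "bc1q-trusted-donation-address-example-0",
    "bc1q-trusted-donation-address-example-1",
})


@dataclass(frozen=True)
class PayoutProposal:
    """A counterparty's proposed fallback payout, as received over the wire (constructed shape)."""
    trade_id: str
    destination: str   # address the peer asks us to release the escrowed funds to
    amount_sat: int    # amount the peer claims is in escrow


def accept_payout_weak(proposal: PayoutProposal, escrow_sat: int) -> bool:
    """Weak check: only the amount is verified, so any destination the peer
    supplies is accepted. This is the shape of mistake the article describes."""
    return proposal.amount_sat == escrow_sat


def accept_payout_hardened(proposal: PayoutProposal, escrow_sat: int,
                           trusted=TRUSTED_DONATION_ADDRESSES) -> tuple:
    """Hardened check: the amount must match our own view of escrow AND the
    destination must be one of the addresses we already trust locally.
    Returns (accepted, reason) so callers can log why a proposal was refused."""
    if proposal.amount_sat != escrow_sat:
        return (False, "amount does not match local escrow balance")
    if proposal.destination not in trusted:
        return (False, "destination is not a locally known donation address")
    return (True, "ok")


def audit_proposals(proposals, trusted=TRUSTED_DONATION_ADDRESSES) -> list:
    """Retrospective audit: return the trade ids whose fallback destination was
    not on the allow-list. Useful for scoping which past trades need review."""
    return [p.trade_id for p in proposals if p.destination not in trusted]


# Constructed sample traffic: one honest proposal and one that substitutes
# an attacker-controlled address for the fallback destination.
HONEST = PayoutProposal("trade-0001", "bc1q-trusted-donation-address-example-0", 150_000)
SUBSTITUTED = PayoutProposal("trade-0002", "bc1q-attacker-controlled-example", 150_000)
ESCROW_SAT = 150_000

if __name__ == "__main__":
    for p in (HONEST, SUBSTITUTED):
        print(p.trade_id, "weak:", accept_payout_weak(p, ESCROW_SAT),
              "hardened:", accept_payout_hardened(p, ESCROW_SAT))
    print("trades needing review:", audit_proposals([HONEST, SUBSTITUTED]))
```

The design point is that the allow-list is a local constant and the peer's message is only ever compared against it; the audit function reuses the same comparison so that the rule enforced going forward is the same one used to scope past exposure.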
Bisq developers used the alert key to disable all trading on Bisq as soon as the attack was discovered. The vulnerability in the trade protocol has been fixed and trading resumed by 12:00 UTC.
One more release for you today.
v1.3.1 fixes a bug that marks valid trades as failed trades, and it also improves delayed deposit transaction verification.
— Bisq (@bisq_network) April 8, 2020