Decentralized crypto exchange Bisq has recently disclosed a vulnerability that forced it to stop trading. It now turns out that some of the exchange's customers have also suffered financial losses.
Bisq Crypto Exchange Vulnerability
Reportedly, the decentralized crypto exchange Bisq has suffered a security issue. Following the incident, the exchange had to stop trading and urged users to stop all processing.
The exchange first asked all users to stop trading, while explaining that they “can” override this block.
To clear confusion: yes, Bisq is a proper distributed peer-to-peer network. So you *can* override the latest alert key functionality that blocks trading.
But we highly discourage you from doing this for your own security.
We'll release more details when we can.
— Bisq (@bisq_network) April 7, 2020
They later elaborated that the vulnerability also affected all existing trades, though they assured users that their funds remained safe.
an unfortunate side-effect is that existing trades are also prevented from being completed until the hotfix is released. please be patient.
of course, due to bisq's security model, your funds are not at risk.
— Bisq (@bisq_network) April 7, 2020
However, in a recent statement revealing the details, they explained that they had found some hackers exploiting the vulnerability. As a result, the attackers were able to steal currency from a few victims.
We are aware of approximately 3 BTC and 4000 XMR stolen from 7 different victims.
The flaw existed in the Bisq trade protocol and allowed hackers to steal currency. As mentioned in their statement:
In plain words, this exploit was the result of a flaw in the way Bisq trades are carried out, not in the way funds are stored (i.e., there is no honeypot since Bisq is P2P).
Bisq Patched The Flaw
After identifying the flaw, Bisq developers first moved quickly to stop all trading and contain the attack. Then they worked on a fix so that normal trading could resume. Consequently, they patched the bug with the release of Bisq v1.3.0.
As soon as this attack was discovered, Bisq developers used the alert key to disable all trading on Bisq. The flaw in the trade protocol has been corrected in Bisq v1.3.0, now released.
For the victims who suffered financial losses, the exchange has pledged to compensate them in the future.
A proposal will soon be created in the Bisq DAO, Bisq’s funding mechanism, that will aim to repay the 7 victims from future trading revenues.
Bisq has apologized to all customers for the security incident. They are also working on a subsequent version (v1.3.1) for all those facing problems with v1.3.0.