Critical Vulnerability In Bisq Crypto Exchange Exploited For Some Users

Decentralized crypto exchange Bisq recently disclosed a vulnerability that forced it to halt trading. It now turns out that some of the exchange's users have also suffered financial losses.

Bisq Crypto Exchange Vulnerability

Reportedly, the decentralized crypto exchange Bisq has suffered a security issue. Following the incident, the exchange halted trading and urged users to stop all in-progress activity.

The exchange first asked all users to stop trading, while noting that users “can” override this block.

They later elaborated that the vulnerability also affected all existing trades, though they assured users that their funds remained safe.

However, in a later statement revealing the details, they disclosed that attackers had exploited the vulnerability and, as a result, stolen currency from a few victims.

We are aware of approximately 3 BTC and 4000 XMR stolen from 7 different victims.

The flaw lay in the Bisq trade protocol and allowed attackers to steal currency. As mentioned in their statement,

In plain words, this exploit was the result of a flaw in the way Bisq trades are carried out, not in the way funds are stored (i.e., there is no honeypot since Bisq is P2P).

Bisq Patched The Flaw

After identifying the flaw, Bisq developers first stopped all trading to contain the attack. They then developed a fix so that normal trading could resume, patching the bug in the release of Bisq v1.3.0.

As soon as this attack was discovered, Bisq developers used the alert key to disable all trading on Bisq. The flaw in the trade protocol has been corrected in Bisq v1.3.0, now released.

For the victims who suffered financial losses, the exchange has pledged to compensate them in the future.

A proposal will soon be created in the Bisq DAO, Bisq’s funding mechanism, that will aim to repay the 7 victims from future trading revenues.

Bisq has apologized to all customers for the security incident. They are also working on a follow-up version (v1.3.1) for users facing problems with v1.3.0.
