Over $250k in cryptocurrency stolen from Bisq Bitcoin exchange users


Critical security flaw forces Bisq Bitcoin exchange trading platform to stop services after a cyber attack

The flaw in Bisq software allowed hackers to steal BTC

The decentralized exchange announced that trading would be temporarily halted until a hotfix resolved the security vulnerability.[1] The cyberattack that exploited the critical flaw resulted in the theft of Monero and Bitcoin.[2] Bisq is a peer-to-peer network that lets users buy and sell Bitcoin in exchange for national currencies.

Bisq found that the attacker exploited a bug in the software and stole money directly from users. The vulnerability in the trade protocol let the attacker target individual trades, and at the time at least seven victims were known to have lost 3 BTC and 4,000 Monero each. In total, the stolen cryptocurrency was worth about $250,000.[3]

Users were advised not to send funds to or from the Bisq exchange until further notice and the hotfix release, due early Tuesday. The security notice on Reddit stated:

Until v1.3.0 is released, existing trades cannot be completed. Please hold tight. Of course, because of Bisq’s security model, your funds are not at risk.

The exploit allowed the attacker to change the final destination of the transferred crypto

These thefts were carried out by setting a user's default fallback address, the destination used when a trade fails, to a wallet the attacker controlled. The malicious actor posed as a seller, started trades with potential buyers and waited for the time limit to expire. Because the destination had been changed, the funds, instead of returning to their legitimate owner, went to the attacker's address together with the buyer's payment and security deposit.

The flaw was introduced by recent updates that were designed to improve stability. They inadvertently introduced a security flaw that let criminals manipulate the time-out and fallback addresses to take control of funds. The flaw has been fixed and trading has resumed, but many users[4] reported disappearing funds after installing version 1.3.1, the latest release, which contains the hotfix.
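To make the flaw class concrete, here is an added toy model of a timed-out trade (a constructed example, not Bisq's code or protocol; the trade structure, refund rule and amounts are assumptions). The vulnerable setter lets any participant redirect the refund destination, while the hardened one checks who owns the funds before accepting the change.

```python
from dataclasses import dataclass


@dataclass
class Party:
    name: str
    address: str   # wallet address this party controls (constructed value)
    deposit: int   # security deposit locked in the trade, in satoshis


@dataclass
class Trade:
    buyer: Party
    seller: Party
    amount: int          # buyer's payment held in the trade, in satoshis
    refund_address: str  # where the buyer-side funds go if the trade times out


def set_refund_address_vulnerable(trade: Trade, caller: Party, new_address: str) -> None:
    """Flawed rule: any trade participant may overwrite the refund destination."""
    trade.refund_address = new_address


def set_refund_address_hardened(trade: Trade, caller: Party, new_address: str) -> None:
    """Only the party whose funds are at stake may change where they are returned."""
    if caller is not trade.buyer:
        raise PermissionError(f"{caller.name} may not change the buyer's refund address")
    trade.refund_address = new_address


def settle_timeout(trade: Trade) -> dict:
    """Trade timed out: payment plus buyer deposit go to the refund address,
    the seller's deposit goes back to the seller. Returns address -> satoshis."""
    payouts: dict = {}
    payouts[trade.refund_address] = trade.amount + trade.buyer.deposit
    payouts[trade.seller.address] = payouts.get(trade.seller.address, 0) + trade.seller.deposit
    return payouts


def run_timeout_scenario(setter) -> dict:
    """A seller-side attacker redirects the refund, then lets the trade expire.
    Amounts are constructed: a 3 BTC payment and 0.0002 BTC deposits."""
    buyer = Party("buyer", "addr_buyer", deposit=20_000)
    attacker = Party("seller", "addr_attacker", deposit=20_000)
    trade = Trade(buyer, attacker, amount=300_000_000, refund_address=buyer.address)
    try:
        setter(trade, attacker, attacker.address)
    except PermissionError:
        pass  # hardened rule rejects the change; the refund stays with the buyer
    return settle_timeout(trade)
```

Running the scenario with the vulnerable setter routes the whole escrow to the attacker's address; with the hardened setter the buyer's payment and deposit return to the buyer and the attacker only gets their own deposit back.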

The attacker's identity cannot be known, so the exchange hack can be repeated

Even though the platform fixed the bug on Wednesday and resumed trading, some risks remain.[5] Bisq suspended trading, but because the exchange is decentralized, users could override the suspension. On a centralized cryptocurrency exchange hit by such a hacking incident, the attacker can be banned from the platform permanently; that is not how Bisq works.

The Bisq Bitcoin exchange works like any other decentralized autonomous organization: users trade anonymously, with no requirement for identity verification or registration. Because the attacker's identity cannot be known, nothing prevents them from striking again.

Anyone can use Bisq, there is no censorship. Just like anyone can use bitcoin, there is no way to ban someone from bitcoin.