Decentralized cryptocurrency exchange Bisq, which allows peer-to-peer trading, halted trading on Tuesday after uncovering a “critical security vulnerability.” The vulnerability led to the loss of at least $250,000 in BTC and XMR.
At the time, the exchange did not explain the situation and merely advised users not to make any transactions. It used its alert key functionality to halt trading, but because Bisq is a decentralized exchange, that halt can be bypassed by users.
About 18 hours after initially halting trading, Bisq revealed it had been exploited by an attacker who stole “approximately 3 BTC and 4000 XMR” from seven different users on the platform. The only affected market was XMR/BTC, and the affected trades took place over the preceding 12 days, Bisq said.
The vulnerability was introduced by an upgrade meant to further decentralize the platform by removing arbitrators, who had previously held a third key in the multisig escrow used for trade funds. They were replaced with mediators and arbitrators who hold no keys in the escrow. To make up for the removal of a trusted third party, Bisq moves the BTC trade funds to a so-called “donation address” after a time limit, as a way to resolve abandoned trades.
Per the exchange, a flaw in the way trades were carried out allowed the attacker to replace the address those funds would be sent to with one under their own control, netting around $250,000 in crypto.
The donation address is set by the Bisq DAO and approved by DAO stakeholders. The Bisq software did not verify that the payout address in the trade was actually the donation address set by the DAO before signing the time-locked payout transaction and sending it to the trade counterparty, so a malicious counterparty could propose a payout to any address and still obtain the victim's signature.
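The missing check described above, as an added example that is not Bisq's code: a toy model of the time-locked payout transaction in which the counterparty proposes the payout address, shown once with the pre-fix signer that signs whatever it receives and once with a signer that refuses to sign unless the output pays the DAO-set donation address. The data model, the HMAC stand-in for an ECDSA signature, the sample addresses and transaction fields, and every function name are assumptions for illustration only; the optional locktime check is an extra hardening step this article does not describe.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (assumptions), not real Bisq values or addresses.
DAO_DONATION_ADDRESS = "bc1q-dao-donation-address-approved-by-stakeholders"
ATTACKER_ADDRESS = "bc1q-address-controlled-by-the-counterparty"
MY_ESCROW_KEY = b"my-2-of-2-escrow-signing-key"   # stand-in for a private key


@dataclass(frozen=True)
class DelayedPayoutTx:
    """Unsigned time-locked payout spending the 2-of-2 escrow to one output."""
    escrow_txid: str
    amount_sat: int
    locktime: int          # block height before which the TX is invalid
    payout_address: str    # proposed by the trade counterparty

    def sighash(self) -> bytes:
        """Digest a signature commits to; it covers the payout address."""
        msg = f"{self.escrow_txid}|{self.amount_sat}|{self.locktime}|{self.payout_address}"
        return hashlib.sha256(msg.encode()).digest()


def sign(tx: DelayedPayoutTx, key: bytes) -> str:
    """HMAC stand-in for an ECDSA signature made with one escrow key."""
    return hmac.new(key, tx.sighash(), hashlib.sha256).hexdigest()


class PayoutValidationError(ValueError):
    """Raised when a proposed payout TX does not match the DAO parameters."""


def sign_payout_vulnerable(tx: DelayedPayoutTx, key: bytes) -> str:
    """Pre-fix behaviour: signs whatever payout TX the counterparty sent,
    so a swapped-in payout address still receives a valid signature."""
    return sign(tx, key)


def sign_payout_fixed(tx: DelayedPayoutTx, key: bytes,
                      donation_address: str = DAO_DONATION_ADDRESS,
                      expected_locktime: Optional[int] = None) -> str:
    """Post-fix behaviour: verify the output address against the DAO-set
    donation address before producing a signature. The locktime check is an
    added assumption for completeness, not something the article describes."""
    if tx.payout_address != donation_address:
        raise PayoutValidationError(
            f"payout address {tx.payout_address!r} is not the DAO donation address")
    if expected_locktime is not None and tx.locktime != expected_locktime:
        raise PayoutValidationError(
            f"locktime {tx.locktime} differs from agreed {expected_locktime}")
    return sign(tx, key)


def attacker_proposal(honest: DelayedPayoutTx, address: str) -> DelayedPayoutTx:
    """A malicious counterparty keeps every field except the payout address."""
    return DelayedPayoutTx(honest.escrow_txid, honest.amount_sat,
                           honest.locktime, address)


# Constructed trade: 1.5 BTC in escrow, payout unlocks at a sample height.
HONEST_TX = DelayedPayoutTx("escrow-txid-0001", 150_000_000, 650_000,
                            DAO_DONATION_ADDRESS)
ATTACKER_TX = attacker_proposal(HONEST_TX, ATTACKER_ADDRESS)


def run_demo() -> dict:
    """Report which signer is willing to sign which payout transaction."""
    outcome = {
        "vulnerable_signs_attacker_tx": bool(
            sign_payout_vulnerable(ATTACKER_TX, MY_ESCROW_KEY)),
        "fixed_signs_honest_tx": bool(
            sign_payout_fixed(HONEST_TX, MY_ESCROW_KEY, expected_locktime=650_000)),
    }
    try:
        sign_payout_fixed(ATTACKER_TX, MY_ESCROW_KEY, expected_locktime=650_000)
        outcome["fixed_signs_attacker_tx"] = True
    except PayoutValidationError:
        outcome["fixed_signs_attacker_tx"] = False
    return outcome


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

The point of the model is where the check sits: the signature commits to the payout address, so once the victim's key has signed the attacker's proposal the transaction is valid on the network regardless of what the DAO intended. Comparing the proposed output against the DAO-set address (and any other negotiated parameters) has to happen before the signing step, not after the counterparty has the signature.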
On Bisq’s forums, users pointed to a bitcoin address the stolen funds moved through, which has seen a total of 19.6 BTC ($143,000) pass through it. Blockchain data shows the funds have since hopped through various addresses, likely to conceal their origin and throw off investigators.
The Bisq DAO, the exchange’s funding mechanism, is reportedly going to put forward a proposal to repay the seven known victims of the hack out of future trading revenues.
Featured image via Pixabay.