The decentralized bitcoin trading network Bisq has reported an attack that resulted in the loss of 3 BTC worth nearly $22,000 and 4,000 XMR worth $224,000. The open-source, peer-to-peer exchange, which requires no registration to trade cryptocurrencies, suffered the attack 24 hours ago, when the attacker exploited a flaw in Bisq’s trade protocol.
Statement on the critical vulnerability discovered yesterday: https://t.co/xbRstVXyfn
— Bisq (@bisq_network) April 8, 2020
The attacker targeted individual trades to steal trading capital, and the only market affected was XMR/BTC. All the affected trades occurred over the past 12 days. According to the information available so far, about 3 BTC and 4,000 XMR were stolen from 7 different victims. The exchange is planning to create a proposal in the BisqDAO, the platform’s funding mechanism, to repay the 7 victims from future trading revenues.
In late October 2019, Bisq updated its trade protocol with the release of Bisq v1.2, which improved decentralization by removing the arbitrators who held a “3rd key in the multisig escrow” used for bitcoin trading funds. Those arbitrators were replaced with mediators and arbitrators with no keys.
Because the new protocol didn’t require any trusted third parties, the trade parties have to move bitcoin trade funds to a Bisq “donation address” after a hard time limit. This donation address is set by the Bisq DAO and approved by its stakeholders. The statement reads,
“This exploit was the result of a flaw in the way Bisq trades are carried out, not in the way funds are stored (i.e., there is no honeypot since Bisq is P2P).”
On discovering the attack, Bisq disabled all trading on the platform using the alert key, an “unprecedented” step: it was the first time the key had been used in the network's four years of operating on mainnet. The flaw has now been corrected with the release of the new version, Bisq v1.3.0.