Hacker Steals $250K From Decentralized Crypto Exchange Bisq

  • Though the software flaw has already been corrected, the attacker was still able to steal approximately 3 BTC and 4,000 XMR.
  • The software flaw came as part of a trade protocol update meant to improve decentralization, released back in October 2019.
Hacker illustration. Freepik

A hacker was able to exploit a significant software flaw in Bisq, a decentralised exchange (DEX), to steal around $250,000 worth of cryptocurrency from users, the exchange said in a blog post on 8 April.

According to the announcement, the developers behind the peer-to-peer exchange found the “critical security vulnerability” Tuesday night and had to abruptly disable trading on the platform. Before the exchange used the alert key, the attacker was able to steal approximately 3 BTC and 4,000 XMR from 7 different users. The exchange further said:

“To clear confusion: yes, Bisq is a proper distributed peer-to-peer network. So you can override the latest alert key functionality that blocks trading. But we highly discourage you from doing this for your own security.”

The exchange further clarified that the exploit was a flaw in the way trades were carried out on the platform, not in the way funds were stored. The attacker was able to alter the default fallback addresses of users, where crypto was sent if a trade failed. He then pretended to be a seller, started a trade with a buyer, and simply waited for the time limit to run out, at which point the funds were sent to the attacker’s address.

According to the exchange, the flaw was part of a trade protocol, updated in late October 2019, which was meant to improve decentralization, and remove trusted third parties from the platform. The exchange was able to release a hotfix, which removed the vulnerability, by 12:00 UTC Wednesday.

The exchange has further stated that it will soon create a proposal in the Bisq DAO, which will be aimed at repaying the seven victims of the hack.

Previously known as Bitsquare, Bisq was released on a testnet back in 2018 as a decentralized autonomous organization (DAO). Though the exchange operates like many other DEXs, it does not require registration or identity verification, which allows its users to trade anonymously.
