Bad actor steals $250,000 from Bisq users after faulty security patch

by Alina Bizga on April 9, 2020

Bisq, a decentralized crypto exchange network, was forced to disable trading on Tuesday after the discovery of a critical security vulnerability.

The open source peer-to-peer application allows Bitcoin aficionados to buy or sell digital currency anonymously in exchange for national currencies or different cryptocurrencies.

Developers rushed to sound the alarm after an attacker managed to steal over $250,000 from seven Bisq users. How was it possible? It seems that, along with a recent update meant to improve decentralization and remove trusted third parties from the platform, the developers also introduced a vulnerability that allowed the cyber thief to manipulate the way Bisq trades are carried out. He then directed the funds into his digital wallet.

“In plain words, this exploit was the result of a flaw in the way Bisq trades are carried out, not in the way funds are stored (i.e., there is no honeypot since Bisq is P2P),” said the developers.

Sponsorships Available

“About 24 hours ago, we discovered that an attacker was able to exploit a flaw in the Bisq trade protocol, targeting individual trades in order to steal trading capital. We are aware of approximately 3 BTC and 4000 XMR stolen from 7 different victims. This is the situation as we know it so far. The only market affected was the XMR/BTC market, and all affected trades occured over the past 12 days,” said Bisq representatives in a statement posted on 8 April.

Bisq also confirmed that, on discovering this incident, all trades were disabled and they were able to deliver a hot fix which is now available Bisq v1.3.0.

As for the reimbursement of victims, the platform aims “to repay the 7 victims from future trading revenues,” following a soon-to-be created proposal.