Decentralized exchange (DEX) Bisq rang the alarm bells last night after a hacker exploited a significant software flaw to steal more than $250,000 worth of cryptocurrency from users.
Bisq, which allows users to exchange crypto anonymously, abruptly disabled trading late Tuesday night after it uncovered “a critical security vulnerability.”
At the time, the exchange did not release any information regarding the nature of the flaw or whether user funds were safe. But 18 hours after it halted trading, Bisq said it took the “unprecedented” step after finding an attacker was exploiting a flaw in the software to steal cryptocurrency from other users.
“About 24 hours ago, we discovered that an attacker was able to exploit a flaw in the Bisq trade protocol, targeting individual trades in order to steal trading capital. We are aware of approximately 3 BTC and 4,000 XMR stolen from 7 different victims. This is the situation as we know it so far,” Bisq said in a statement to CoinDesk.
To carry out the thefts, the attacker was able to set other users’ default fallback address – the destination to which crypto is sent if a trade fails – to their own. Posing as a seller, they would start a trade with a buyer and simply wait for the time limit to run out. Rather than going to the legitimate owner, the digital assets went to the attacker, along with the buyer’s payment and security deposit.
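As an added illustration of the failure mode described above (a constructed model written for this page, not Bisq’s code or its actual trade protocol), the following Python sketch contrasts a buyer client that records a refund destination supplied by its trading peer with one that derives that destination from its own wallet and refuses any offer that disagrees. Wallet addresses, amounts, the escrow formula and the timeout are all hypothetical.

```python
"""Constructed model of a peer-to-peer trade with a timeout fallback.

Illustrative only: this is not Bisq's code or protocol. It shows why a
refund destination must come from the local wallet, never from the peer.
"""
from dataclasses import dataclass
from typing import Dict, Optional

TIMEOUT_SECONDS = 3600  # hypothetical payment window

# Constructed addresses for the scenario.
ATTACKER = "bc1q_attacker_constructed"
BUYER = "bc1q_buyer_constructed"


@dataclass
class Wallet:
    address: str


@dataclass
class TradeOffer:
    """Message the seller sends to open a trade (constructed format)."""
    seller_address: str
    trade_amount: int         # satoshis
    security_deposit: int     # satoshis, posted by each side
    fallback_address: str     # where escrowed funds go if the trade times out


@dataclass
class Trade:
    buyer_fallback: str       # refund destination the buyer's client recorded
    escrow: int               # trade amount + both security deposits
    started_at: int
    completed: bool = False


def open_trade_vulnerable(offer: TradeOffer, buyer: Wallet, now: int) -> Trade:
    """Vulnerable: the buyer's client trusts the peer-supplied fallback
    address verbatim, so the seller decides where a failed trade pays out."""
    escrow = offer.trade_amount + 2 * offer.security_deposit
    return Trade(buyer_fallback=offer.fallback_address, escrow=escrow,
                 started_at=now)


def open_trade_hardened(offer: TradeOffer, buyer: Wallet, now: int) -> Trade:
    """Hardened: the refund destination is the buyer's own wallet address,
    and an offer whose fallback field disagrees with it is rejected."""
    expected = buyer.address
    if offer.fallback_address != expected:
        raise ValueError(
            f"fallback address {offer.fallback_address!r} does not match "
            f"buyer's own address {expected!r}; refusing trade")
    escrow = offer.trade_amount + 2 * offer.security_deposit
    return Trade(buyer_fallback=expected, escrow=escrow, started_at=now)


def settle_on_timeout(trade: Trade, ledger: Dict[str, int],
                      now: int) -> Optional[str]:
    """If the trade was not completed within the window, pay the escrow to
    the recorded fallback address. Returns the credited address, or None
    when no payout happened."""
    if trade.completed or now - trade.started_at < TIMEOUT_SECONDS:
        return None
    ledger[trade.buyer_fallback] = ledger.get(trade.buyer_fallback, 0) + trade.escrow
    return trade.buyer_fallback


def run_scenario(hardened: bool) -> Dict[str, int]:
    """Attacker poses as seller, points the fallback at their own wallet,
    never pays, and lets the trade time out. Returns the resulting ledger."""
    buyer = Wallet(address=BUYER)
    offer = TradeOffer(seller_address=ATTACKER, trade_amount=100_000_000,
                       security_deposit=15_000_000, fallback_address=ATTACKER)
    ledger: Dict[str, int] = {}
    opener = open_trade_hardened if hardened else open_trade_vulnerable
    try:
        trade = opener(offer, buyer, now=0)
    except ValueError:
        return ledger  # trade refused: nothing locked, nothing to steal
    settle_on_timeout(trade, ledger, now=TIMEOUT_SECONDS + 1)
    return ledger


if __name__ == "__main__":
    print("vulnerable:", run_scenario(hardened=False))
    print("hardened:  ", run_scenario(hardened=True))
```

The hardened variant treats the peer’s `fallback_address` field purely as something to check, never as something to store; the refund destination is chosen locally before the escrow is funded, so a malicious counterparty gains nothing by lying in the offer.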
The flaw in question came as part of a recent update to the trading protocol, which was designed to improve decentralization and remove trusted third parties from the platform.
Bisq had fixed the flaw by 12:00 UTC Wednesday and told CoinDesk shortly before publication that trading had resumed.
Bisq released onto testnet back in late 2018 as an exchange structured as a…