Hodl Hodl Explains August Security Issues, Puts Lending on Hold

The peer-to-peer bitcoin lending platform is closed for new deals until the planned relaunch in September.

AccessTimeIconSep 3, 2021 at 10:37 a.m. UTC
Updated May 11, 2023 at 7:04 p.m. UTC

Hodl Hodl, a non-custodial marketplace for bitcoin peer-to-peer purchases and loans, published an update on the security issue it reported in early August.

On Aug. 2, Hold Hodl reported a security issue on its platform for peer-to-peer bitcoin loans, named Lend. The team asked users to migrate their loan contracts to new escrows and get stronger payment passwords. Hodl Hodl also said it had to force-liquidate some of the contracts to keep users’ funds safe from possible attacks.

In an update on Friday, Hodl Hodl said two vulnerabilities were found in Lend’s code. The team did not identify any loss of users’ funds. However, it “had no guarantee that these vulnerabilities weren’t exploited already, and some user payment passwords weren’t obtained by bad actors,” according to a Sept. 2 blog post explaining why the team asked users to migrate their funds to new escrows.

Hodl Hodl also force-liquidated some of the most risky contracts, less than 1% of all contracts, the blog post said.

Hodl Hodl does not store users’ funds and runs on what the team calls bitcoin smart contracts, allowing users to generate multisignature escrow wallets in which the bitcoin gets locked until the deal is complete. This allows people to trade bitcoin for fiat money or borrow USD-denominated stablecoins, like USDT, for collateral without parking their funds with a third-party entity, as centralized platforms do.

In late July, Hodl Hodl hired a new auditing firm to check the security of its code, and the firm found two vulnerabilities. “One of them allowed to easily brute force weak passwords. Another one was found in the front end of our lending platform. This vulnerability could lead users to input their payment passwords into a fake form (produced and generated by the attacker), allowing them to access the user’s private key,” Hodl Hodl wrote.

The issue applied only to the lending product, not the trading product, CEO Max Keidun told CoinDesk. He confirmed no funds had been stolen.

The team is now working on “new extra security features, which will be a part of a more significant update called Lend 2.0,” according to the blog. The new platform will be launched sometime in September, the company added, and will “contain major security and UI/UX improvements and use a different security and usability approach than the previous version.”

For now, the platform is closed to new loan contracts, which will become available after the relaunch. Existing contracts that haven’t expired yet are still running on the platform, Keidun said.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

CoinDesk - Unknown

Anna Baydakova is an investigative reporter with a special focus on Eastern Europe and Russia. Anna owns BTC and an NFT.

Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.