P2P Exchange Hodl Hodl Reports Security Issue

The non-custodial marketplace said some users' payment passwords might have been compromised.

Aug 3, 2021 at 9:34 a.m. UTC
Updated Sep 14, 2021 at 1:34 p.m. UTC

Hodl Hodl, a noncustodial bitcoin marketplace, said it had to force-liquidate some users' contracts to prevent the loss of funds, pointing to a possible security issue.

"Unfortunately, our recent internal and external audit identified that some user payment passwords might have been compromised," the Hodl Hodl team wrote in a blog post on Monday. "This affected a limited number of contracts, but we are taking proactive measures to ensure that everyone is safe." The team said it is investigating the issue and working on safely moving funds from potentially compromised contracts.

Hodl Hodl declined to comment on the situation but promised to publish a report as soon as the issues are investigated and fixed. "We have contacted external auditors and are doing external and internal audits on a daily basis," according to the blog post.

According to a user's tweet, the issue pertained to the Hodl Hodl lending platform, which went live in October 2020. Users also reported the Hodl Hodl website was down for some time on Aug. 2.

Answering questions on Twitter, Hodl Hodl's official account said the platform did not liquidate all contracts on the platform, only some.

Hodl Hodl is a peer-to-peer noncustodial marketplace. It doesn't store users' funds but provides a way for them to buy, sell, lend and borrow bitcoin from each other in an automated fashion. Hodl Hodl weighs in only when there is a dispute about a payment.

Users lock bitcoin in multisignature escrow wallets and use their personal payment passwords to release funds from them. Some of those passwords, according to Hodl Hodl's statement, might have been compromised.

On Aug. 1, user HodlBits tweeted concerns about Hodl Hodl, saying they received an email from the company "where they are pushing us to close contracts in the next 2 hours," and the style of the email seemed weird. Hodl Hodl's official account responded that the emails were authentic.

Later the same day, Hodl Hodl tweeted that the platform started forced liquidation "in those contracts that are still in In progress stage but are considered as 'high risk.' This is done to assure safety of YOUR funds. In order to complete the Liquidation process we will need you to undersign the Liquidation as well."

A day later, Hodl Hodl published an explanation on its blog and apologized for not communicating with users in a more straightforward way. The team also published a PGP key on the website and on the blog to prove the social network accounts of Hodl Hodl had not been compromised.

More details of the situation will come later in the blog, CEO Max Keidun told CoinDesk.

Hodl Hodl is one of the few places allowing users to buy bitcoin for fiat without sending funds to the third-party wallet of a centralized exchange. The company is owned by the team and a small number of investors, including the centralized exchange Bitfinex.

