Decentralized exchange (DEX) Bisq rang the alarm bells last night after a hacker exploited a significant software flaw to steal more than $250,000 worth of cryptocurrency from users.
Bisq, which allows users to exchange crypto anonymously, abruptly disabled trading late Tuesday night after it uncovered "a critical security vulnerability."
At the time, the exchange did not release any information regarding the nature of the flaw or whether user funds were safe. But 18 hours after it halted trading, Bisq said it took the "unprecedented" step after finding an attacker was exploiting a flaw in the software to steal cryptocurrency from other users.
"About 24 hours ago, we discovered that an attacker was able to exploit a flaw in the Bisq trade protocol, targeting individual trades in order to steal trading capital. We are aware of approximately 3 BTC and 4,000 XMR stolen from 7 different victims. This is the situation as we know it so far," Bisq said in a statement to CoinDesk.
To carry out the thefts, the attacker was able to set other users' default fallback address – the destination to which crypto is sent to if a trade fails – to their own. Posing as a seller, they would start a trade with a buyer and simply wait for the time limit to run out. Rather than going to the legitimate owner, the digital assets arrived with the attacker, along with the buyer's payment and security deposit too.
The flaw in question came as part of a recent update to the trading protocol, which was designed to improve decentralization and remove trusted third parties from the platform.
Bisq managed to fix the flaw by 12:00 UTC Wednesday and told CoinDesk just before publication that trading had just resumed again.
Bisq released onto testnet back in late 2018 as an exchange structured as a decentralized autonomous organization (DAO). It works in much the same way as other DEXs, but users can trade anonymously as there are no registration or identity verification requirements.
With the platform based on a distributed network, each user effectively acts as a node. Although Bisq's developers had suspended trading, the exchange's decentralized nature means users could override the suspension should they wish.
In most cases of an exchange hack, the attacker can be booted off the trading platform for good. Not so with Bisq. One of the DEX's associated developers told CoinDesk that although the flaw was fixed, there was nothing to prevent the attacker – whose identity cannot be known – from accessing and trading on the platform again.
"Anyone can use Bisq, there is no censorship," the developer said. "Just like anyone can use bitcoin, there is no way to ban someone from bitcoin."
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.