Hacker Exploits Flaw in Decentralized Bitcoin Exchange Bisq to Steal $250K

The DEX revealed the hack 18 hours after it suspended trading.

AccessTimeIconApr 8, 2020 at 1:12 p.m. UTC
Updated Sep 14, 2021 at 8:26 a.m. UTC

Decentralized exchange (DEX) Bisq rang the alarm bells last night after a hacker exploited a significant software flaw to steal more than $250,000 worth of cryptocurrency from users.

Bisq, which allows users to exchange crypto anonymously, abruptly disabled trading late Tuesday night after it uncovered "a critical security vulnerability."

At the time, the exchange did not release any information regarding the nature of the flaw or whether user funds were safe. But 18 hours after it halted trading, Bisq said it took the "unprecedented" step after finding an attacker was exploiting a flaw in the software to steal cryptocurrency from other users.

"About 24 hours ago, we discovered that an attacker was able to exploit a flaw in the Bisq trade protocol, targeting individual trades in order to steal trading capital. We are aware of approximately 3 BTC and 4,000 XMR stolen from 7 different victims. This is the situation as we know it so far," Bisq said in a statement to CoinDesk.

The value of the crypto stolen was roughly $22,000 worth of bitcoin (BTC) and $230,000 worth of monero (XMR), according to CoinDesk data at press time. In total, that comes to more than $250,000.

To carry out the thefts, the attacker was able to set other users' default fallback address – the destination to which crypto is sent to if a trade fails – to their own. Posing as a seller, they would start a trade with a buyer and simply wait for the time limit to run out. Rather than going to the legitimate owner, the digital assets arrived with the attacker, along with the buyer's payment and security deposit too.

The flaw in question came as part of a recent update to the trading protocol, which was designed to improve decentralization and remove trusted third parties from the platform.

Bisq managed to fix the flaw by 12:00 UTC Wednesday and told CoinDesk just before publication that trading had just resumed again.

Bisq released onto testnet back in late 2018 as an exchange structured as a decentralized autonomous organization (DAO). It works in much the same way as other DEXs, but users can trade anonymously as there are no registration or identity verification requirements.

With the platform based on a distributed network, each user effectively acts as a node. Although Bisq's developers had suspended trading, the exchange's decentralized nature means users could override the suspension should they wish.

In most cases of an exchange hack, the attacker can be booted off the trading platform for good. Not so with Bisq. One of the DEX's associated developers told CoinDesk that although the flaw was fixed, there was nothing to prevent the attacker – whose identity cannot be known – from accessing and trading on the platform again.

"Anyone can use Bisq, there is no censorship," the developer said. "Just like anyone can use bitcoin, there is no way to ban someone from bitcoin."


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.