Hacker exploits flaw in decentralized Bisq exchange to steal $250,000 in cryptocurrencies


Decentralized exchange (DEX) Bisq sounded the alarm last night after a hacker exploited a software flaw to steal over $250,000 worth of cryptocurrencies from users. The flaw, introduced in a recent update to Bisq, which lets users trade cryptocurrencies anonymously, led the project to abruptly halt trading on Tuesday after it disclosed "a critical security vulnerability". At the time, the exchange released no information on the nature of the defect or on the safety of user funds. But 18 hours after stopping trading, Bisq said it had taken "unprecedented" action after discovering that an attacker was using the flaw to steal cryptocurrency from other users.

"About 24 hours ago, we discovered that an attacker was able to exploit a flaw in Bisq's trading protocol by targeting individual trades in order to steal trade capital. We are aware of about 3 BTC and 4,000 XMR stolen from 7 different victims. This is the situation as we know it so far," Bisq said in a statement. At current prices, the stolen coins were worth roughly $22,000 in bitcoin (BTC) and $230,000 in monero (XMR).

To commit the theft, the attacker was able to set the default (fallback) address of other users, the destination to which funds are sent if a trade fails. Taking the seller's side of a trade, the attacker opened a trade with a buyer and simply waited for the trade to time out. The funds were then paid out to the attacker's address, along with the buyer's payment and the security deposit. The flaw was part of an update to the latest trade protocol, designed to improve decentralization and remove trusted third parties from the platform. Bisq corrected the defect within a few hours, allowing trading to resume.
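As an added illustration, not Bisq's code, the following Python toy model shows the class of bug the article describes: the fallback payout address applied to a trade is taken from a peer message without checking that the sender owns the address it is changing, shown next to a handler that enforces that check. The `Party`, `Trade`, message layout and amounts are all constructed for the example.

```python
"""Toy model of a two-party trade with a timeout fallback payout (hypothetical names)."""
from dataclasses import dataclass


@dataclass
class Party:
    name: str
    fallback_address: str  # where this party's funds go if the trade fails


@dataclass
class Trade:
    buyer: Party
    seller: Party
    buyer_payment: float
    buyer_deposit: float
    seller_deposit: float


def apply_peer_message_vulnerable(trade: Trade, sender: Party, msg: dict) -> None:
    """Flawed handling: the address in the message is applied to whichever party the
    message names, so a seller can overwrite the buyer's fallback address."""
    target = trade.buyer if msg["party"] == "buyer" else trade.seller
    target.fallback_address = msg["fallback_address"]


def apply_peer_message_hardened(trade: Trade, sender: Party, msg: dict) -> None:
    """Hardened handling: a peer may only set its own fallback address."""
    target = trade.buyer if msg["party"] == "buyer" else trade.seller
    if target is not sender:
        raise ValueError(f"{sender.name} may not set {target.name}'s fallback address")
    target.fallback_address = msg["fallback_address"]


def settle_timeout(trade: Trade) -> dict:
    """On timeout, each side's payment and deposit go to that side's fallback address."""
    payouts: dict = {}
    for addr, amount in (
        (trade.buyer.fallback_address, trade.buyer_payment + trade.buyer_deposit),
        (trade.seller.fallback_address, trade.seller_deposit),
    ):
        payouts[addr] = round(payouts.get(addr, 0.0) + amount, 8)
    return payouts


def run_scenario(handler) -> dict:
    """Constructed scenario: the seller tries to point the buyer's fallback at itself."""
    buyer = Party("buyer", "buyer-addr")
    seller = Party("seller", "seller-addr")
    trade = Trade(buyer, seller, buyer_payment=1.0, buyer_deposit=0.1, seller_deposit=0.1)
    msg = {"party": "buyer", "fallback_address": "seller-addr"}  # constructed message
    try:
        handler(trade, seller, msg)
    except ValueError:
        pass  # hardened handler rejects the message; trade state is unchanged
    return settle_timeout(trade)
```

With the flawed handler the whole buyer side (payment plus deposit) is paid out to the seller's address on timeout; with the check in place the buyer's funds return to the buyer.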

Bisq launched on testnet at the end of 2018, structured as a decentralized autonomous organization (DAO). It works much like other DEXs, but users can trade anonymously because there are no registration or authentication requirements.

Because the platform runs on a distributed network, each user effectively acts as a node. Although Bisq developers suspended trading for several hours, the decentralized nature of the exchange means users could override the suspension if they wished. In most exchange attacks, the attacker can be permanently banned from the trading platform.

This does not apply to Bisq. One of the DEX's developers said that although the bug had been fixed, nothing could prevent the attacker, whose identity is unknown, from returning and trading on the platform again. "Anyone can use Bisq, there is no censorship," said the developer. "Just like anyone can use bitcoin, there is no way to exclude anyone."
