Flaw in Trading
On Tuesday, crypto exchange Bisq disabled its trading feature, citing what it called a “critical security vulnerability”. At the time of suspension of its operations, the exchange did not give any details. Only nearly 18 hours after its decision to stop trading, did it inform its users on the reasons behind the drastic step taken. According to the exchange, it had stopped the trading activities after it discovered that a hacker was exploiting a flaw within the platform’s software to siphon off cryptocurrencies from other users,
About 24 hours ago, we discovered that an attacker was able to exploit a flaw in the Bisq trade protocol, targeting individual trades in order to steal trading capital. We are aware of approximately 3 BTC and 4,000 XMR stolen from 7 different victims. This is the situation as we know it so far.
At the time of the Bisq claim, the values of the stolen assets was roughly USD 22,000 for BTC and USD 230,000 for XMR.
How the Hack Happened
Bisq is a decentralized crypto exchange, which uses blockchain itself and smart contracts to let traders make deals without the need of the exchange to act as an intermediary. Bisq had recently upgraded its trading system in order bring in more decentralization and remove third party escrow services. The hacker exploited this trustless system in a unique way in order to get hold of the assets. The hacker was able to change the default wallet address for returning assets of its victims during a trade. The hacker would pose as a seller and initiate an exchange. The smart contract used by Bisq come with a timer, where a trade is cancelled and assets returned to the buyer if the seller does not deposit on the other end.
The hacker would initiate a trade and then did not deposit his/her end of the bargain. After the time would end, the return protocol would be initiated and instead of the buyer getting his or her coins back, they would be sent to the one the hacker had set.
Bisq is a Decentralized EXchange (DEX) that works more or less like a Decentralized Autonomous Organization (DAO). Users trade anonymously and since there is no way to censor any operations, traders had the option to override the suspension of trading and continue working.
Bisq is a totally decentralized exchange which prides itself on anonymity. Anyone can use the exchange without the need to register or any Anti Money Laundering (AML) or Know Your Customer (KYC) checks. This has made the tracing of the hacker near to impossible.