The decentralized exchange (DEX) Bisq sounded the alarm last night after an attacker exploited a software flaw to steal over $250,000 in cryptocurrency from its users.
A flaw introduced by the latest update
Bisq, which lets users trade cryptocurrencies anonymously, abruptly halted trading on Tuesday after discovering "a critical security vulnerability".
At the time, the exchange released no details on the nature of the flaw or on whether users' funds were safe. But 18 hours after halting trading, Bisq said it had taken this "unprecedented" step after finding that an attacker was exploiting a flaw in the software to steal funds from other users.
"About 24 hours ago, we discovered that an attacker was able to exploit a flaw in the Bisq trade protocol, targeting individual trades in order to steal trade capital.
We are aware of approximately 3 BTC and 4,000 XMR stolen from 7 different victims. This is the situation as we know it so far," Bisq said in a statement. At the time, the stolen funds were worth roughly $22,000 in bitcoin (BTC) and $230,000 in monero (XMR).
To carry out the thefts, the attacker was able to set the fallback address on trades with other users, that is, the destination to which the funds held in a trade are sent if the trade fails.
Posing as the seller, the attacker opened a trade with a buyer and simply waited for the trade window to expire. The escrowed funds, including the buyer's payment and the security deposit, were then paid out to the attacker.
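To make the failure mode concrete, here is an added toy model of an escrow trade with a time-out payout. It is an illustration written for this article, not Bisq code, and it abstracts away the real protocol: the addresses, amounts and the fixed protocol-level fallback address are all constructed placeholders. It contrasts a buyer client that accepts whatever fallback address the counterparty proposes with one that refuses any trade whose fallback destination is not the protocol-defined one (a generic mitigation; the article does not describe the actual fix).

```python
"""Toy escrow trade with a time-out fallback payout (added illustration, not Bisq code).

Amounts are in satoshis (integers) to avoid floating-point rounding.
"""
from dataclasses import dataclass, field

# Assumption: the protocol designates one fallback destination that every
# client knows and can verify independently. Placeholder value.
PROTOCOL_FALLBACK_ADDR = "protocol-fallback-address"


@dataclass
class Trade:
    seller_addr: str
    buyer_addr: str
    trade_amount: int        # buyer's payment held in escrow
    seller_deposit: int      # seller's security deposit
    buyer_deposit: int       # buyer's security deposit
    fallback_addr: str       # where escrow goes if the trade times out
    completed: bool = False
    ledger: dict = field(default_factory=dict)  # addr -> sats received

    def escrow_total(self) -> int:
        return self.trade_amount + self.seller_deposit + self.buyer_deposit

    def _pay(self, addr: str, amount: int) -> None:
        self.ledger[addr] = self.ledger.get(addr, 0) + amount

    def settle_on_timeout(self) -> dict:
        """Trade window expired without completion: everything in escrow
        is paid to the fallback address, whoever controls it."""
        if not self.completed:
            self._pay(self.fallback_addr, self.escrow_total())
        return self.ledger


def propose_trade(seller_addr: str, buyer_addr: str, trade_amount: int,
                  deposit: int, fallback_addr: str) -> Trade:
    """The seller builds the trade offer, including the fallback address."""
    return Trade(seller_addr, buyer_addr, trade_amount, deposit, deposit,
                 fallback_addr)


def accept_unchecked(trade: Trade) -> Trade:
    """Vulnerable buyer client: trusts the proposed fallback address."""
    return trade


def accept_checked(trade: Trade) -> Trade:
    """Hardened buyer client: refuses to fund a trade whose time-out
    destination is not the protocol-defined fallback address."""
    if trade.fallback_addr != PROTOCOL_FALLBACK_ADDR:
        raise ValueError("fallback address is not the protocol-defined one")
    return trade


def run_attack(accept) -> dict:
    """Attacker acts as seller, names its own address as the fallback,
    then never completes the trade and simply waits for the time-out."""
    attacker, victim = "attacker-address", "victim-address"   # constructed
    proposal = propose_trade(attacker, victim, trade_amount=1_000_000,
                             deposit=150_000, fallback_addr=attacker)
    try:
        trade = accept(proposal)
    except ValueError as err:
        return {"rejected": str(err)}
    return trade.settle_on_timeout()


if __name__ == "__main__":
    print("unchecked client:", run_attack(accept_unchecked))
    print("checked client:  ", run_attack(accept_checked))
```

With the unchecked client the attacker's address ends up holding the buyer's payment plus both deposits without the attacker ever delivering anything; the checked client never funds the trade in the first place.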
The flaw was introduced by a recent update to the trade protocol, designed to improve decentralization and remove trusted third parties from the platform.
Bisq fixed the flaw within hours
Bisq managed to fix the flaw within a few hours and trading resumed. Bisq was released on testnet in late 2018 as an exchange structured as a decentralized autonomous organization (DAO).
It works much like other DEXs, but users can trade anonymously, as there are no registration or identity verification requirements. Since the platform runs on a distributed network, each user effectively acts as a node.
Although the Bisq developers suspended trading for several hours, the decentralized nature of the exchange means users could ignore the suspension if they wished. In most exchange hacks, the attacker can be banned from the platform for good.
That is not the case with Bisq. A developer associated with the DEX said that although the flaw had been fixed, nothing could stop the attacker, whose identity cannot be known, from coming back and trading on the platform again. "Anyone can use Bisq, there is no censorship," the developer said. "Just like anyone can use bitcoin, there is no way to exclude anyone."