Bisq Suffers $250K Worth of Crypto Losses after Theft By Hacker
A remarkable software flaw in the Decentralized exchange (DEX) Bisq allowed a hacker to steal cryptocurrency worth over $250k from users. The exchange promptly stopped trading yesterday night upon discovering the critical security risk.
Bisq hasn’t mentioned the specific flaw and is yet to ascertain the safety of users’ funds. The exchange phrases the action taking with regards to the theft as unprecedented.
The exchange states that the hacker made away with 3 Bitcoins and 4,000 Monero (XMR) from 7 different users. The Bitcoins are worth $22k while the XMR is worth $230k, as at the time of writing, placing the total value at over $250k.
How and Why The Bisq Hack Was Possible
During the hack, the user’s default fallback address was set to receive cryptocurrency in the event of trade failure. The hacker then poses as a seller, commences a trade with a victim, and waits for the lapsing of the time limit. The cryptos go to the attacker instead of the coin owner once time runs out. They even come together with the payment and security deposit of the buyer.
The 2020 Q1 update to the exchange’s trading protocol provided this loophole exploited by the hacker. The update aimed to enhance decentralization and eliminate trusted third parties present in the platform. The flaw was fixed by noon (UTC) on the 8th of April before the exchange informed users of trade resumption.
Bisq’s launched at the end of 2018 works like any other DEXs. However, it allows anonymous trading since users lack the need to register or verify their identity. Each user functions as a node thanks to the platform’s distributed network. Such is the nature of its decentralization that users can override the suspension if they wished to.