Hacker stole $250K from decentralized Bitcoin exchange Bisq

Cryptocurrency exchange Bisq stopped trading activities due to a cyberattack, crooks have stolen $250,000 worth of virtual currency from the company.

The decentralized exchange (DEX) Bisq rang stopped trading activities late Tuesday night after it uncovered a critical security vulnerability that was exploited by a hacker to steal more than $250,000 worth of cryptocurrency from users.

“Bisq developers are currently investigating a critical security vulnerability, and the alert key has been used to temporarily disable trading.” reported the decentralized exchange. “A hotfix release will be published within a few hours.”

The hacker has stolen roughly $22,000 worth of bitcoin (BTC) and $230,000 worth of monero (XMR).

“About 24 hours ago, we discovered that an attacker was able to exploit a flaw in the Bisq trade protocol, targeting individual trades in order to steal trading capital. We are aware of approximately 3 BTC and 4,000 XMR stolen from 7 different victims. This is the situation as we know it so far,” Bisq said in a statement to CoinDesk.

The issue was caused by a recent update to the network that introduced a security flaw that allowed attackers to manipulate fallback addresses.

A default fallback address is the address of the walled used as a destination in the transaction in the case of trade fails.

The hacker set other users’ default fallback address, posing as a seller they would start a trade with a buyer and wait for the time limit to run out. In this scenario, the funds are transferred to the attacker address along with the buyer’s payment and security deposit too.

Bisq has solved the issue by 12:00 UTC Wednesday and resumed trading, but some users continue to report the failure of trades and the disappearance of funds.

“In most cases of an exchange hack, the attacker can be booted off the trading platform for good. Not so with Bisq. One of the DEX’s associated developers told CoinDesk that although the flaw was fixed, there was nothing to prevent the attacker – whose identity cannot be known – from accessing and trading on the platform again.” concludes CoinDesk.

“Anyone can use Bisq, there is no censorship,” the developer said. “Just like anyone can use bitcoin, there is no way to ban someone from bitcoin.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Bisq exchange, Coronavirus)

[adrotate banner=”5″]

[adrotate banner=”13″]