Bisq, a Bitcoin-based decentralized exchange popular among some traders for its support of the privacy cryptocurrency Monero (XMR), just weathered a significant exploit.
On Wednesday, April 8th, Bisq contributor Steve Jain issued a statement notifying the public that a hacker had taken advantage of an acute “critical security vulnerability” in the DEX’s trade protocol and had used that flaw to steal a small trove of cryptocurrency from a handful of the exchange’s users.
The malicious agent responsible had seemingly been targeting Bisq traders for nearly two weeks, Jain said:
“About 24 hours ago, we discovered that an attacker was able to exploit a flaw in the Bisq trade protocol, targeting individual trades in order to steal trading capital. We are aware of approximately 3 BTC and 4,000 XMR stolen from 7 different victims. This is the situation as we know it so far. The only market affected was the XMR/BTC market, and all affected trades occurred over the past 12 days.”
Upon discovering on April 7th that the attacks were occurring, the exchange’s developers released an alert asking the community to temporarily suspend trading on the DEX. Work on a permanent fix for the underlying flaw began immediately and culminated in the release of the updated Bisq v1.3.0 a day later.
“The project is evaluating several approaches to strengthening security reviews and practices even more, and will detail them soon,” Jain added.
Understanding the Attack Vector
To steal crypto from their targeted victims, the Bisq attacker found a way to inject their own address as these users’ return address, i.e., the wallet address to which funds are returned if a peer-to-peer Bisq trade is unsuccessful.
Accordingly, the attacker posed as a seller — then, when a buyer engaged, the attacker would substitute their own address for the buyer’s return address, allow the trade to fail, and collect the refund of the buyer’s purchase sum.
“In plain words, this exploit was the result of a flaw in the way Bisq trades are carried out, not in the way funds are stored (i.e., there is no honeypot since Bisq is P2P),” Jain noted.
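To make the trade-protocol flaw described above concrete from a defender's point of view, here is an added, deliberately simplified model; it is constructed for this article and is not Bisq's code or its actual protocol. It assumes a hypothetical message-driven trade where each side's refund address is recorded in the trade state. The vulnerable path lets any trade message set either party's refund address; the hardened path binds each refund field to the party that owns it, checks that the value belongs to that party's own wallet, and refuses later changes. Wallet names and addresses are made-up labels.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample wallets (hypothetical; labels, not real Bitcoin addresses).
WALLETS: Dict[str, Set[str]] = {
    "buyer": {"buyer-addr-1", "buyer-addr-2"},
    "seller": {"seller-addr-1"},
}

# Ownership rule enforced by the hardened path: which party may set which field.
FIELD_OWNER = {"buyer_refund_addr": "buyer", "seller_refund_addr": "seller"}


@dataclass
class TradeMsg:
    sender: str            # party name of the peer that sent the message
    fields: Dict[str, str]  # refund-address fields the message tries to set


@dataclass
class Trade:
    buyer: str
    seller: str
    buyer_deposit_btc: float
    refund: Dict[str, str] = field(default_factory=dict)


def apply_msg_vulnerable(trade: Trade, msg: TradeMsg) -> None:
    """Flawed: trusts the peer's message for the *other* party's refund address."""
    trade.refund.update(msg.fields)


def apply_msg_hardened(trade: Trade, msg: TradeMsg) -> None:
    """Only the owning party may set its refund address, the value must come from
    that party's own wallet, and a bound address can never be changed later."""
    for name, value in msg.fields.items():
        owner = FIELD_OWNER.get(name)
        if owner is None:
            raise ValueError(f"unknown field {name!r}")
        party = trade.buyer if owner == "buyer" else trade.seller
        if msg.sender != party:
            raise ValueError(f"{msg.sender} may not set {name}")
        if value not in WALLETS[party]:
            raise ValueError(f"{value} is not an address in {party}'s wallet")
        if name in trade.refund and trade.refund[name] != value:
            raise ValueError(f"{name} is already bound and cannot be changed")
        trade.refund[name] = value


def refund_failed_trade(trade: Trade) -> Dict[str, float]:
    """The trade failed: the buyer's deposit is paid to the recorded refund address."""
    return {trade.refund["buyer_refund_addr"]: trade.buyer_deposit_btc}


def run_scenario(apply) -> Dict[str, object]:
    """Replay the article's pattern: the buyer binds a refund address, then the
    counterparty sends a message that tries to overwrite it with its own address."""
    trade = Trade(buyer="buyer", seller="seller", buyer_deposit_btc=0.5)
    apply(trade, TradeMsg("buyer", {"buyer_refund_addr": "buyer-addr-1"}))
    rejected: Optional[str] = None
    try:
        apply(trade, TradeMsg("seller", {"buyer_refund_addr": "attacker-addr"}))
    except ValueError as exc:
        rejected = str(exc)
    return {"payout": refund_failed_trade(trade), "rejected": rejected}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(apply_msg_vulnerable))
    print("hardened:  ", run_scenario(apply_msg_hardened))
```

With the vulnerable path the failed trade's deposit is refunded to the attacker-supplied address; with the hardened path the overwrite is rejected and the deposit returns to the buyer's own wallet. The general lesson is that a refund or payout destination for one party should never be read from the counterparty's messages, and should be validated against that party's wallet before it is committed to the trade.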
Making the Victims Whole
By the time the Bisq team had become aware of the attacks, the BTC and XMR the attacker made off with were worth roughly $250,000. The good news is that only 7 Bisq traders were affected by the exploit, though that’s hardly any consolation to the victims — or their digital wallets, frankly.
What is surely some consolation to those traders, though, is that the Bisq DAO (for “decentralized autonomous organization”) is soon set to vote on compensating them for their crypto losses.
“A proposal will soon be created in the Bisq DAO, Bisq’s funding mechanism, that will aim to repay the 7 victims from future trading revenues,” Jain said.
DAOs are typically associated with the Ethereum community, where the novel organizations have exploded in number over the last year, but Bisq is the most high-profile Bitcoin-based DAO. In these community-run organizations, stakeholders manage projects and vote on their future roadmaps together.
Thus it will ultimately fall to Bisq’s voters to decide whether to make the attacker’s victims whole, though it seems likely that they will choose compensation in order to preserve Bisq’s reputation and the community’s goodwill.
The entire episode is obviously a difficult one for the Bisq project, but it does provide an early case study for the wider cryptoeconomy in how a DAO can respond to a crisis.
Even though the specific flaw that led to this attack has now been patched, it will be interesting to see how the Bisq DAO continues to harden its project going forward.