The decentralized exchange (DEX) Bisq rang stopped trading activities late Tuesday night after it uncovered a critical security vulnerability that was exploited by a hacker to steal more than $250,000 worth of
“Bisq developers are currently investigating a critical security vulnerability, and the alert key has been used to temporarily disable trading.” reported the decentralized exchange. “A hotfix release will be published within a few hours.”
“About 24 hours ago, we discovered that an attacker was able to exploit a flaw in the
The issue was caused by a recent update to the network that introduced a security flaw that allowed attackers to manipulate fallback addresses.
A default fallback address is the address of the walled used as a destination in the transaction in the case of trade fails.
The hacker set other users’ default fallback address, posing as a seller they would start a trade with a buyer and wait for the time limit to run out. In this scenario, the funds are transferred to the attacker address along with the buyer’s payment and security deposit too.
“In most cases of an exchange hack, the attacker can be booted off the trading platform for good. Not so with Bisq. One of the DEX’s associated developers told CoinDesk that although the flaw was fixed, there was nothing to prevent the attacker – whose identity cannot be known – from accessing and trading on the platform again.” concludes CoinDesk.
“Anyone can use Bisq, there is no censorship,” the developer said. “Just like anyone can use bitcoin, there is no way to ban someone from bitcoin.”