On Tuesday, decentralized cryptocurrency exchange Bisq announced that it had been hacked. Roughly $250,000 worth of Bitcoin (BTC) and Monero (XMR) were stolen. The exchange has since issued a fix along with a promise to fully refund the victims.
Bisq first alerted users to the problem in a tweet. It also abruptly halted all trading on the platform. In a statement on its website Wednesday, Bisq explained that a hacker had exploited a flaw in the Bisq trading protocol, targeting individual trades to steal funds.
“We are aware of approximately 3 BTC and 4000 XMR stolen from 7 different victims,” the company said. “The only market affected was the XMR/BTC market, and all affected trades occurred over the past 12 days.”
Bisq, a peer-to-peer application that launched four years ago, allows users to buy and sell cryptocurrencies directly with each other in exchange for fiat currencies via a desktop client. The platform has no KYC checks, so users are able to remain private.
Because it is a decentralized exchange, Bisq doesn’t store funds on a server or in a hot wallet connected directly to the internet, so, unlike at centralized exchanges, there was no “honeypot” to siphon.
“Affected users were those involved in active trades only,” Bisq said in a Twitter thread.
How the hack happened
To take advantage of a vulnerability in the system, the attacker posed as a user on the platform who was selling BTC, the company said.
Normally, Bisq requires sellers to lock any BTC being sold in a multisig escrow along with a security deposit.