Bitcoin Forum
Author Topic: Hacking Bisq  (Read 232 times)
Lion_King_ (OP), Newbie
April 08, 2020, 02:35:24 PM
Merited by 20kevin20 (1)
#1

What is known about the Bisq hack? I know that they stole more than $250,000, and that to do this they changed the address used in the event of a dispute between users of the platform.
seoincorporation, Legendary
April 08, 2020, 02:45:43 PM
#2

Quote
What is known about the Bisq hack? I know that they stole more than $250,000, and that to do this they changed the address used in the event of a dispute between users of the platform.

The full news is on CoinDesk; I will leave the link here for the people who are interested in this topic:

https://www.coindesk.com/hacker-exploits-flaw-in-decentralized-exchange-bisq-to-steal-250k

The crazy fact about this is the value of the exchange on CoinMarketCap: now it's only a 3 BTC business. That's the way she goes.

https://coinmarketcap.com/exchanges/bisq/

20kevin20, Legendary
April 08, 2020, 02:50:12 PM
#3

According to CoinDesk's article, the exploiters were able to set the return address in case a transaction fails as their own. That let them steal the funds, because once the transaction failed (only the buyer initiated the tx and the exploiter waited for it to expire), everything returned back right into the hacker's wallet.

What's scary is that this is a DEX. It means it can happen to any of us and, unlike some centralized exchange hacks, you can't really do much about it. The hacker could continue exploiting it without having a single fear.

Will give you a Merit because I just wanted to use Bisq and I had no idea this thing even happened. So you might've just saved my funds. :)



Quote
The crazy fact about this is the value of the exchange on CoinMarketCap: now it's only a 3 BTC business. That's the way she goes.

Decentralized exchanges are a better target for hackers and exploiters although their liquidity and volume are way smaller. There's no server and you can leave absolutely no trace behind you. It lowers the risks significantly for the hackers.
Ucy, Sr. Member
April 08, 2020, 04:48:12 PM
#4

Quote
the Bisq software did not verify that this donation address was the correct one before signing & publishing the time-locked payout transaction.


Looks like the above statement is one of their major mistakes. They should have thoroughly audited the software before releasing it for serious transactions. That is a serious security flaw that shouldn't have been missed.
Besides, I wonder how the hacker was able to change the default fallback address mentioned in the article just like that.
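As an added illustration of the check the quoted sentence says was missing (this is example code written for this thread, not Bisq's own code), here is a wallet side that co-signs a peer's proposed time-locked payout only after confirming the single output pays the trusted donation address, stays within the deposit value, and respects the timelock. The address, amounts and block heights are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed placeholder: the only address the delayed payout may pay to.
# A real client hard-codes this value; it must never come from the trading peer.
TRUSTED_DONATION_ADDRESS = "bc1q-trusted-donation-placeholder"
MAX_FEE_SAT = 20_000  # constructed tolerance for the mining fee taken from the deposit


@dataclass(frozen=True)
class TxOutput:
    address: str
    amount_sat: int


@dataclass(frozen=True)
class PayoutProposal:
    """A peer's proposed time-locked payout for a trade that ends unresolved."""
    outputs: Tuple[TxOutput, ...]
    lock_time: int    # block height at which the payout becomes mineable
    deposit_sat: int  # value locked in the trade deposit


def sign_payout_unchecked(proposal: PayoutProposal) -> bool:
    """'Before' behaviour: co-sign whatever the peer proposes, trusting its address."""
    return True


def validate_payout(proposal: PayoutProposal, current_height: int,
                    min_lock_blocks: int) -> List[str]:
    """Return the reasons the proposal must not be signed (empty list means OK)."""
    problems: List[str] = []
    if len(proposal.outputs) != 1:
        problems.append("payout must have exactly one output")
    else:
        out = proposal.outputs[0]
        if out.address != TRUSTED_DONATION_ADDRESS:
            problems.append(f"payout address {out.address!r} is not the trusted donation address")
        if out.amount_sat > proposal.deposit_sat:
            problems.append("payout amount exceeds the deposit")
        elif out.amount_sat < proposal.deposit_sat - MAX_FEE_SAT:
            problems.append("payout amount is below deposit minus fee tolerance")
    if proposal.lock_time < current_height + min_lock_blocks:
        problems.append("timelock is too short")
    return problems


def sign_payout_checked(proposal: PayoutProposal, current_height: int,
                        min_lock_blocks: int = 10) -> bool:
    """'After' behaviour: sign only when every check passes."""
    return validate_payout(proposal, current_height, min_lock_blocks) == []


# Constructed sample proposals, not real transactions.
HONEST = PayoutProposal((TxOutput(TRUSTED_DONATION_ADDRESS, 990_000),),
                        lock_time=650_020, deposit_sat=1_000_000)
REDIRECTED = PayoutProposal((TxOutput("bc1q-peer-chosen-placeholder", 990_000),),
                            lock_time=650_020, deposit_sat=1_000_000)

if __name__ == "__main__":
    for name, p in (("honest", HONEST), ("redirected", REDIRECTED)):
        print(name, "unchecked:", sign_payout_unchecked(p),
              "checked:", sign_payout_checked(p, 650_000))
```

The unchecked signer accepts both proposals; the checked one refuses the redirected payout and reports why, which is also the event a client should log for incident review.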
LeGaulois, Copper Member, Legendary
April 08, 2020, 08:18:40 PM
#5

Quote
Decentralized exchanges are a better target for hackers and exploiters although their liquidity and volume are way smaller. There's no server and you can leave absolutely no trace behind you. It lowers the risks significantly for the hackers.

This is the total opposite, simply because when you remove a middleman you also remove all the security risks that come with it. In a centralized exchange, the transactions are off-chain and it uses centralized hot wallets; if we take a DEX like Bisq for example, you also remove the server-side risks, reverse engineering and so many other points.

Security is the first and worst problem for centralized exchanges, and I can tell you a lot of them have flaws, hence why we see news every trimester announcing that the abcd website has been hacked.

figmentofmyass, Legendary
April 08, 2020, 09:28:46 PM
#6

Quote
The full news is on CoinDesk; I will leave the link here for the people who are interested in this topic:

https://www.coindesk.com/hacker-exploits-flaw-in-decentralized-exchange-bisq-to-steal-250k

thanks for the link.

i guess this is the big worry with decentralized exchanges---that there is a vulnerability in the underlying software or smart contracts that thieves can exploit. bisq is still a big step up from etherdelta-style exchanges that rely on the DNS and centralized servers, but this is certainly an important threat to keep in mind.

gentlemand, Legendary
April 08, 2020, 11:46:27 PM
#7

Quote
Looks like the above statement is one of their major mistakes. They should have thoroughly audited the software before releasing it for serious transactions. That is a serious security flaw that shouldn't have been missed.

Holes are uncovered in software put together by the most competent teams in the world, sometimes after years of pain-free use. I can't imagine Bisq's team is a big one or has a vast amount of time and money.

Somewhere out there is always someone looking to go up against your skills and a lot of times they'll succeed.
20kevin20, Legendary
April 10, 2020, 10:37:06 AM
#8

Quote
This is the total opposite, simply because when you remove a middleman you also remove all the security risks that come with it. In a centralized exchange, the transactions are off-chain and it uses centralized hot wallets; if we take a DEX like Bisq for example, you also remove the server-side risks, reverse engineering and so many other points.

Security is the first and worst problem for centralized exchanges, and I can tell you a lot of them have flaws, hence why we see news every trimester announcing that the abcd website has been hacked.

Well, I did not imply that a centralized exchange is better! I haven't used one in so long. I meant that decentralized ones are better targets because if you get to exploit one, there are smaller chances the hacker/exploiter would get caught, especially because there is no middleman anymore and no central server. Besides this, I'm all in for DEXs obviously.
figmentofmyass, Legendary
April 10, 2020, 11:40:49 AM
Merited by gentlemand (1), o_e_l_e_o (1)
#9

Quote
This is the total opposite, simply because when you remove a middleman you also remove all the security risks that come with it. In a centralized exchange, the transactions are off-chain and it uses centralized hot wallets; if we take a DEX like Bisq for example, you also remove the server-side risks, reverse engineering and so many other points.

but is the code vulnerable to exploitation? this issue really isn't much different than hot wallet vulnerabilities at custodial exchanges.

how many bisq users do you think are not only analyzing its code, but are capable of recognizing critical vulnerabilities? 0.001% of users? and that's a generous estimate. this creates a situation where users are trusting bisq's developers, just like they trust centralized exchanges to secure their coins.

almost every "DEX" has been exploited/hacked in some way by now, causing users to lose funds. it's probably appropriate to say all exchanges pose significant security risks to users, whether they are custodial or not. the primary advantage of using bisq isn't security---it's avoiding KYC.

o_e_l_e_o, In memoriam, Legendary
April 12, 2020, 12:55:33 AM
#10

Quote
this creates a situation where users are trusting bisq's developers, just like they trust centralized exchanges to secure their coins.
The same could be said of almost everything we use. Lots of people recommend using open source wallets such as Electrum, and for good reason. How do we know there isn't an as-yet undiscovered critical vulnerability in the Electrum code? How many people are capable of analyzing the code, and of that small minority, how many actually read through every line? Despite being open source, attackers were still able to exploit Electrum to display arbitrary messages and cause many users to download a fake version. How do we know there isn't a vulnerability in any other wallet, or a hardware wallet, or in Bitcoin Core, such as the critical inflation vulnerability which was patched in 0.16.3?

A decentralized exchange does provide some security benefits in that you do not have to deposit your coins into their custodial wallets, but just because it is decentralized and open source doesn't mean it is immune from vulnerabilities. At the end of the day, a vulnerability was discovered, has been patched, and BISQ is more secure for it. I'm still far happier using BISQ than I am using any centralized exchange.
hugeblack, Legendary
April 12, 2020, 03:55:55 PM
#11

Can this act be considered as hacking or as misuse of an error/security vulnerability? The hacker exploited a security vulnerability in the system but did not directly hack and withdraw the depositors' money, meaning that you have to risk making a big deal with him/her to lose your money, and not all the money.

In general, trust in centralized platforms is still better because, simply, we are still experiencing problems tracking hacked coins.

The Golden Rule: Don't do deals with huge sums.

buwaytress, Legendary
April 13, 2020, 12:44:55 PM
Merited by o_e_l_e_o (1)
#12

The flaws pointed out in Bisq (or any other dex for that matter) may well be true, but I hardly think that centralised exchanges are any better. As pointed out above:

1. At least with DEX, you remove several points of vulnerability. With CEXs, you have additional worries of integrity of staff, who could steal from the company, or sell your personal data, or look at your funds. Or even give your info or hand over your funds, freeze your accounts, to your state revenue body. All this has happened before with CEXs.
2. Small team at Bisq volunteering their time to code and debug. All small software teams start out like this and only when the community gets bigger and helps find bugs do these occurrences get less frequent. Hackers will keep finding exploits. Even on open source, good software like Electrum, but the bugs are quickly fixed, and these guys tend to be more transparent about it. Does anyone still really know or understand what happened with high profile hacks at say, Mt Gox? Or Binance? Forget it.

old fart, Member
April 14, 2020, 11:32:50 AM
#13

How come a decentralised exchange got hacked?
Does it mean it is just decentralised on paper?

gentlemand, Legendary
April 14, 2020, 11:36:18 AM
#14

Quote
How come a decentralised exchange got hacked?
Does it mean it is just decentralised on paper?

Someone still has to develop software. Users have to run that software to use the service. That's where a hacker can inveigle their way in. Decentralised does not in any way mean hack proof.
o_e_l_e_o, In memoriam, Legendary
April 14, 2020, 12:31:03 PM
#15

Quote
How come a decentralised exchange got hacked?
It wasn't a "hack" in the same way that centralized exchanges get hacked. No one broke into any servers, or bypassed any security, or stole any login details, or compromised any accounts. What happened instead was that an attacker took advantage of a bug in the code that no one else had picked up on yet to redirect expired trades to his own wallet.

As has been discussed above, every open source and decentralized project, even bitcoin itself, is subject to bugs and vulnerabilities which haven't been picked up by the community and are exploited by malicious parties.
LeGaulois, Copper Member, Legendary
April 14, 2020, 02:20:05 PM
#16

Just a reminder for folks who don't know how secure their 'preferred platform' to trade is, or who think centralized platforms are better because they are more secure... the majority of them have a low level of security.
Seeing the number of CEXs hacked and the millions that disappeared, DEXs are very far from reaching this level. DEXs are also hacked, but people are less likely to leave their coins on them.

Quote
out of the 140 exchanges we analyzed less than 40% of them are using headers like the Strict-Transport-Security header or the X-XSS-Protection header. 20% expose server information which isn’t a security vulnerability in itself but that clearly shows the low level of security best practices implemented. And 26% of them use frontend libraries with known vulnerabilities. Only 2% implemented a Content-Security-Policy that, if done well, can offer powerful protection against clickjacking or XSS


khaled0111, Legendary
April 14, 2020, 08:00:17 PM
#17

As pointed out above, any trading platform is subject to hacks, no matter whether it is centralized or decentralized.

The good thing is that, despite the low trade volume on their platform, the Bisq team announced that they will compensate the 7 victims from future revenues.
