[2020-04-09] Hacker Exploits Flaw in Decentralized Exchange Bisq

[bbc.reporter]

A small commentary.

This is the type of power decentralization a real dex gives everyone as an equalizer. This is also what the people sitting on the very top do not want you to know. They want to have all this power only for themselves under the present system.



In most cases of an exchange hack, the attacker can be booted off the trading platform for good. Not so with Bisq. One of the DEX's associated developers told CoinDesk that although the flaw was fixed, there was nothing to prevent the attacker – whose identity cannot be known – from accessing and trading on the platform again.

"Anyone can use Bisq, there is no censorship," the developer said. "Just like anyone can use bitcoin, there is no way to ban someone from bitcoin."

Read in full https://www.coindesk.com/hacker-exploits-flaw-in-decentralized-exchange-bisq-to-steal-250k

[hv_]

A small commentary.

This is the type of power decentralization a real dex gives everyone as an equalizer. This is also what the people sitting on the very top do not want you to know. They want to have all this power only for themselves under the present system.



In most cases of an exchange hack, the attacker can be booted off the trading platform for good. Not so with Bisq. One of the DEX's associated developers told CoinDesk that although the flaw was fixed, there was nothing to prevent the attacker – whose identity cannot be known – from accessing and trading on the platform again.

"Anyone can use Bisq, there is no censorship," the developer said. "Just like anyone can use bitcoin, there is no way to ban someone from bitcoin."

Read in full https://www.coindesk.com/hacker-exploits-flaw-in-decentralized-exchange-bisq-to-steal-250k

Decentral exchanges are classified as mixers -> high risk!

Dont get average Joe to put his clean coins into for sake of criminals washing their shit!

[Darker45]

And all this time, centralized exchanges are heavily criticized for being such, for requiring KYC, for handling people's money and personal identities, for falling prey to hackers, and so on. Time and time again, we are reminded not to leave our cryptocurrencies in these exchange wallets because it is not safe. It turns out even decentralized exchanges are no better. Hackers are targeting both.

By the way, are these hacks limited to IOC (Immediate Or Cance) or FOK (Fill or Kill) orders? Because the attackers are waiting for the time limit to run out.

[cryptomaniac_xxx]

Yes, there could be no censorship, but it doesn't mean that it is pseudo anonymous per se, they can still link your bisq transaction and not good for privacy.

@ hv_  - I wouldn't categorically say that Bisq is a mixer though, but your coins can be flagged by centralised exchanges if you tried to deposit to them because of "Bisq fingerprint".

[stompix]

Bisq, which allows users to exchange crypto anonymously, abruptly disabled trading late Tuesday night after it uncovered "a critical security vulnerability."

I love those so-called decentralized exchanges...
Everything is decentralized, but they have a kill switch, they can modify the code when they see fit and most important, they have control over the trades, otherwise, this wouldn't have happened...

To carry out the thefts, the attacker was able to set other users' default fallback address – the destination to which crypto is sent to if a trade fails – to their own.

If this is being decentralized then even a hypermarket is decentralized, you can go and buy one brand of milk or another at what prices the brand sees fit, it doesn't matter that the store is in charge of the transactions, refund and that it can shut down everything, is decentralized because...they advertise it like that.

And nothing in the article or on their channel about the money lost...

[cryptomaniac_xxx]

Here is Bisq official statement:

TLDR of the critical security vulnerability.

Affected users were those involved in active trades only.

The flaw had to do with the way Bisq trades are carried out, not in the way funds are stored.

https://twitter.com/bisq_network/status/1247898001915297801

Release a fix in v1.3.1

https://github.com/bisq-network/bisq/releases/tag/v1.3.1

[davis196]

In the current cryptocurrency industry "decentralized exchange" is a buzz term.Everyone thinks this is cool and innovative and this has to be the FUTURE of cryptocurrency trading,yet there's no good example of a successful dex platform.Many scammers would use that term to create scam projects and manipulate the newbies into investing coins in their "decentralized exchanges".
I've never heard about Bisq,so I guess that their source code and security are far beyond perfect.

[Lucius]

What is actually tragicomic is the fact that the hack happened due to an upgrade, which was obviously not checked before it was implemented. Such things should not happen to professionals who want to prove themselves in one very competitive world of cryptocurrency trading. No KYC is great for most people, but hacking and very poor liquidity are definitely not in favor of DEX.

The flaw in question came as part of a recent update to the trading protocol, which was designed to improve decentralization and remove trusted third parties from the platform.

And nothing in the article or on their channel about the money lost...

If you mean the amount of money stolen, this is stated in the article, ETFbitcoin is quoted that part, but what I was wondering is Bisq has any intention or ability to compensate the victims for the damage and this seems to be the case based on this statement :

A proposal will soon be created in the Bisq DAO, Bisq’s funding mechanism, that will aim to repay the 7 victims from future trading revenues.

[gentlemand]

What is actually tragicomic is the fact that the hack happened due to an upgrade, which was obviously not checked before it was implemented. Such things should not happen to professionals who want to prove themselves in one very competitive world of cryptocurrency trading. No KYC is great for most people, but hacking and very poor liquidity are definitely not in favor of DEX.

I've yet to see one remotely convincing and this is yet another one to slap upside the head.

I'd really want to see something properly on chain or in a core wallet and a fundamental part of the protocol before starting to feel confident about one. Even then I'm not sure enough people will ever be able to let go of having their hand held. But I'd rather know I was being watched from afar from the off rather than having it sprung on me like this.

[o_e_l_e_o]

Everything is decentralized, but they have a kill switch

It's not a kill switch. They used a function called the "alert key" which alerts all user and implements a "soft" disable of trading, but since it is peer-to-peer, users can choose to ignore and override this disable if they want.

they can modify the code when they see fit

Well, sure. They are the developers. The code is open source though. Don't like the changes? Don't download the update.

and most important, they have control over the trades

Can you elaborate? In what way do BISQ have control over trades?

And nothing in the article or on their channel about the money lost...

Statement here: https://bisq.network/statement-security-vulnerability-april-2020

They are releasing a proposal to refund the money lost via the BISQ DAO.

[bbc.reporter]

Decentral exchanges are classified as mixers -> high risk!

Dont get average Joe to put his clean coins into for sake of criminals washing their shit!

I reckon something similar can be said on centralized exchanges also. It appears that many of the bitcoins used in the darknet are sent to them for mixing? I hope they did not give personal information hehehe.



Source https://blog.chainalysis.com/reports/darknet-markets-cryptocurrency-2019

[gentlemand]

I reckon something similar can be said on centralized exchanges also. It appears that many of the bitcoins used in the darknet are sent to them for mixing? I hope they did not give personal information hehehe.

That analysis is mind blowing. I can't believe people are that stupid. Even if they think they got away with it there may be a day when they're retrospectively hammered up the bum.

I remember a thread somewhere about swapping Monero for BTC on Bisq. As soon as the person moved the BTC they received to a third party it was frozen cos it was nicked.

[Lucius]

Statement here: https://bisq.network/statement-security-vulnerability-april-2020
They are releasing a proposal to refund the money lost via the BISQ DAO.

I posted that same link and answer on stompix question, few hours before your post...


bbc.reporter, is it necessary that you quote OP since you posted it? Also, for members who have slow or limited internet, it is advisable to resize images for faster loading and saving data traffic.

Code:

[img width=250 height=250]https://bisq.network/images/bisq-og.jpg[/img]

I think the most important thing is that the victims will get their funds back, although it is not specified in what timeframe - the whole procedure depends on trading revenues.

[stompix]

Everything is decentralized, but they have a kill switch

It's not a kill switch. They used a function called the "alert key" which alerts all user and implements a "soft" disable of trading, but since it is peer-to-peer, users can choose to ignore and override this disable if they want.

I have a ....special  ...w10 on one of my laptops.
I have also disabled updates and a lot of other things, does that make w10 open-source ?  

and most important, they have control over the trades

Can you elaborate? In what way do BISQ have control over trades?

From the link you've posted:

With no more trusted third parties, the new trade protocol also required that trade parties move bitcoin trade funds to a Bisq “donation address” after a hard time limit in order to solve dead-locked trades.
This donation address is set by the Bisq DAO and approved by DAO stakeholders.

It doesn't smell like no control to me.

https://docs.bisq.network/user-dao-intro#ensure-honesty-in-high-trust-roles
Yeah, decentralization where if you have enough accounts and money you can buy centralization.
True decentralization is a utopia, just like socialism, it will work as long as there are no humans involved.

[hatshepsut93]

All these big hacks of decentralized systems that started with early Bitcoin bugs, then the DAO and now countless other protocols, they just show how immature the decentralized tech still is. Bitcoin is the most developed decentralized protocol out there, and there are still security bugs being found sometimes, so it's not surprising that systems like DEXs that emerged only a few years ago are getting problems like this one.

Centralized systems were being perfected for generation, and it will take decades for decentralized systems to get to their level.

[gentlemand]

Centralized systems were being perfected for generation, and it will take decades for decentralized systems to get to their level.

Centralised systems will always have whining, peer pressure and lawsuits to fall back on. That's why decentralisation for services is a lovely idea that most people will prefer to leave on the shelf.

The only place it'll fly is in services that can't operate any other way. If there's a centralised service the average customer will gravitate towards that out of instinct.

[hv_]

Centralized systems were being perfected for generation, and it will take decades for decentralized systems to get to their level.

Centralised systems will always have whining, peer pressure and lawsuits to fall back on. That's why decentralisation for services is a lovely idea that most people will prefer to leave on the shelf.

The only place it'll fly is in services that can't operate any other way. If there's a centralised service the average customer will gravitate towards that out of instinct.

Open PoW mining system are already decentralized enough, even better when no dev / central governance team is in power

... wait, the protocol was set in stone. When ?

[o_e_l_e_o]

As soon as the person moved the BTC they received to a third party it was frozen cos it was nicked.

Given the kind of ridiculously invasive questions big exchanges are asking as part of their KYC processes - where did your fiat/bitcoin come from, where is it going, what are you going to spend it on, what's your job, what's your income, etc. - using an exchange to "mix" coins, even if they don't require KYC, is just asking for your account to be frozen and your coins confiscated.

I have also disabled updates and a lot of other things, does that make w10 open-source ?

That is neither here nor there. The developers of BISQ did not, and are not able to, unilaterally shut it down or prevent users from trading, unlike centralized exchanges. They issued a warning, but users could continue to trade if they wanted to.

From the link you've posted:

They have a conflict resolution method. That's not the same as having complete control over the trades like a centralized exchange does.

[bbc.reporter]

@Lucius. I did not quote my own post. It was hv_. I quoted him with my post quoted, however. Edited hehehe.

@stompix. Bisq is closer to the definition of decentralized than the scam decentralized exchanges created on Ethereum. It was mentioned one of them would begin asking for KYC hehehe.

[buwaytress]

@Lucius. I did not quote my own post. It was hv_. I quoted him with my post quoted, however. Edited hehehe.

@stompix. Bisq is closer to the definition of decentralized than the scam decentralized exchanges created on Ethereum. It was mentioned one of them would begin asking for KYC hehehe.

I love anyone who tries to implement a DEX and anyone who knows Bisq or has spoken to them know that they've never claimed to be fully decentralised, but they endeavour to be more and more, as much as possible. I also have a special dislike for DEXs that aren't anything but non-custodial functions but the reality is, there is no such way right now to have a "purely decentralised" exchange, at least not in the beginning. Bisq is as close as it gets for me, without getting too far out of reach for non teccies.