Haveno rug pull (exit scam) possible with 2 bots

[OpenMonero]

Haveno arbiters can steal the entire liquidity from the retoswap order book. All you need is just 2 bots. Its crazy
Check out the article below to learn more about the Haveno exit scam scenario.
https://simplifiedprivacy.com/openmonero-interview-with-the-dev/compared-to-reto.html

A quote from the moderator of the Monero Forums, User: /u/monero_desk_support:

After some thoughts, I think you are right and that the arbitration system in Haveno doesn't prevent arbitrators from pulling the funds. They would need to create a bot that takes all the offers and automatically unlock the funds with the key of the taker and arbitrator (the attack would still need a good amount of xmr to fund every deposit, so for ex if they want to steal 1000xmr, they would need to provide about 250xmr, but they would have confidence in getting them back). It's a very possible scenario. Maybe it could be prevented by adding more arbitrators ? I need to check how the arbitrator is chosen exactly by the maker/taker.

Quote: /u/OpenMonero:

The Haveno network operators can steal much more if they invest 250 XMR, assuming the investment stays safe and comes back to the taker bots. Once the investment returns, the same taker bot can just do the same thing again. In theory, one taker bot with an amount of XMR equal to the highest maker security deposit could clear out the entire order book since its balance goes up with every completed trade. So, it’s really just a matter of time before the whole order book is wiped out. Even worse, if you’ve got multiple taker and arbiter bots working simultaneously, you could clear the whole order book in just a second. All you need.

The reason is that a shady arbiter bot backs the taker bot and will side with them in any disputes. Moreover, the arbiter bot can also hit all the market makers with penalties, taking away their 15% security deposits.

Just to point out, your example isn’t right because the security deposits from market makers are part of the pool too.

Check out my corrected examples below. If you invest 250 XMR, you could pull off a rug pull worth around half a million dollars, and unfortunately, the current liquidity (as of 22 Jan '25 23:00) makes it possible to steal nearly 900k.


EXAMPLE I
all maker offers: 1000 xmr (liquidity)
+ all maker security deposits: 150 xmr
+ all arbitration fees: 0 xmr
- all taker security deposits: 150 xmr (investment)
------------------------------------------
total: 1150 xmr x 233 usd = 267,950 usd (exit scam)


EXAMPLE II
all maker offers: 1,670 xmr (liquidity)
+ all maker security deposits: 250 xmr
+ all arbitration fees: 0 xmr
- all taker security deposits: 250 xmr (investment)
------------------------------------------
total: 1,920 xmr x 233 usd = 447,360 usd (exit scam)


EXAMPLE with data from https://haveno.markets/
all maker offers: 3,232 xmr (liquidity)
+ all maker security deposits: 484 xmr
+ all arbitration fees: 0 xmr
- all taker security deposits: 484 xmr (investment)
------------------------------------------
total: 3,716 xmr x 233 usd = 866,014 usd (exit scam)


NOTE: You don't really need to invest a lot to liquidate the entire order book and my examples are not necessary (unless you want to clear the order book in the first round) as the balance of each taker bot demonstrates substantial, logarithmic growth following each transaction. This is because taker bots always go for the highest maker offer in the pot first.

The moderator of the Monero Forums then replied, Quote: /u/monero_desk_support:

Thanks for the example. I acknowledge this is an issue.  

[NotATether]

Can this be solved by storing the escrow in a multi signature of some sort? I don't know if this is possible with Monero but if you have a 2 of 3 keys set up, then you'd require the taker and arbitrator (or maker and arbitrator) to send the funds by siding with one another.

Alternatively a rouge arbitrator can be bypassed if the maker and taker reach an agreement and transfer with their own keys.

Alternatively, number of arbitrations per 86400 seconds can be capped per bot, forcing more arbitrators to be brought online for the system to scale (and this makes this kind of attack unlikely).

The arbitrator would also need his own security deposit as insurance.

[logfiles]

I am trying to look for your thread on Reddit, but I do seem to located it. Can you share a link here?
I am also wondering what happened to your Announcement. Did you delete it due to the criticism your service received? I am just seeing the archived version, which can be found here - https://ninjastic.space/topic/5522702

[OpenMonero]

Quote by shoftwavesurfer2009:

Reto no longer *requires* a deposit. Sellers have the option to do a zero deposit trade with a randomly generated password and contact method of their choice.

Reference: https://primal.net/e/nevent1qvzqqqqqqyqzqlkt8rpcaquct5vjwtmrc9vg7ps3j0x5amqcaw2e8svvpj79cf59y50z5c

I engaged in a public discussion two days ago with the developer of Haveno, Woodser. Following my announcement regarding the rug pull issue, Reto implemented non-deposit offers immediately thereafter.

The non-deposit offer is a way to stop taker and arbiter bots from stealing all of Haveno's liquidity.

Issue discussion on nostr:
https://primal.net/e/nevent1qvzqqqqqqyqzqpg8r34v5d5z4ecxmc0c749cwjalaw4xu2ttpnh8zms0lhfepg450s7qlk

Note: The issue remains unresolved, as 99% of the order book consists of deposit offers. Moreover, the liquidity has not experienced any significant change and continues to exceed 3,000 XMR.
Source: https://haveno.markets

[OpenMonero]

woodsers (haveno developer) response:

a malicious arbitrator could attempt to take offers, hoping to be assigned trades and then unfairly award funds to themselves. however this risk can be mitigated by:

- a sufficient number of arbitrators - the best way to mitigate this risk is to have a sufficient number of honest arbitrators, so a dishonest arbitrator is unlikely to be assigned a trade before being detected and banned. this creates an economic incentive for arbitrators to act honestly and earn trade fees rather than risk exclusion
- arbitrator selection by the maker - the maker can select an arbitrator from a trusted list rather than relying on random assignment (the current default)
- trade limits per client - restricting the number of active trades or funds at risk per client further reduces potential damage from a dishonest arbitrator

in contrast, centralized exchanges like localmonero, openmonero, etc require full trust in the platform operators, because:

- they take full custody of traded funds and can easily steal them at that time
- reputation can be easily faked, so does not provide any guarantee of trustworthiness in trade partners
- they can collect and store sensitive trade details across all traders
- they're more likely to be shut down due to legal compliance, and you're left to find a new service

ultimately users should consider the trustworthiness of the haveno network they're using and its arbitrators, but these networks provide greater decentralization, privacy, and control of funds than centralized services, which are a single point of failure

link to woodser's response to prove i didnt make it up: matrix.to/#/!UuoWQWMGvPBHkIgWGJ:monero.social/$bVIMNjW1yEbdIHK-yEPuN-H2fXVmqEaXXLe4lgtuk68?via=monero.social&via=matrix.org&via=catgirl.cloud

Reference:  https://archive.ph/GsDsn
Reference: https://iris.to/note1v03qwh7q5vs4ffrfe6vewh02t3hxn7ngy7u6ectjduamzwagfgdqntugsy


OpenMonero response to Woodser haveno dev (haveno rug pull scenario)

a malicious arbitrator could attempt to take offers, hoping to be assigned trades and then unfairly award funds to themselves. however this risk can be mitigated by:

a sufficient number of arbitrators - the best way to mitigate this risk is to have a sufficient number of honest arbitrators, so a dishonest arbitrator is unlikely to be assigned a trade before being detected and banned. this creates an economic incentive for arbitrators to act honestly and earn trade fees rather than risk exclusion

I totally agree that individual arbiters need to act honestly so they don't get banned by the network operator. But honestly, that's not the main issue here. The real risk of a rug pull attack (or exit scam) doesn’t come from those individual arbiters, but from the network operator, whom we’ll call "Reto." Reto has the power to assign arbiter roles, which is where the problem lies.

The network operator is a single point of failure because he can create as many arbiter roles as he wants since he holds the admin key. Sure, Reto might give a few trusted individuals arbiter roles to make things look decentralized and transparent. But he could just as easily assign a bunch of roles to bots he controls. Plus, Reto would be in charge of all the taker bots, since anyone can jump in and be a taker. This setup lets Reto secure a two-thirds majority in any disputes that come up.

So, when it comes to pulling off an attack in this scenario, the odds are nearly 99.99% in favor of success. That’s because, when the attack happens, most of the arbiters and takers will likely be bots, all under Reto's control, making them the real weak link in the system.

arbitrator selection by the maker - the maker can select an arbitrator from a trusted list rather than relying on random assignment (the current default)

The network operator is probably going to kick out all the human arbiters before they carry out the rug pull. This means the makers won’t have any choice but to use arbiter bots. Plus, the makers won’t really have a chance to dispute anything because a taker bot will just send a fake "I have paid" message even though they haven't actually paid. Then, that taker bot will start a dispute, leaning on the arbiter bot to back them up and go after the maker's funds unfairly.

In the end, the arbiter will take the 15% security deposit from the maker, while the taker bot walks away with the trading funds and its own 15% security deposit. The key thing to remember here is that both the taker and arbiter bots are under the control of the network operator, so all that money ends up in their hands, leaving the maker with nothing.

trade limits per client - restricting the number of active trades or funds at risk per client further reduces potential damage from a dishonest arbitrator

If you try to limit how many active trades takers can have, it won’t really make a difference because anyone can be a taker. So, the network operator (or reto admin) could just set up as many taker bots as they need to get around those limits.

in contrast, centralized exchanges like localmonero, lm, etc require full trust in the platform operators, because they take full custody of traded funds and can easily steal them at that time

I totally agree with you that most p2p platforms (like centralized exchanges) usually hold full custody of the funds since they require pre-funding for trades. But OpenMonero is different because it doesn’t need sellers to fully fund their trades upfront thanks to its self-custodial trade funding setup. The platform can’t access all of the liquidity at once unless every seller decided to post their bonds at the same time, which is statistically improbable.

It’s also worth mentioning that LocalMonero used to lack the self-custodial trade funding option, meaning that seller funds were always at risk while they waited for trade requests. Right now, OpenMonero can only tap into a maximum of 2% of the total liquidity at any given time, unless every seller posts their externally funded bond at the same time, which remains statistically improbable.

So, we can say that OpenMonero acts like a centralized exchange, but the liquidity is actually decentralized thanks to the self-custodial trade settlements for buyers and self-custodial trade funding for sellers. I suggest checking out the examples on simplifiedprivacy.com for more insights, especially if you’re looking into advanced examples.

reputation can be easily faked, so does not provide any guarantee of trustworthiness in trade partners

No system is perfect, but it's fair to say that having a reputation system is definitely better than having no verification at all. It’s worth mentioning that faking a reputation system isn’t easy and it requires a lot of money and time. Sure, someone could try to create fake trades on OpenMonero, but the system can pick up on that pretty quickly (for ex, if someone makes 1000 trades in a short period, that would definitely raise some eyebrows)

Sellers/Buyers can also check users' Telegram handles through trusted sites like localmonero.co or confirm PGP keys from reliable sources, including LocalMonero and imported profiles.

Plus, you can’t do coin-locking on OpenMonero since sellers need to fund trades manually. It’s not an automated process like on networks like Haveno, which really helps to reduce the chances of exit scams. When it comes to offers on OpenMonero, they’re not fully funded right away. You only need 0.35 XMR to list an ad in the search results. This is mainly to fend off spam listings, but it can also help fund smaller trades. If a trade is bigger, sellers have the option to use an external, fully isolated wallet to fund the transaction and keep themselves safe from any potential scams right from the start.

they can collect and store sensitive trade details across all traders

I don’t have an admin panel to keep track of trades or messages, and users can set up self-destructing messages right after a trade or completely delete their accounts. This kind of feature probably wouldn’t work in decentralized systems since all data is saved on multiple nodes. Also, the OpenMonero wallet creates a new address every time you make a deposit to help keep your privacy intact.

they're more likely to be shut down due to legal compliance, and you're left to find a new service

My identity is kept private, and OpenMonero vendors don’t have to go through any KYC checks, which means we can totally work outside of regulations. This works because the platform isn't custodial, it's open-source, and you can access it via Tor hidden services and I2P. So, even if the clearnet domain gets taken down by the authorities, the exchange would still run smoothly. Anyone can self-host the frontend or even fork the code to make their own OpenMonero version. Plus, we’re working on a Nostr-based version that lets anyone become an escrow provider or self-host the frontend without needing any backend. This would make it super resistant to censorship. Check out the interview for more details!

ultimately users should consider the trustworthiness of the haveno network they're using and its arbitrators, but these networks provide greater decentralization, privacy, and control of funds than centralized services, which are a single point of failure

My vendors don’t really need to trust me because they don’t have to download any software or put down trading funds upfront to get trade requests (unlike Haveno). This really cuts down the chances of exit scams right from the start, and it keeps their personal files safe from malicious access. The OpenMonero web app runs smoothly in any browser and doesn’t connect to the user’s system, which is way different from Haveno that needs to be installed and has a daemon running all the time on your computer (definitely a recipe for keyloggers and shady auto updates). Plus, the built-in non-custodial wallet in Haveno isn’t very secure since malicious updates could come with keyloggers to snag your private keys. But with OpenMonero, vendors can fund their bonds using totally isolated wallets like Cake Wallet, Moneroju, Monero Wallet CLI, Feather Wallet, Trezor, and more.

The Haveno platform mainly looks out for the network operators, but it doesn’t really do much to protect market makers. This leaves them open to the risk of exit scams since the liquidity, the most important asset, is fully controlled by the network operator.

Also, let’s be clear: Haveno isn't truly decentralized. Accounts and order books don’t get shared between different Haveno instances, which creates a fragmented setup that’s kind of like a local network. The system would work a lot better if there was one big network where accounts and offers were merged from various instances instead of just having this isolated system run by a single operator. That’s not how decentralization should work.

When we talk about fund security, decentralization isn’t the most important factor. What really matters are things like how quickly trades get finalized, self-custodial trade settlements and self-custodial funding, along with a solid reputation system. Without a reputation system, there’s no trust between trading partners. Plus, if we don’t have self-custodial settlements or funding, the admin could easily run off with all the liquidity.

I’d love to keep the conversation going if you have any other points you want to bring up. I think Haveno does a pretty good job of protecting network operators, and I really appreciate that it’s open-source!

However I think OpenMonero is more safe (multi-sig vs self-custodial) and has 98% less risk of total liquidity being jeopardized at all times. The occurrence of exit scams is relatively low within this model.

[OpenMonero]

Can this be solved by storing the escrow in a multi signature of some sort? I don't know if this is possible with Monero but if you have a 2 of 3 keys set up, then you'd require the taker and arbitrator (or maker and arbitrator) to send the funds by siding with one another.

Alternatively a rouge arbitrator can be bypassed if the maker and taker reach an agreement and transfer with their own keys.

Alternatively, number of arbitrations per 86400 seconds can be capped per bot, forcing more arbitrators to be brought online for the system to scale (and this makes this kind of attack unlikely).

The arbitrator would also need his own security deposit as insurance.

Basically, the haveno network operator can give admin roles to both taker and arbiter bots, which lets them ignore any rules in place. This speeds up things a lot since there’s no need to put down a security deposit for each taker bot, allowing all maker funds to be unlocked right away. These bots only work on the API level, so they don't mess with the user interface.

Because of this, it doesn’t really matter if you set up limitations on the frontend or the public API; the admin bots will always be able to access the protected API endpoints. This access is key to getting around rules like security deposits, rate limits, or any other client-side requirements for takers or arbiters.

The admin bots won’t use the public API, since developers would catch any shady changes to it. Instead, they’ll send requests to a protected API run by the network operator on a low-cost VPS for about $5 USD. Only the admin bots (taker and arbiter) will have the keys to access this protected API. This API will basically look like the public API but will have tweaks to bypass all those rules. So, only the maker will use the public API and will have to follow its rules.

To make things work, all you really need is the admin key, a protected API, and a few VPS servers for the taker and arbiter bots. These taker bots will throw the admin keys into the headers of their requests. If a normal taker tries to hit up the protected API without the admin keys, the request won't work. It’s actually pretty simple, and it might have been overlooked because of that.

Also, it’s good to remember that multi-signature setups only make sense when there’s no admin or network operator. The operator is always a single point of failure and can sidestep any limits on the API using their admin keys.

If anyone has a solid reason why this wouldn’t actually work, I’d love to hear it. When someone has the admin keys for their network, they can pretty much do whatever they want and set the rules while everyone else has to follow along.

To wrap it up, everyone in the haveno network, the taker, the arbiter, and the maker will get a key in the multi-sig trade. But there's also a fourth key, called the "magic key" that can do a bunch of powerful things, some of which could be a bit risky.


Reference:  https://archive.ph/GsDsn
Thread:  https://primal.net/e/nevent1qvzqqqqqqyqzqpg8r34v5d5z4ecxmc0c749cwjalaw4xu2ttpnh8zms0lhfepg450s7qlk
Interview: https://simplifiedprivacy.com/openmonero-interview-with-the-dev/compared-to-reto.html

[NotATether]

To wrap it up, everyone in the haveno network, the taker, the arbiter, and the maker will get a key in the multi-sig trade. But there's also a fourth key, called the "magic key" that can do a bunch of powerful things, some of which could be a bit risky.

That magic key sounds like it could be a security flaw. So why not just do away with those and require security deposits for all of the maker and taker bots on the network?

Does this kind of scam even work when security deposits are required?

Perhaps it the arbitration system should be modified so that arbitrators can only take on trades that are values at less XMR than what their security deposit is worth. Maximum one trade at a time, so that if they try to cheat at any point, it gets confiscated.

[dkbit98]

Haveno arbiters can steal the entire liquidity from the retoswap order book. All you need is just 2 bots. Its crazy
Check out the article below to learn more about the Haveno exit scam scenario.

I know Haveno forked from Bisq to make it work with monero, so does Bisq have the same issue like this or this is something unique to Haveno?
There is also Retoswap that is basically repacked Haveno so they probably applies to them as well.
I am not taking any sides here but this looks like a fight competition between OpenMonero and Haveno.

[OpenMonero]

No, bisq does not have the same rug pull issue since they use the bisq token and completely different multi-sig setup

Regarding Retoswap, there is a new topic here: https://bitcointalk.org/index.php?topic=5549663.0