Hacking a decentralised exchange: Bisq spills the secrets on their recent hack
A hacker has exploited a security vulnerability in the trading protocol of decentralised Bitcoin exchange Bisq, stealing around 3 BTC and 4000 XMR (~AUD$350,000 at time of writing).
Unlike conventional digital currency exchanges, Bisq is not a company, it is free software which enables a peer-to-peer network allowing users to connect with each other to implement the Bisq trading protocol.
The vulnerability which allowed the hack to take place was introduced with version 1.2 of the Bisq trading protocol, released in late October 2019. One aspect of this update required that bitcoin trade funds are automatically moved to a Bisq “donation address” after a hard time limit in order to resolve dead-locked trades. The donation address was set by the Bisq Decentralised Autonomous Organisation (DAO) and approved by DAO stakeholders via voting from time to time.
However, the Bisq software did not verify that the address for deadlocked trades was actually the Bisq donation address before signing and sending the time-locked payout TX to the trade counterparty. As a result, the attacker was able to set other users' default donation addresses – the destination to which crypto is sent to if a trade fails – to the attacker's own wallet. Posing as a seller, the attacker started a trade with a buyer then simply waited for the hard time limit to run out. Rather than going to the legitimate owner, the BTC or XMR to be traded was sent to the attacker, along with the legitimate buyer's payment and security deposit as well.
The exploit was discovered and trading halted on 8 April 2020, and a hotfix issued in Bisq v1.3.0 which is now live. Because of the decentralised peer-to-peer nature of the exchange, while Bisq could issue an alert key which temporarily suspended trading, users could override the suspension if they wished.
In a statement explaining how the hack took place, Bisq confirmed that a proposal will soon be created in the Bisq DAO, Bisq’s funding mechanism, that will aim to repay the 7 victims of the hack from future trading revenues. This is an interesting example of community response to a software failure involving no lawyers, police or judicial action.
While decentralised exchanges are sometimes considered to be safer, or less of a target to hackers due to the lack of a centralised "honeypot" exchange wallet containing significant funds, this hack still serves as a timely reminder that minor lapses in security are all it takes for funds to be lost, even in a decentralised scenario.
Thankfully, Bisq appears to have taken the threat seriously, and promised that:
The project is evaluating several approaches to strengthening security reviews and practices even more, and will detail them soon.