Topic: [2020-04-09] Hacker Exploits Flaw in Decentralized Exchange Bisq (Read 275 times)

hero member
Activity: 1806
Merit: 672
Is there any possibility that this could be an inside job? Like it is one of their devs who found the exploit, or is even the one who has created the exploit to steal some crypto from their users? I know these things could be a big possibility since it's easier for them to get away with a "hack" since they are decentralized, but if we are talking about normal exchanges here like Binance or Cryptopia, the government will be all over them.
hv_
legendary
Activity: 2534
Merit: 1055
Clean Code and Scale
I was checking the previous posts. A lot have been posted on dirty coins ending up at the decentralized exchanges and mixers. But we all ignore the fact that the majority of these dirty coins end up in mainstream exchanges such as ZB and Gate.io, which are operating 100% legally. Let me take the example of the coins from the PlusToken scam. An unbelievable 50% of the coins laundered so far from this scam ended up at Huobi, with smaller amounts being diverted to exchanges such as Upbit and OkEx.


No, Huobi must delist Monero scam coin.

Stop that shit.
sr. member
Activity: 1988
Merit: 453
An unbelievable 50% of the coins laundered so far from this scam ended up at Huobi, with smaller amounts being diverted to exchanges such as Upbit and OkEx.

If a big exchange like Huobi knows there is laundered cryptocurrency stored in one of their accounts, then why aren't they freezing it?

I am not sure whether I have the answer. I guess it is the same case as what happened with the other scams. The scammers probably withdrew the funds (USDT or BTC) as soon as they were able to trade them, while the exchange admins found out later that these funds came from the scam. I don't think that they would allow the scammers to launder the funds, if the origin was known earlier. 

The point I am making here is that, it is not correct to blame the DEX sites for laundering the funds from hacks and scams.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
An unbelievable 50% of the coins laundered so far from this scam ended up at Huobi, with smaller amounts being diverted to exchanges such as Upbit and OkEx.

If a big exchange like Huobi knows there is laundered cryptocurrency stored in one of their accounts, then why aren't they freezing it?
sr. member
Activity: 1988
Merit: 453
I was checking the previous posts. A lot have been posted on dirty coins ending up at the decentralized exchanges and mixers. But we all ignore the fact that the majority of these dirty coins end up in mainstream exchanges such as ZB and Gate.io, which are operating 100% legally. Let me take the example of the coins from the PlusToken scam. An unbelievable 50% of the coins laundered so far from this scam ended up at Huobi, with smaller amounts being diverted to exchanges such as Upbit and OkEx.

hv_
legendary
Activity: 2534
Merit: 1055
Clean Code and Scale
@Lucius. I did not quote my own post. It was hv_. I quoted him with my post quoted, however. Edited hehehe.

@stompix. Bisq is closer to the definition of decentralized than the scam decentralized exchanges created on Ethereum. It was mentioned one of them would begin asking for KYC hehehe.

I love anyone who tries to implement a DEX, and anyone who knows Bisq or has spoken to them knows that they've never claimed to be fully decentralised, but they endeavour to be more and more, as much as possible. I also have a special dislike for DEXs that aren't anything but non-custodial functions, but the reality is, there is no such way right now to have a "purely decentralised" exchange, at least not in the beginning. Bisq is as close as it gets for me, without getting too far out of reach for non-techies.

DEX, DeFi, ICO, Mixers, all to scam average Joes. It only helps whales, manipulators, scammers, criminals.

Reminds me of the pets.coms from the dot com bubble.
legendary
Activity: 2968
Merit: 3684
Join the world-leading crypto sportsbook NOW!
@Lucius. I did not quote my own post. It was hv_. I quoted him with my post quoted, however. Edited hehehe.

@stompix. Bisq is closer to the definition of decentralized than the scam decentralized exchanges created on Ethereum. It was mentioned one of them would begin asking for KYC hehehe.

I love anyone who tries to implement a DEX, and anyone who knows Bisq or has spoken to them knows that they've never claimed to be fully decentralised, but they endeavour to be more and more, as much as possible. I also have a special dislike for DEXs that aren't anything but non-custodial functions, but the reality is, there is no such way right now to have a "purely decentralised" exchange, at least not in the beginning. Bisq is as close as it gets for me, without getting too far out of reach for non-techies.
legendary
Activity: 3122
Merit: 1492
@Lucius. I did not quote my own post. It was hv_. I quoted him with my post quoted, however. Edited hehehe.

@stompix. Bisq is closer to the definition of decentralized than the scam decentralized exchanges created on Ethereum. It was mentioned one of them would begin asking for KYC hehehe.
legendary
Activity: 2268
Merit: 18748
As soon as the person moved the BTC they received to a third party it was frozen cos it was nicked.
Given the kind of ridiculously invasive questions big exchanges are asking as part of their KYC processes - where did your fiat/bitcoin come from, where is it going, what are you going to spend it on, what's your job, what's your income, etc. - using an exchange to "mix" coins, even if they don't require KYC, is just asking for your account to be frozen and your coins confiscated.

I have also disabled updates and a lot of other things, does that make w10 open-source?
That is neither here nor there. The developers of BISQ did not, and are not able to, unilaterally shut it down or prevent users from trading, unlike centralized exchanges. They issued a warning, but users could continue to trade if they wanted to.

From the link you've posted:
They have a conflict resolution method. That's not the same as having complete control over the trades like a centralized exchange does.
hv_
legendary
Activity: 2534
Merit: 1055
Clean Code and Scale
Centralized systems were being perfected for generations, and it will take decades for decentralized systems to get to their level.

Centralised systems will always have whining, peer pressure and lawsuits to fall back on. That's why decentralisation for services is a lovely idea that most people will prefer to leave on the shelf.

The only place it'll fly is in services that can't operate any other way. If there's a centralised service the average customer will gravitate towards that out of instinct.

Open PoW mining systems are already decentralized enough, even better when no dev / central governance team is in power.

... wait, the protocol was set in stone. When ?
legendary
Activity: 2590
Merit: 3015
Welt Am Draht
Centralized systems were being perfected for generations, and it will take decades for decentralized systems to get to their level.

Centralised systems will always have whining, peer pressure and lawsuits to fall back on. That's why decentralisation for services is a lovely idea that most people will prefer to leave on the shelf.

The only place it'll fly is in services that can't operate any other way. If there's a centralised service the average customer will gravitate towards that out of instinct.
legendary
Activity: 3024
Merit: 2148
All these big hacks of decentralized systems that started with early Bitcoin bugs, then the DAO and now countless other protocols, they just show how immature the decentralized tech still is. Bitcoin is the most developed decentralized protocol out there, and there are still security bugs being found sometimes, so it's not surprising that systems like DEXs that emerged only a few years ago are getting problems like this one.

Centralized systems were being perfected for generations, and it will take decades for decentralized systems to get to their level.
legendary
Activity: 2912
Merit: 6403
Blackjack.fun
Everything is decentralized, but they have a kill switch
It's not a kill switch. They used a function called the "alert key" which alerts all users and implements a "soft" disable of trading, but since it is peer-to-peer, users can choose to ignore and override this disable if they want.

I have a ...special... w10 on one of my laptops.
I have also disabled updates and a lot of other things, does that make w10 open-source?

and most important, they have control over the trades
Can you elaborate? In what way do BISQ have control over trades?

From the link you've posted:

Quote
With no more trusted third parties, the new trade protocol also required that trade parties move bitcoin trade funds to a Bisq “donation address” after a hard time limit in order to solve dead-locked trades.
This donation address is set by the Bisq DAO and approved by DAO stakeholders.
It doesn't smell like no control to me.

https://docs.bisq.network/user-dao-intro#ensure-honesty-in-high-trust-roles
Yeah, decentralization where if you have enough accounts and money you can buy centralization.
True decentralization is a utopia, just like socialism, it will work as long as there are no humans involved.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
Statement here: https://bisq.network/statement-security-vulnerability-april-2020
They are releasing a proposal to refund the money lost via the BISQ DAO.

I posted that same link and answer on stompix's question, a few hours before your post...



bbc.reporter, is it necessary that you quote OP since you posted it? Also, for members who have slow or limited internet, it is advisable to resize images for faster loading and saving data traffic.

Code:
[img width=250 height=250]https://bisq.network/images/bisq-og.jpg[/img]



I think the most important thing is that the victims will get their funds back, although it is not specified in what timeframe - the whole procedure depends on trading revenues.
legendary
Activity: 2590
Merit: 3015
Welt Am Draht
I reckon something similar can be said on centralized exchanges also. It appears that many of the bitcoins used in the darknet are sent to them for mixing? I hope they did not give personal information hehehe.

That analysis is mind blowing. I can't believe people are that stupid. Even if they think they got away with it there may be a day when they're retrospectively hammered up the bum.

I remember a thread somewhere about swapping Monero for BTC on Bisq. As soon as the person moved the BTC they received to a third party it was frozen cos it was nicked.
legendary
Activity: 3122
Merit: 1492


Decentral exchanges are classified as mixers -> high risk!

Dont get average Joe to put his clean coins into for sake of criminals washing their shit!

I reckon something similar can be said on centralized exchanges also. It appears that many of the bitcoins used in the darknet are sent to them for mixing? I hope they did not give personal information hehehe.



Source https://blog.chainalysis.com/reports/darknet-markets-cryptocurrency-2019
legendary
Activity: 2268
Merit: 18748
Everything is decentralized, but they have a kill switch
It's not a kill switch. They used a function called the "alert key" which alerts all users and implements a "soft" disable of trading, but since it is peer-to-peer, users can choose to ignore and override this disable if they want.

they can modify the code when they see fit
Well, sure. They are the developers. The code is open source though. Don't like the changes? Don't download the update.

and most important, they have control over the trades
Can you elaborate? In what way do BISQ have control over trades?

And nothing in the article or on their channel about the money lost...
Statement here: https://bisq.network/statement-security-vulnerability-april-2020

They are releasing a proposal to refund the money lost via the BISQ DAO.
legendary
Activity: 2590
Merit: 3015
Welt Am Draht
What is actually tragicomic is the fact that the hack happened due to an upgrade, which was obviously not checked before it was implemented. Such things should not happen to professionals who want to prove themselves in a very competitive world of cryptocurrency trading. No KYC is great for most people, but hacking and very poor liquidity are definitely not in favor of DEX.

I've yet to see one remotely convincing and this is yet another one to slap upside the head.

I'd really want to see something properly on chain or in a core wallet and a fundamental part of the protocol before starting to feel confident about one. Even then I'm not sure enough people will ever be able to let go of having their hand held. But I'd rather know I was being watched from afar from the off rather than having it sprung on me like this.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
What is actually tragicomic is the fact that the hack happened due to an upgrade, which was obviously not checked before it was implemented. Such things should not happen to professionals who want to prove themselves in a very competitive world of cryptocurrency trading. No KYC is great for most people, but hacking and very poor liquidity are definitely not in favor of DEX.

And nothing in the article or on their channel about the money lost...

If you mean the amount of money stolen, this is stated in the article; ETFbitcoin quoted that part. But what I was wondering is whether Bisq has any intention or ability to compensate the victims for the damage, and this seems to be the case based on this statement:

A proposal will soon be created in the Bisq DAO, Bisq’s funding mechanism, that will aim to repay the 7 victims from future trading revenues.
hero member
Activity: 3164
Merit: 937
In the current cryptocurrency industry "decentralized exchange" is a buzz term. Everyone thinks this is cool and innovative and this has to be the FUTURE of cryptocurrency trading, yet there's no good example of a successful dex platform. Many scammers would use that term to create scam projects and manipulate the newbies into investing coins in their "decentralized exchanges".
I've never heard about Bisq, so I guess that their source code and security are far beyond perfect.
hero member
Activity: 1344
Merit: 540
Here is Bisq official statement:

Quote
TLDR of the critical security vulnerability.

Affected users were those involved in active trades only.

The flaw had to do with the way Bisq trades are carried out, not in the way funds are stored.

https://twitter.com/bisq_network/status/1247898001915297801

A fix was released in v1.3.1:

https://github.com/bisq-network/bisq/releases/tag/v1.3.1
legendary
Activity: 2912
Merit: 6403
Blackjack.fun
Quote
Bisq, which allows users to exchange crypto anonymously, abruptly disabled trading late Tuesday night after it uncovered "a critical security vulnerability."

I love those so-called decentralized exchanges...
Everything is decentralized, but they have a kill switch, they can modify the code when they see fit and most important, they have control over the trades, otherwise, this wouldn't have happened...

Quote
To carry out the thefts, the attacker was able to set other users' default fallback address – the destination to which crypto is sent if a trade fails – to their own.

If this is being decentralized then even a hypermarket is decentralized: you can go and buy one brand of milk or another at whatever prices the brand sees fit, it doesn't matter that the store is in charge of the transactions and refunds and that it can shut down everything; it is decentralized because... they advertise it like that.

And nothing in the article or on their channel about the money lost...
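The two quotes above (the CoinDesk line about the attacker setting other users' fallback address, and the Bisq docs line about trade funds moving to a DAO-approved "donation address" after a hard time limit) describe one class of bug: a peer-to-peer trade protocol in which the destination used to resolve a dead-locked trade is taken from the counterparty's message instead of from the client's own, DAO-governed view. The sketch below is an added illustration written for this thread, not Bisq's Java code and not a reconstruction of the actual patch; the message fields, the `DAO_APPROVED_DONATION_ADDRESSES` set, the addresses, the "tick" clock and the function names are all constructed for the example. It contrasts a flow that copies the peer-supplied address into the trade with one that refuses any address not in the locally known approved set, and then shows where the funds would go after the time limit in each case.

```python
"""Peer-supplied fallback address vs. locally pinned DAO-approved address.

Added example for the Bisq April 2020 thread; not the project's own code.
All addresses, the approved-address set and the tick clock are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Assumption: the client learned this set from its own copy of the DAO state.
# It is the only source of truth for where a dead-locked trade may pay out.
DAO_APPROVED_DONATION_ADDRESSES: FrozenSet[str] = frozenset({
    "bc1qdaoapprovedexampleaddress0000000000000000",  # placeholder, not a real address
})


@dataclass(frozen=True)
class TradeRequest:
    """Constructed stand-in for the counterparty's trade-initiation message."""
    trade_id: str
    peer_node: str
    amount_sat: int
    donation_address: str  # field entirely under the peer's control


@dataclass
class Trade:
    trade_id: str
    amount_sat: int
    fallback_address: str  # where funds go if the trade dead-locks past the deadline
    deadline_ticks: int


class FallbackAddressError(ValueError):
    """Raised when a peer proposes a fallback address the DAO never approved."""


def accept_trade_vulnerable(req: TradeRequest, now_ticks: int, time_limit_ticks: int) -> Trade:
    """Trusts the peer: whatever address arrived in the message becomes the fallback."""
    return Trade(req.trade_id, req.amount_sat, req.donation_address, now_ticks + time_limit_ticks)


def accept_trade_hardened(
    req: TradeRequest,
    now_ticks: int,
    time_limit_ticks: int,
    approved: FrozenSet[str] = DAO_APPROVED_DONATION_ADDRESSES,
) -> Trade:
    """Aborts before any deposit is funded unless the proposed fallback is DAO-approved.

    Rejecting (rather than silently substituting) keeps both traders' view of the
    trade identical; a peer that wants its own address simply never gets a trade.
    """
    if req.donation_address not in approved:
        raise FallbackAddressError(
            f"trade {req.trade_id}: peer {req.peer_node} proposed fallback "
            f"{req.donation_address!r}, which is not a DAO-approved donation address"
        )
    return Trade(req.trade_id, req.amount_sat, req.donation_address, now_ticks + time_limit_ticks)


def resolve_deadlocked_trade(trade: Trade, now_ticks: int) -> Optional[Tuple[str, int]]:
    """After the hard time limit, return (destination, amount); before it, None."""
    if now_ticks < trade.deadline_ticks:
        return None
    return trade.fallback_address, trade.amount_sat


def demo() -> dict:
    """Run both flows against a constructed malicious request and report outcomes."""
    attacker_addr = "bc1qattackercontrolledexampleaddress000000000"  # placeholder
    malicious = TradeRequest("trade-1", "peer-x.onion", 5_000_000, attacker_addr)
    limit = 100

    vuln = accept_trade_vulnerable(malicious, now_ticks=0, time_limit_ticks=limit)
    vulnerable_payout = resolve_deadlocked_trade(vuln, now_ticks=limit)

    try:
        accept_trade_hardened(malicious, now_ticks=0, time_limit_ticks=limit)
        hardened_rejected = False
    except FallbackAddressError:
        hardened_rejected = True

    honest = TradeRequest("trade-2", "peer-y.onion", 5_000_000,
                          next(iter(DAO_APPROVED_DONATION_ADDRESSES)))
    ok = accept_trade_hardened(honest, now_ticks=0, time_limit_ticks=limit)

    return {
        "vulnerable_payout": vulnerable_payout,
        "hardened_rejected": hardened_rejected,
        "hardened_payout_before_deadline": resolve_deadlocked_trade(ok, limit - 1),
        "hardened_payout_after_deadline": resolve_deadlocked_trade(ok, limit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the check is its placement: it runs on the request, before any deposit transaction is built, and it consults only state the client already holds, so a counterparty's message can never widen the set of payout destinations.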



hero member
Activity: 1344
Merit: 540
Yes, there could be no censorship, but it doesn't mean that it is pseudo-anonymous per se; they can still link your Bisq transaction, which is not good for privacy.

@ hv_  - I wouldn't categorically say that Bisq is a mixer though, but your coins can be flagged by centralised exchanges if you tried to deposit to them because of "Bisq fingerprint".
legendary
Activity: 2576
Merit: 1860
And all this time, centralized exchanges are heavily criticized for being such, for requiring KYC, for handling people's money and personal identities, for falling prey to hackers, and so on. Time and time again, we are reminded not to leave our cryptocurrencies in these exchange wallets because it is not safe. It turns out even decentralized exchanges are no better. Hackers are targeting both.

By the way, are these hacks limited to IOC (Immediate or Cancel) or FOK (Fill or Kill) orders? Because the attackers are waiting for the time limit to run out.
hv_
legendary
Activity: 2534
Merit: 1055
Clean Code and Scale
A small commentary.

This is the type of power decentralization a real dex gives everyone as an equalizer. This is also what the people sitting on the very top do not want you to know. They want to have all this power only for themselves under the present system.



In most cases of an exchange hack, the attacker can be booted off the trading platform for good. Not so with Bisq. One of the DEX's associated developers told CoinDesk that although the flaw was fixed, there was nothing to prevent the attacker – whose identity cannot be known – from accessing and trading on the platform again.

"Anyone can use Bisq, there is no censorship," the developer said. "Just like anyone can use bitcoin, there is no way to ban someone from bitcoin."


Read in full https://www.coindesk.com/hacker-exploits-flaw-in-decentralized-exchange-bisq-to-steal-250k

Decentral exchanges are classified as mixers -> high risk!

Dont get average Joe to put his clean coins into for sake of criminals washing their shit!
legendary
Activity: 3122
Merit: 1492
A small commentary.

This is the type of power decentralization a real dex gives everyone as an equalizer. This is also what the people sitting on the very top do not want you to know. They want to have all this power only for themselves under the present system.



In most cases of an exchange hack, the attacker can be booted off the trading platform for good. Not so with Bisq. One of the DEX's associated developers told CoinDesk that although the flaw was fixed, there was nothing to prevent the attacker – whose identity cannot be known – from accessing and trading on the platform again.

"Anyone can use Bisq, there is no censorship," the developer said. "Just like anyone can use bitcoin, there is no way to ban someone from bitcoin."


Read in full https://www.coindesk.com/hacker-exploits-flaw-in-decentralized-exchange-bisq-to-steal-250k