In brief An upgrade in Bisq’s software contained a critical flaw.

The flaw allowed a hacker to steal 3 Bitcoin and 4000 Monero from 7 traders.

Bisq issued a fix and promised to refund the victims from future revenues.

Bisq, a decentralized cryptocurrency exchange, announced on Tuesday that it had been hacked. Due to a flaw in its code, roughly $250,000 worth of Bitcoin (BTC) and Monero (XMR) were stolen. The exchange has since issued a fix along with a promise to fully refund the victims.

Bisq first alerted users to the problem in a tweet yesterday when it abruptly halted all trading on the platform. In a statement posted on the exchange's website Wednesday, Steve Jain, a contributor to the open-source project, explained that a hacker had exploited a critical vulnerability in the Bisq trading protocol, which allowed them to target individual trades to steal funds.

“We are aware of approximately 3 BTC and 4000 XMR stolen from 7 different victims,” Jain said. "The only market affected was the XMR/BTC market, and all affected trades occurred over the past 12 days.”

Bisq launched four years ago. A peer-to-peer application, it allows users to buy and sell cryptocurrencies directly from each other in exchange for fiat currencies via a desktop client. The platform conducts no KYC checks, so users are able to remain private.

Centralized exchanges tend to store a small percentage of their funds in a server, or hot wallet, directly connected to the internet. Since Bisq is decentralized, there was no “honeypot” for the hacker to siphon.

“Affected users were those involved in active trades only,” Bisq said in a Twitter thread explaining the hack.

How the hack happened

Apparently, the attacker posed as a user selling BTC on the platform to take advantage of a vulnerability in the system.

The exchange requires sellers to lock any BTC being sold in a multi-signature escrow along with a security deposit. If a dispute arises and a mediator is unable to come up with a solution, the funds are sent to a fallback address, known as a “donation address.”

“This is meant to be a rare occurrence for extreme circumstances,” the exchange said in a tweet.

But in this event, the hacker was able to set the donation address to point to their own address. This allowed the hacker to claim the funds as their own.

“Rather than going to the legitimate owner, the digital assets arrived with the attacker, along with the buyer's payment and security deposit too,” the exchange said.

The software flaw that allowed this to happen was in an update released in late October. The new version was aimed at improving decentralization by removing trusted third parties in the multisig escrow used for Bitcoin trading funds. But the update backfired, allowing the hacker a foot in the door, so to speak.

Bisq said it planned to make good on the losses. "A proposal will soon be created in the Bisq DAO, Bisq’s funding mechanism, that will aim to repay the 7 victims from future trading revenues," Jain explained.

“Security has always been a top priority for Bisq, but this incident shows it wasn’t perfect. The project is evaluating several approaches to strengthening security reviews and practices even more, and will detail them soon,” said Jain.

Luckily, the exchange isn’t truly decentralized then.

(Update on April 11: A previous version of this story referred to Bisq as a company. More correctly, it is an open-source project. In an email, Bisq told Decrypt the platform doesn't use smart contracts "at least not in a commonly understood sense of Ethereum smart contracts." So even though DAOs are typically associated with smart contracts, we removed that reference.)