A hacker exploited a remarkable software flaw to steal more than $250k worth of users’ cryptocurrency from the decentralized exchange (DEX) Bisq.

As a result, the exchange abruptly disabled trading last night after discovering the critical security risk.

However, Bisq did not say what kind of flaw it was and did not confirm whether users’ funds were safe. The exchange said the action it took when the exploit was discovered was unprecedented.

According to Bisq, the hacker stole about 3 Bitcoins and 4,000 XMR from 7 different victims. The 3 Bitcoins were valued at about $22k and the Monero at $230k at the time of writing, for an aggregate value of over $250k.

The theft involved setting other users’ default fallback address, the address that receives cryptocurrency if a trade fails. The hacker posed as a seller, initiated a trade with a buyer, and then waited for the time limit to run out. The cryptocurrency then went not to its rightful owner but to the attacker, together with the buyer’s payment and security deposit.

The flaw that the hacker exploited stemmed from the latest update to the exchange’s trading protocol. The purpose of the update was to enhance decentralization and eliminate trusted third parties from the platform. The exchange fixed the flaw by 12:00 (UTC) on April 8, before informing users that trading was resuming.

Bisq’s platform, which was introduced at the end of 2018, works similarly to other DEXs. However, it allows anonymous trading, as there is no need to register or verify identity.

Because the platform depends on a distributed network, every user acts as a node. Despite the trading suspension, Bisq’s decentralized nature means users can override the suspension if they wish.