P2P Bitcoin exchange Bisq is preparing a DAO reimbursement vote after an 11 BTC exploit hit the trading platform.
Bisq, a privacy-focused decentralized peer-to-peer (P2P) Bitcoin exchange, said in an X thread on Sunday, May 3, that an attacker stole about 11 BTC (around $876,000 based on Bitcoin’s current price) by abusing a small but nasty bug in its trading system.
Originally launched in 2014 as Bitsquare, the open-source desktop app was later renamed Bisq in 2017.
- It lets people buy and sell Bitcoin for fiat currencies or other crypto without KYC checks, which has made it one of the better-known privacy-focused Bitcoin trading apps.
- Trading happens over a peer-to-peer network, while deposits are held in 2-of-2 multisig wallets rather than by a central exchange account.
How Bisq Was Hacked
Bisq said the exploit came from a missing validation check that should have blocked bad input from the taker side of a trade.
Because the maker and taker are supposed to use the same miner fee, that bad number then moved through the transaction math. The multisig output was cut down to 0.001 BTC, while the rest of the funds were pushed into the taker’s change output, the platform says. The team said:
“In hindsight, this was a serious failure on our side. The mistake was not only the missing validation check. It was also failing to react early enough to the changing security landscape and the increasing practical relevance of AI-assisted vulnerability discovery.”
- The project said the final reimbursement model will be submitted as a proposal to the Bisq DAO, where BSQ stakeholders vote on project decisions.
- BSQ is a governance token, used to fund contributors and manage the network.
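
An added example, not Bisq's code or anything from the original article: a simplified Python model of the kind of maker-side check described above. It rejects a taker-supplied miner fee that is out of range or differs from the maker's, and recomputes the multisig and change amounts from the maker's own terms before signing. The field names, fee bounds and sample amounts are assumptions constructed for illustration; the article does not state the actual bad value.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Offer:                 # terms the maker already trusts (all values in satoshis)
    maker_contribution: int  # what the maker locks into the 2-of-2 multisig
    taker_contribution: int  # what the taker must lock into the multisig
    miner_fee: int           # fee both sides are supposed to use

@dataclass(frozen=True)
class TakerRequest:          # untrusted values received from the taker
    miner_fee: int
    taker_inputs_total: int  # in practice verified against the referenced UTXOs
    multisig_output: int
    taker_change_output: int

MIN_FEE, MAX_FEE = 200, 500_000  # assumed sanity bounds, not Bisq's values

def violations(offer: Offer, req: TakerRequest) -> list[str]:
    """Return the failed checks; the maker signs only if the list is empty."""
    failed = []
    if not MIN_FEE <= req.miner_fee <= MAX_FEE:
        failed.append("fee_out_of_range")
    if req.miner_fee != offer.miner_fee:
        failed.append("fee_mismatch")
    # Recompute amounts from the maker's own terms, never from taker input.
    expected_multisig = offer.maker_contribution + offer.taker_contribution
    if req.multisig_output != expected_multisig:
        failed.append("multisig_amount")
    max_change = req.taker_inputs_total - offer.taker_contribution - offer.miner_fee
    if not 0 <= req.taker_change_output <= max_change:
        failed.append("taker_change")
    return failed

# Constructed sample data (hypothetical amounts).
OFFER = Offer(maker_contribution=115_000_000, taker_contribution=15_000_000,
              miner_fee=3_000)
HONEST = TakerRequest(3_000, 20_000_000, 130_000_000, 4_997_000)
# Symptom from the article: multisig output of 0.001 BTC, remainder in taker change.
# The fee here is a constructed out-of-range value, not the real one.
BAD = TakerRequest(999_999_999, 20_000_000, 100_000, 134_897_000)

if __name__ == "__main__":
    print(violations(OFFER, HONEST))
    print(violations(OFFER, BAD))
```

The amount checks catch a shrunken multisig output even when the fee field itself looks normal, which is why the invariant is recomputed independently of the fee check.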
AI All Over the Place
While Bisq said it couldn’t prove the attacker used AI, its investigation made the idea look plausible. The team wrote:
“We cannot say with certainty, but based on our experience during the investigation we think it is likely. After the issue was discovered, one group of developers began manual code inspection to understand how the exploit could have happened.”
The project said the bug has been fixed and that a hotfix release is planned in the coming days.
In April 2020, Bisq said a separate trade-protocol flaw led to about 3 BTC and 4,000 XMR being stolen from seven victims, with the XMR/BTC market affected. Back then, the project also pointed to a DAO proposal to repay victims from future trading revenue.

Data from DefiLlama shows Bisq had over $10 million in monthly trading volume in April, implying roughly $65,000 to $130,000 in monthly trading fees, depending on whether users paid with discounted BSQ fees or regular BTC fees.

