PSA: Trade protocol exploit discovered, investigations ongoing

Bisq v1 has experienced an exploit in its trade protocol that allowed an attacker to drain a portion of available offers.

The impact is limited to offers that were actively taken by the attacker. Funds held in users’ Bisq Bitcoin wallets are not affected.

As an immediate mitigation, an emergency mechanism was activated to disable trading by setting the required trading version to 2.0.0 — a version that does not exist. This effectively prevents the attacker from continuing the exploit.

The attack appears to have started on May 1 in the early morning hours. We are continuing to investigate the full extent of the damage. Users with trades initiated on or after this time are advised to open mediation by selecting the trade and pressing Ctrl + O. A mediator will assess whether their trade was affected.

Preliminary investigation indicates that the attacker exploited a missing validation check using a modified client. We are working to reliably reproduce the issue and verify a fix. Once confirmed, we will release a hotfix based on the latest stable version. In parallel, we are conducting a comprehensive security review to identify any related or additional vulnerabilities.

For affected users, we are actively evaluating reimbursement options. We recognize that both the exploit and our response are critical to Bisq’s integrity, and we are dedicating all available resources to finding a solution that helps restore confidence.

Bisq 2, with the Bisq Easy trade protocol, is not affected. It is a separate codebase with a fundamentally different protocol design.

We will continue to provide updates through our official communication channels, including Matrix, the Bisq Forum, Telegram, Reddit, X, and Nostr.

We sincerely apologize for the impact this incident has had on our users. We are fully committed to addressing both the root cause and its consequences.

BEWARE OF SCAMMERS

Worried users will be more vulnerable to scammers posing as support agents.

SUPPORT STAFF WILL NEVER DM YOU FIRST

NEVER reply to DMs you receive; it will be a scammer trying to impersonate official staff.

NEVER GIVE YOUR SEED TO ANYONE
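The emergency mechanism the PSA describes is a minimum-version gate: the network publishes a required trading version, every honest client compares its own version against it, and publishing a version that does not exist (2.0.0) halts trading for all of them. The block below is an added illustration of that pattern in Python; it is not Bisq's code, and the version strings and function names in it are constructed for the example.

```python
import re

# Added example, not Bisq's own implementation. Versions are assumed to be
# plain "major.minor.patch" strings; the values used below are constructed.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch' into a comparable tuple.

    Anything that does not match the strict form is rejected, so a malformed
    or crafted version string can never accidentally compare as 'new enough'.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"malformed version string: {version!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def trading_allowed(client_version: str, required_version: str) -> bool:
    """Kill-switch check: trading is allowed only when this client's own
    version is at least the network-published required trading version.
    Publishing a required version above every released version (e.g. 2.0.0
    when only 1.x exists) therefore disables trading for every honest client."""
    return parse_version(client_version) >= parse_version(required_version)


def evaluate_take_offer(my_version: str, required_version: str,
                        peer_claimed_version: str) -> str:
    """Decide on an incoming take-offer request on the offer maker's side.

    The first check depends only on the local version. A modified peer client
    can claim any version it likes, so its claim must never be what re-enables
    trading on this side; the peer's claim is only an additional reason to
    refuse, never a reason to accept.
    """
    if not trading_allowed(my_version, required_version):
        return "rejected: trading disabled by required version"
    if not trading_allowed(peer_claimed_version, required_version):
        return "rejected: peer below required version"
    return "accepted"
```

With the required version set to 2.0.0, an honest 1.x client refuses every take-offer request regardless of what version the peer claims, which is the effect the PSA describes.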

Hi swv. Just confirming: A popup said to update to latest version, but I understand v2.0.0 doesn’t exist. Should I ignore the update for now until resolved? Thanks.

Yes, that version was used just as a way to stop further vulnerable offers.


There isn’t even an issue report on the project’s GitHub:

Not to mention a fix.
What’s the situation? I made a transfer to someone an hour before the “outage.”

What happens now? Will they be able to confirm it?

Devs are working on this internally; GitHub will show that when the new version is ready. You’ll be able to continue with your trade then. As you were the BTC buyer, I suppose it was not directly affected by the attack, which was an exploit against BTC sellers as far as I know.

Yes, I know I wasn’t the target.

But since the platform is currently down, I’m worried the transaction won’t go through. And I’ve already made the transfer!

Thanks. I disabled an open offer. Am I able to cancel it and move the funds to my wallet until this is resolved?

Yes, but maybe keeping it disabled is better. By removing it, you lose the trading fee.


Trades that are already open can be completed normally. If you’d like a support agent to check whether your trade was affected by the exploit, DM one of them (never reply to DMs you receive first) and share the deposit txid.

So, open unaffected trades can be completed normally.


@Borque indicates that it’s an open offer, not an open trade. No one will be able to take an open offer until the new version is released.

As you’ve said, open trades can be completed normally.


Yes, I was actually replying to @jurkos :sweat_smile: