Bisq

On April 7, 2020, Bisq, a peer-to-peer decentralized exchange, was exploited, resulting in the theft of approximately $250,000, comprising 3 BTC and 4,000 XMR from seven victims in the XMR/BTC market, as reported by Bisq’s official statement. Detected at 12:00 UTC, the attack exploited a flaw in Bisq’s v1.2 trade protocol, introduced in October 2019, which removed arbitrators from multisig escrow and required trade funds to move to a DAO-set donation address after a time limit. The protocol failed to verify the payout address as the legitimate donation address, allowing attackers to redirect funds, per the article. Bisq, with $1 million daily trading volume per CoinGecko, disabled trading using its alert key, released a fix in v1.3.0, and warned users against bypassing the alert, per Twitter (@bisq_network).

A Bisq DAO proposal was planned to compensate victims from future revenues, though no immediate repayments occurred, per the article. No attacker identities were disclosed, and funds remained unrecovered by April 2020. One of 208 crypto hacks in 2020 costing $3.7 billion, per Chainalysis, this incident, alongside KuCoin’s $280 million loss, highlighted trade protocol vulnerabilities, fueling calls for rigorous protocol audits, enhanced payout verification, and decentralized governance improvements to secure P2P exchanges.