From ad31ea360238e56d3e3cb3a08ad8d608bbf9fe08 Mon Sep 17 00:00:00 2001 From: m52go Date: Wed, 8 Apr 2020 08:51:46 -0400 Subject: [PATCH 1/6] Add post on security vulnerability --- ...-04-08-statement-security-vulnerability.md | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 _posts/2020-04-08-statement-security-vulnerability.md diff --git a/_posts/2020-04-08-statement-security-vulnerability.md b/_posts/2020-04-08-statement-security-vulnerability.md new file mode 100644 index 00000000..b365bf8d --- /dev/null +++ b/_posts/2020-04-08-statement-security-vulnerability.md @@ -0,0 +1,21 @@ +--- +layout: post +title: "Statement on Critical Security Vulnerability, April 08 2020" +author: Steve Jain +excerpt: "A flaw in the way Bisq trades are carried out was exploited in early April 2020.

" +en-only: true +--- + +About 24 hours ago, we discovered that an attacker was able to exploit a flaw in the Bisq trade protocol, targeting individual trades in order to steal trading capital. We are aware of approximately 3 BTC and 4000 XMR stolen from 7 different victims. This is the situation as we know it so far. The only market affected was the XMR/BTC market, and all affected trades occured over the past 12 days. + +Bisq v1.2, released in late October 2019, updated its trade protocol. It improved decentralization by removing arbitrators with a 3rd key in the multisig escrow used for bitcoin trading funds. These arbitrators were replaced with 2 new roles: mediators and arbitrators with **no keys** in the multisig escrow. With no more trusted third parties, the new trade protocol also required that trade parties move bitcoin trade funds to a Bisq “donation address” after a hard time limit in order to solve dead-locked trades. + +This donation address is set by the Bisq DAO and approved by DAO stakeholders. Bisq software did not verify that the payout address for trades was actually the Bisq donation address set by the DAO before signing and sending the time-locked payout TX to the trade counterparty. **In plain words, this exploit was the result of a flaw in the way Bisq trades are carried out, not in the way funds are stored (i.e., there is no honeypot since Bisq is P2P).** + +As soon as this attack was discovered, Bisq developers used the alert key to disable all trading on Bisq. The flaw in the trade protocol has been corrected in Bisq v1.3.0, and trading will resume once this hotfix is released. Bisq is properly peer-to-peer, so alert key functionality can be bypassed by users, but this is highly discouraged. + +A proposal will soon be created in the Bisq DAO, Bisq’s funding mechanism, that will aim to repay the 7 victims and make them whole, paying out from future trading revenues. 
+ +Security has always been a top priority for Bisq, but this incident shows it wasn't perfect. The project is evaluating several approaches to strengthening security reviews and practices even more, and will detail them soon. + +The Bisq developer community sincerely apologizes. In the past 6 years, Bisq has never had to use the alert key to enable “safe mode” on Bisq nodes, and this is an unprecedented case for the Bisq DAO. From 8ccec2cb0da384dab9347551738d6631d1482546 Mon Sep 17 00:00:00 2001 From: m52go Date: Wed, 8 Apr 2020 08:57:09 -0400 Subject: [PATCH 2/6] Move date from title to permalink --- _posts/2020-04-08-statement-security-vulnerability.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/_posts/2020-04-08-statement-security-vulnerability.md b/_posts/2020-04-08-statement-security-vulnerability.md index b365bf8d..a51d9feb 100644 --- a/_posts/2020-04-08-statement-security-vulnerability.md +++ b/_posts/2020-04-08-statement-security-vulnerability.md @@ -1,9 +1,10 @@ --- layout: post -title: "Statement on Critical Security Vulnerability, April 08 2020" +title: "Statement on Critical Security Vulnerability" author: Steve Jain excerpt: "A flaw in the way Bisq trades are carried out was exploited in early April 2020.

" en-only: true +permalink: statement-security-vulnerability-april-2020 --- About 24 hours ago, we discovered that an attacker was able to exploit a flaw in the Bisq trade protocol, targeting individual trades in order to steal trading capital. We are aware of approximately 3 BTC and 4000 XMR stolen from 7 different victims. This is the situation as we know it so far. The only market affected was the XMR/BTC market, and all affected trades occured over the past 12 days. From 557aae2a80654e6cf4c8b39b2be919bed3ef8bf3 Mon Sep 17 00:00:00 2001 From: m52go Date: Wed, 8 Apr 2020 08:57:38 -0400 Subject: [PATCH 3/6] Change wording on payouts --- _posts/2020-04-08-statement-security-vulnerability.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2020-04-08-statement-security-vulnerability.md b/_posts/2020-04-08-statement-security-vulnerability.md index a51d9feb..8a852d24 100644 --- a/_posts/2020-04-08-statement-security-vulnerability.md +++ b/_posts/2020-04-08-statement-security-vulnerability.md 
@@ -15,7 +15,7 @@ This donation address is set by the Bisq DAO and approved by DAO stakeholders. B As soon as this attack was discovered, Bisq developers used the alert key to disable all trading on Bisq. The flaw in the trade protocol has been corrected in Bisq v1.3.0, and trading will resume once this hotfix is released. Bisq is properly peer-to-peer, so alert key functionality can be bypassed by users, but this is highly discouraged. -A proposal will soon be created in the Bisq DAO, Bisq’s funding mechanism, that will aim to repay the 7 victims and make them whole, paying out from future trading revenues. +A proposal will soon be created in the Bisq DAO, Bisq’s funding mechanism, that will aim to repay the 7 victims from future trading revenues. Security has always been a top priority for Bisq, but this incident shows it wasn't perfect. The project is evaluating several approaches to strengthening security reviews and practices even more, and will detail them soon. From d3aeb707f8e75edbbbbf332ae0e92e06b711aaef Mon Sep 17 00:00:00 2001 From: m52go Date: Wed, 8 Apr 2020 08:58:36 -0400 Subject: [PATCH 4/6] Change wording on years in operation --- _posts/2020-04-08-statement-security-vulnerability.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2020-04-08-statement-security-vulnerability.md b/_posts/2020-04-08-statement-security-vulnerability.md index 8a852d24..197659aa 100644 --- a/_posts/2020-04-08-statement-security-vulnerability.md +++ b/_posts/2020-04-08-statement-security-vulnerability.md 
@@ -19,4 +19,4 @@ A proposal will soon be created in the Bisq DAO, Bisq’s funding mechanism, tha Security has always been a top priority for Bisq, but this incident shows it wasn't perfect. The project is evaluating several approaches to strengthening security reviews and practices even more, and will detail them soon. -The Bisq developer community sincerely apologizes. In the past 6 years, Bisq has never had to use the alert key to enable “safe mode” on Bisq nodes, and this is an unprecedented case for the Bisq DAO. +The Bisq developer community sincerely apologizes. In the past 4 years of operating on mainnet, Bisq has never had to use the alert key to enable “safe mode” on Bisq nodes, and this is an unprecedented case for the Bisq DAO. From 81bef294364a1bd2ec398be28684413cda08532f Mon Sep 17 00:00:00 2001 From: m52go Date: Wed, 8 Apr 2020 09:05:34 -0400 Subject: [PATCH 5/6] Revise ending --- _posts/2020-04-08-statement-security-vulnerability.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_posts/2020-04-08-statement-security-vulnerability.md b/_posts/2020-04-08-statement-security-vulnerability.md index 197659aa..fbd7f805 100644 --- a/_posts/2020-04-08-statement-security-vulnerability.md +++ b/_posts/2020-04-08-statement-security-vulnerability.md 
@@ -13,10 +13,10 @@ Bisq v1.2, released in late October 2019, updated its trade protocol. It improve This donation address is set by the Bisq DAO and approved by DAO stakeholders. Bisq software did not verify that the payout address for trades was actually the Bisq donation address set by the DAO before signing and sending the time-locked payout TX to the trade counterparty. **In plain words, this exploit was the result of a flaw in the way Bisq trades are carried out, not in the way funds are stored (i.e., there is no honeypot since Bisq is P2P).** -As soon as this attack was discovered, Bisq developers used the alert key to disable all trading on Bisq. The flaw in the trade protocol has been corrected in Bisq v1.3.0, and trading will resume once this hotfix is released. Bisq is properly peer-to-peer, so alert key functionality can be bypassed by users, but this is highly discouraged. +As soon as this attack was discovered, Bisq developers used the alert key to disable all trading on Bisq. The flaw in the trade protocol has been corrected in Bisq v1.3.0, now released. Bisq is properly peer-to-peer, so alert key functionality can be bypassed by users, but this is highly discouraged. A proposal will soon be created in the Bisq DAO, Bisq’s funding mechanism, that will aim to repay the 7 victims from future trading revenues. Security has always been a top priority for Bisq, but this incident shows it wasn't perfect. The project is evaluating several approaches to strengthening security reviews and practices even more, and will detail them soon. -The Bisq developer community sincerely apologizes. In the past 4 years of operating on mainnet, Bisq has never had to use the alert key to enable “safe mode” on Bisq nodes, and this is an unprecedented case for the Bisq DAO. +In the past 4 years of operating on mainnet, Bisq has never had to use the alert key to enable “safe mode” on Bisq nodes, and this is an unprecedented case for the Bisq DAO. 
The Bisq developer community sincerely apologizes for this security failure. From c3587a0a739acb7be8e90ea66c655710ccbca2b2 Mon Sep 17 00:00:00 2001 From: m52go Date: Wed, 8 Apr 2020 09:08:58 -0400 Subject: [PATCH 6/6] Add link to 1.3 release --- _posts/2020-04-08-statement-security-vulnerability.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2020-04-08-statement-security-vulnerability.md b/_posts/2020-04-08-statement-security-vulnerability.md index fbd7f805..d9d1919a 100644 --- a/_posts/2020-04-08-statement-security-vulnerability.md +++ b/_posts/2020-04-08-statement-security-vulnerability.md @@ -13,7 +13,7 @@ Bisq v1.2, released in late October 2019, updated its trade protocol. It improve This donation address is set by the Bisq DAO and approved by DAO stakeholders. Bisq software did not verify that the payout address for trades was actually the Bisq donation address set by the DAO before signing and sending the time-locked payout TX to the trade counterparty. **In plain words, this exploit was the result of a flaw in the way Bisq trades are carried out, not in the way funds are stored (i.e., there is no honeypot since Bisq is P2P).** -As soon as this attack was discovered, Bisq developers used the alert key to disable all trading on Bisq. The flaw in the trade protocol has been corrected in Bisq v1.3.0, now released. Bisq is properly peer-to-peer, so alert key functionality can be bypassed by users, but this is highly discouraged. +As soon as this attack was discovered, Bisq developers used the alert key to disable all trading on Bisq. The flaw in the trade protocol has been corrected in Bisq v1.3.0, [now released](https://github.com/bisq-network/bisq/releases/tag/v1.3.0). Bisq is properly peer-to-peer, so alert key functionality can be bypassed by users, but this is highly discouraged. A proposal will soon be created in the Bisq DAO, Bisq’s funding mechanism, that will aim to repay the 7 victims from future trading revenues.
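Review bot: (PATCH 1/6, new file) The paragraph on the v1.2 protocol change reads as if arbitrators were replaced by arbitrators: "removing arbitrators with a 3rd key in the multisig escrow ... replaced with 2 new roles: mediators and arbitrators with **no keys**". Suggest wording such as "replaced with two roles that hold no key in the escrow: mediators, and a redefined arbitrator role", so the reader sees that the change is the removal of the third key, not of the role. The root cause is stated clearly in the next paragraph (the client did not verify that the time-locked payout address was the DAO-set donation address before signing), but the later sentence "The flaw in the trade protocol has been corrected in Bisq v1.3.0" never says what the correction is; if the fix is that the client now checks the payout address against the DAO donation address before signing, one clause saying so would let readers judge whether the fix matches the described flaw. Minor: "occured" should be "occurred" in the first paragraph, and the line ending "paying out from future trading revenues. " carries trailing whitespace.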
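Review bot: (PATCH 2/6) The added line `permalink: statement-security-vulnerability-april-2020` has no leading slash, while Jekyll permalinks are conventionally written as absolute paths (`/statement-security-vulnerability-april-2020`); check which form the site's other posts use so this post does not end up at a different path shape from the rest. With "April 08 2020" dropped from the title, the date now lives only in the filename and permalink, so confirm the post layout renders the date somewhere visible, since the body's "About 24 hours ago" and "over the past 12 days" are meaningless without it.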
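Review bot: (PATCH 6/6) Now that the paragraph links readers to the v1.3.0 release, it should also tell them what to do: the sentence "Bisq is properly peer-to-peer, so alert key functionality can be bypassed by users, but this is highly discouraged" describes the bypass without stating that a user who bypasses the alert on an older version is still exposed to the same payout-address flaw. Suggest adding something like "Do not trade again until you have updated to v1.3.0; older versions remain vulnerable even if the alert is dismissed", placed right after the release link so the instruction and the link sit together.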