Bitcoin exchange Bisq fixes vulnerability that compromised user data

Key facts:

The vulnerability exposed users’ bank details, names and addresses.

In its version 1.7.0, Bisq also made its bitcoin transactions more efficient.

The bitcoin exchange Bisq was updated to version 1.7.0, which includes the correction of a vulnerability that put the data of its users at risk. This was exposed by its developers recently, through their Twitter account.

Before the new version, the trading process at Bisq included sharing bank details for verification before the parties agreed to buy and sell bitcoin (BTC). This way, failed trades caused by erroneous data at the initial point of the exchange were avoided.

This approach made it possible for malicious peers running tampered Bisq software to view a peer’s account data without engaging in an actual trade; it was (theoretically) possible to do so without incurring any cost (fees, locking up BTC).


Now, the exchange of account data occurs later in the process, after both parties have committed to the operation and the trade transaction has been carried out. “This creates a financial burden for a malicious peer trying to collect their trading peers’ account data,” the Bisq developers explain.

The vulnerability was found by the team at Haveno Protocol, a decentralized exchange being developed partially on the basis of the Bisq code. According to the developers of this protocol, who explained the issue via Reddit, the vulnerability exposed not just account details but names and “potentially home addresses”.

Bisq says it is not aware of this vulnerability having been exploited at any point. In this regard, they assured that “such abuse would have led to failed operations and, on a large scale, Bisq support would have noticed trends in users who reported such a problem.”

More efficient transactions at Bisq

In addition to correcting the vulnerability, the update has sought to make transactions in Bisq more efficient. Previously, the hash of the trading contract (the output of a cryptographic function that identified that contract) was included as an OP_RETURN output in the BTC escrow transaction.

The idea was that this hash would represent a commitment by both parties to the contract, much like signing an agreement. However, this made the transactions larger, placing additional information on the Bitcoin blockchain.

This meant higher miner fees and made Bisq’s transactions easier to track and identify. The feature was removed in the move to version 1.7.0, its developers said.
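To make the trade-off concrete, here is an added example (not Bisq’s own code) that builds an OP_RETURN commitment to a constructed sample contract, works out the extra bytes and fee such an output costs at a given feerate, and shows why the output is a fingerprint: any transaction carrying an OP_RETURN with a single 32-byte push stands out. The contract format and the use of SHA-256 over canonical JSON are assumptions; the page does not state how Bisq serialises or hashes its contracts.

```python
import hashlib
import json

# Constructed sample trade contract (not real Bisq data): both peers agree on it
# and the escrow transaction used to commit to its hash.
CONTRACT = {"offer_id": "demo-offer-0001", "amount_btc": "0.01", "price": "30000"}


def contract_hash(contract: dict) -> bytes:
    # Assumption: SHA-256 over canonical JSON; Bisq's real serialisation is not on the page.
    canonical = json.dumps(contract, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).digest()


def op_return_script(payload: bytes) -> bytes:
    # OP_RETURN (0x6a) followed by a direct push: one length byte (max 75) then the data.
    if not 1 <= len(payload) <= 75:
        raise ValueError("payload must fit a single direct push")
    return b"\x6a" + bytes([len(payload)]) + payload


def output_size_bytes(script: bytes) -> int:
    # A transaction output is an 8-byte value, a varint script length (1 byte here)
    # and the script itself. Non-witness bytes count fully toward virtual size.
    return 8 + 1 + len(script)


def extra_fee_sats(script: bytes, feerate_sat_per_vb: int) -> int:
    # Fee the commitment output adds on top of an otherwise identical transaction.
    return output_size_bytes(script) * feerate_sat_per_vb


def is_hash_commitment_output(script: bytes) -> bool:
    # The tracking angle: an OP_RETURN whose only push is exactly 32 bytes has the
    # shape of a hash commitment, so a chain observer can flag such transactions.
    return len(script) == 34 and script[0] == 0x6A and script[1] == 0x20


def verify_commitment(script: bytes, contract: dict) -> bool:
    # The check a party could make later: does the on-chain commitment match the
    # contract it actually agreed to?
    return is_hash_commitment_output(script) and script[2:] == contract_hash(contract)


if __name__ == "__main__":
    script = op_return_script(contract_hash(CONTRACT))
    print("scriptPubKey:", script.hex())
    print("extra vbytes:", output_size_bytes(script), "extra sats @10 sat/vB:", extra_fee_sats(script, 10))
    print("fingerprintable:", is_hash_commitment_output(script))
```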

Unlike other bitcoin exchanges, Bisq is decentralized. On this platform, peers trade with each other without Bisq taking custody of the bitcoins. The funds for the trade go to a multi-signature wallet that releases them when both parties declare that the exchange has been completed.

In addition, it does not require registration with personal data, and as reported by CriptoNoticias last April, the increase in transactions on the platform seems to reflect a growing interest among bitcoiners in their privacy.

