Just gonna add my own thoughts to this one. The exchange got hit basically the only place it could, and that seriously sucks. The amount stolen was a huge share (20-25%) of the daily volume, so it's going to have a pretty significant impact on both Monero's ecosystem and the exchange itself.
Terrible situation overall. Hopefully it recovers soon.
Neophyte-Platinum | QC: CT 200, CC 106, PRL 36 | 5 months ago
this is actually good for xmr, why do you think they chose that pair? volume is a factor, but there are no dirty coins to hunt for.
The way Bisq worked was you entered a multisig contract on 2 different networks (i.e. Bitcoin and XMR). If one person refused to send the coins on one network, the coins on the other network would be diverted to a donation address. This basically means even with a custom client you can't scam someone or both of you lose your coins.
From the wallet to the network, Bisq protects your coins and you own your keys. But, if you make a transaction, the attack vector is greater than just the keys and now includes the transaction as well.
Using a custom implementation, hackers were able to modify the transaction used in trading and change the donation address without the transaction counting as invalid. An unsuspecting trader uses the transaction with them, and the attacker aborts, leaving all the coins to go to the donation address. Except now, it's not a donation address, but the attacker's own wallet.
Neat, any idea what the fix was? I guess hard-coded checking against a whitelist of donation addresses? Do you know if the people who control those addresses have committed to refunding any fraudulently collected donations?
n0f00dGold | QC: CC 71 | r/pcgaming 47 | 5 months ago
Great info! Should have posted this as a top-level comment.