Vulnerability in Bisq found and disclosed

07 Jul 2021

In July 2021, while Haveno was in its infancy, we found a critical vulnerability in Bisq.

This issue allowed an attacker to harvest users’ payment information on Bisq. This information included:

All of this data could have been harvested at no cost to the attacker. We don’t know how long Bisq had this vulnerability or whether it was exploited. We know that it was probably not exploited at a large scale, or Bisq’s support team would have noticed a spike in support tickets.

We reported the vulnerability to Bisq and helped them patch it. They then released a patched version of their software (v1.7.0), which fixed the problem.

The disclosure on Haveno’s Twitter: https://twitter.com/HavenoDEX/status/1412782658887766016.

The disclosure on Bisq’s Twitter: https://twitter.com/bisq_network/status/1412536933910147072.