8 Apr 2020 |
sethsimmons | So not as bad as I thought at first, but still bad | 14:53:21 |
chappjc | Hopefully they caught it quickly, but there is a known attacker, so people have likely been burned already. | 14:53:56 |
sethsimmons | Yup :X | 14:54:29 |
chappjc | It's pretty bad that they weren't checking the default address because that's where the funds go if a bad actor decides it. | 14:54:59 |
chappjc | I wonder if there's a way to extract these invalid addresses from the bisq network somehow, or if they are even stored there. | 14:55:52 |
chappjc | To get a read on the scale of the attack. | 14:56:14 |
chappjc | Similar concerns apply with atomic swap contract auditing too, to be fair. | 14:58:05 |
chappjc | k, catching up: https://bisq.network/statement-security-vulnerability-april-2020 | 15:06:34 |
chappjc | 4000 XMR!!!!!!!!!!!!!!!!! | 15:06:51 |
chappjc | Um, since the donation/default address is BTC, I'll assume that was an arbitrator who lost the XMR. 😬 | 15:07:32 |
chappjc | "trades occurred over the past 12 days" So they caught it after the 10 day time locked tx went through, and didn't make it to the intended destination (bisq's default address) | 15:08:27 |
chappjc | The arbitrators were definitely the "victims" here. Ouch. | 15:11:30 |
chappjc | They literally announced this on twitter while we were chatting: https://twitter.com/bisq_network/status/1247898021888581634 | 15:17:39 |
chappjc | I've asked in a reply if the victims were the arbitrators. Seems clear they were. Also seems clear that the arbitrators could have audited the time locked txn before paying out of pocket, but didn't | 15:19:11 |
chappjc | I'm not going to plug dcrdex or criticize though since I'm sure this hurts those who lost money. | 15:20:29 |
chappjc | Apparently the BTC buyers were the only victims. | 15:27:09 |
chappjc | Bisq is about to get regulatory attention, assuming one of the cheated victims complains, which seems inevitable since they'd need roughly $0.25 MM to make everyone whole. | 16:10:05 |
chappjc | But who knows... those cheated were selling XMR. :) | 16:12:14 |
jy-p | gotta blow your cover to file suit | 16:13:40 |
jy-p | gee, if only a system existed that didn't have all this pointless complexity engineered in | 16:14:07 |
jz | It's not a flaw it's a feature! <proceeds to burn entire house down with said feature> | 16:32:42 |
chappjc | Well, we can't do atomic swaps with Monero present, so that's unfortunate | 16:34:14 |
jz | They'd be smart to start thinking about how they can build out support, DEX/OTC is pretty important for them I'd imagine since most serious exchanges have XMR blacklisted. | 16:36:14 |
gravityz3r0 | Is bisq operating principle markedly different from how dcrdex is going to be? On the first glance, they appear similar to a layman eyes | 19:43:12 |
gravityz3r0 | O wait, they are not fee-less I suppose | 19:45:04 |
jy-p | no arbitration | 19:46:19 |
chappjc | No extra token required either, although I'm not completely clear how BSQ works. You wanna trade X for Y, you only need to worry about X and Y. | 19:51:29 |
chappjc | (with dcrdex) | 19:52:35 |
klex22 | do you need full nodes for trading? | 19:55:57 |
chappjc | It's quite jarring to find that with bisq, their new solution that replaced 2-of-3 multisig is to have a second transaction (only used when a trade goes sideways) that sends funds to the exchange (the donation/default address), only to require the arbitrators to pay out of pocket to resolve the issue. | 19:55:58 |