Bisq has issued a new update on its v1 trade protocol exploit, shifting attention from the initial emergency halt toward reimbursement planning, hotfix work, and user safety.
The privacy-focused peer-to-peer Bitcoin exchange shared a Bisq Protocol Exploit Update on X after earlier confirming that an attacker had exploited Bisq v1 and drained a portion of available offers. The project had already said the incident was limited to offers actively taken by the attacker, while funds held inside users’ Bisq Bitcoin wallets were not affected.
That distinction is important because Bisq is not a centralized exchange with a pooled custody wallet. Trades use a peer-to-peer model, and the incident appears to have targeted the trade process rather than a central reserve of customer assets. A previous Bisq v1 exploit report placed the focus on the emergency controls used to stop additional vulnerable activity.
Missing Validation Check Remains The Key Lead
The current technical lead remains a missing validation check. In the earlier Bisq community security notice, the project linked the attack to a modified client and said developers were working to reproduce the issue, verify a fix, and release a hotfix based on the latest stable version.
Bisq also activated an emergency mechanism that set the required trading version to 2.0.0, a version that does not exist. That move was designed to prevent normal v1 trading from continuing while developers investigated the exploit path. Some users later asked why the app was demanding a version they could not download, and community moderators clarified that the nonexistent version number was a defensive control rather than a public release.
Open trades are being handled differently from open offers. Community support indicated that unaffected open trades can still be completed normally, and users whose trade windows have expired can open mediation. Bisq also said users with trades initiated on or after the morning of May 1 should open mediation by selecting the trade and pressing Ctrl + O so a mediator can assess whether the trade was affected.
Bisq 2 Was Not Affected
Bisq 2, including the Bisq Easy trade protocol, was not affected because it uses a separate codebase and different protocol design. That separation matters for users trying to understand whether the issue is a full-network compromise or a v1-specific protocol problem.
The incident still cuts into one of the core promises that makes decentralized exchanges attractive: users want self-custody, censorship resistance, and reduced reliance on centralized operators. A broader CEX vs DEX comparison shows why decentralized infrastructure reduces some custody risks while still leaving users exposed to protocol logic, client design, liquidity, and dispute-handling failures.
Bisq has also warned users to be cautious of impersonators, stressing that support staff will not DM first and that seed phrases should never be shared. In a live exploit response, that scam warning is part of the security perimeter, because attackers often move from protocol flaws to social engineering when users are anxious and looking for help.



