Haveno had serious exploit allowing XMR theft

submitted by hetzlemmingsworld to haveno 2 points | 1 comments

A live instance of the Haveno software (RetoSwap) is effected. Details of the exploit from Haveno dev woodser are as follows: "when the attacker took a trade, they sent a fake, out-of-order ACK message impersonating the arbitrator, causing the software to update the arbitrator’s node address to their own, allowing them to create a compromised multisig wallet before funds were deposited. preventing this is straight forward, by checking that the multisig wallet is already created before updating the arbitrator’s address: github.com/haveno-dex/haveno/pull/2315".

It’s not yet clear exactly how much Monero has been stolen. Haveno network operators are strongly advised to halt trading which RetoSwap has done.

reddit.com/…/psa_haveno_tradeprotocol_exploit/

www.reddit.com/r/…/retoswap_haveno_exploit/