Nostr Web Client

"LocalMonero clone OpenMonero has announced that the platform was hacked on June 6th and reported that all user and vendor funds - up to 200 XMR - were apparently stolen:

"All funds (50-200 xmr) have been stolen in a hack on 6/6/2025. Registration, login and trading is disabled until the firewall is updated. All users will be refunded. Vendors are first on the list.""

https://monero.observer/openmonero-hacked-reports-all-funds-stolen/#fn:3

894c61fd... 6mo ago 💬 1

openmonero.com may actually be one of the most secure platforms out there, thanks to its use of non-custodial trade settlements, non-custodial funding, and relatively quick trade finalization (on hour). To date, only about 20k USD of user funds have been stolen, (plus 3k arbiter funds), despite a monthly trade volume of roughly half a million dollars. Had I implemented a setup like haveno, I’d probably have seen at least 2 million USD stolen (good luck trying to refund that).

Reply to this note

Please Login to reply.

Discussion

Saberhagen The Nameless 6mo ago 💬 1

Yep, I like the fact that you guys don't require offers to be "prefunded" until they're actually taken iirc. Would've been much worse. Haveno should do this as well.

shortwavesurfer2009 6mo ago 💬 6

Offers are not prefunded in Haveno. The amount needed to complete the offer is put in a locked state in your local wallet until such time as the offer is taken. Only then do your funds move to a 2 of 3 multi-sig.

Up until that point, your funds are 100% yours in your own self custody wallet on your device.

Saberhagen The Nameless 6mo ago 💬 1

After reading over the docs again I think you might be right.

But what does it mean to be put into a "locked state"? Not sure how funds are 100% yours yet also "locked"

https://github.com/haveno-dex/haveno/blob/master/docs/trade_protocol/trade-protocol.md

shortwavesurfer2009 6mo ago 💬 2

The wallet marks the e-notes as unspendable. You could of course restore it in something like Monero GUI and spend them, but in the Haveno wallet themselves the notes are marked unspendable until such time as the offer is either taken or you cancel it.

goatmeal 6mo ago 💬 1

I gave my retoswap seed phrase to feather and had both applications open at the same time during trades. it's an easy way to confirm the behavior.

shortwavesurfer2009 6mo ago

Another way of seeing that this is what happens is because when you don't have an exact amount it will reserve more than what's needed to complete the trade because it has to reserve multiple e-notes of equal or greater value.

Saberhagen The Nameless 6mo ago 💬 1

Still kind of confused. So is it more of a convenience thing to segregate your funds for the trade? Because obviously if you can just spend them in another wallet it isn't to really lock anything. Either way this would be more to your point about your funds not being locked into a multisig until the trade is taken which is great.

shortwavesurfer2009 6mo ago 💬 2

In the actual application, they are locked, although you could spend them from another wallet, and I assumed that if you did, it would notice that the funds that were reserved were removed and cancelled the offer, but that's something I don't know for certain.

Saberhagen The Nameless 6mo ago

That would make sense. I would assume the same. Let me know if you get confirmation on that

Saberhagen The Nameless 6mo ago 💬 2

So after thinking and reading about this more I think I narrowed down the problem...afaict Haveno/Retoswap, in it's current state, has more at risk from rugpulls than necessary - currently over a million USD at stake.

Sell offers are sitting there waiting to be automatically locked into a 2/3 multisig once taken (from potentially malicious admins controlling arbitrator/taker bots meaning they would have enough keys to steal)

Right now nothing is really preventing admins from sweeping the entire orderbook on the sell side.

894c61fd... 6mo ago

The haveno rugpull amount according to my calc is USD 2.5 millions

NOTE: the security deposits from haveno market markers are part of the pot as well

XMR/USD according to haveno.markets

$283.10

Liquidity according to haveno.markets

7,474.47 XMR

15% security deposits = Liquidity x 15/100

1121.17 XMR

rugpull amount = liquidity + 15% security deposits

rugpull amount = 7,474.47 + 1121.17 XMR

rugpull amount = 8595,64 XMR = 2,433,425.68 USD

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #bitcoin #btc #decentralized #nostr #moneroju

ede3d957... 6mo ago

Crypto transactions should not need an arbitrator. It should be atomic swaps only.

The fiat orderbook is much smaller meaning less risk. Then there should also be competing networks built into Haveno itself.

Arbitrators maybe should lock a certain amount of money as well to keep them honest. Not yet sure how to do it.

894c61fd... 6mo ago 💬 1

How can anyone honestly think that locked haveno coins are truly in self-custody? In reality, bad haveno arbiters could easily pretend to be legit takers and get the 2/3 majority needed to approve a transaction, which could lead to theft. Even worse, admin bots could just wipe out the whole haveno order book with ease. This issues has been confirmed by official dread mods and some reddit users.

Quote /u/WoodenInformation730:

The arbitrators could rug the whole orderbook (all sell offers and security deposits) by taking all the offers at once.

Source: https://rl.bloat.cat/r/Monero/comments/1l5jkp2/openmonerocom_got_hacked_as_reported_in_their/mwp7yhn/?context=3#mwp7yhn

Quote: /u/monero_desk_support:

After some thoughts, I think you are right and that the arbitration system in Haveno doesn't prevent arbitrators from pulling the funds. They would need to create a bot that takes all the offers and automatically unlock the funds with the key of the taker and arbitrator

Source: http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/4e7e530582ff902b6903/#c-cac5570453f7fa9f42

Quote /u/geonic_ (Monero Outreach Producer):

Reto has been around for a few milliseconds basically and nothing stops the network operators from creating fake orders if the pot gets big enough. A network would have to be operating successfully for a few years before I trust it with any significant amounts.

Source: https://rl.bloat.cat/r/Monero/comments/1h4icot/is_haveno_anymore_secure_than_trading_with_a/m0ae3rk/?context=3#m0ae3rk

Quote /u/WoodenInformation730: To post an offer, you have to deposit the amount + security deposit. If an arbitrator acts maliciously, they could take an offer and essentially steal the funds by signing the 2/3 multisig transaction, since they'd have two keys.

Source: https://rl.bloat.cat/r/Monero/comments/1l5jkp2/openmonerocom_got_hacked_as_reported_in_their/mwj10k3/?context=3#mwj10k3

Quote /u/jossfun:

Haveno relies upon arbitration by the network you’re operating on. In a case where the arbitrators act maliciously they can create trades where they control 2/3 keys to seize funds.

Source: https://rl.bloat.cat/r/Monero/comments/1h4icot/is_haveno_anymore_secure_than_trading_with_a/

EspañolLuchador 6mo ago 💬 1

Is the same with bisq?

Ape Mithrandir 6mo ago

No Bisq uses 2-of-2 MuSig with a DAO donation address used for the rare Arbitration.

EspañolLuchador 6mo ago

Oh thank you I'll research more. It is awesome. Open source is something very impressive. The fact that we can trade without trust is mind blowing. I use bisq and I'm amazed that it works. The incentives align so neither of the people have incentives to scam.

894c61fd... 6mo ago

Haveno’s multi-sig trading only protects trades that have already been accepted, which is about 1% of all the liquidity. The rest, like open offers, aren’t protected and could potentially be taken or misused by the admins. So, it’s confusing why some people still see Haveno as a fully self-custodial exchange, when in reality, it’s more like a centralized liquidity platform.

For a more detailed understanding, please read the section about self-custodial trade funding:

https://openmonero.com/faq#self-custodial-trading-funding

dbac4405... 6mo ago

Its good to have options. An offer waiting to be taken is not at risk at all if i recall correctly. Why are you trying to argue havenos modal is not good compared to a website are you always high or something? Its not perfect but it doesnt risk everyone's funds. Its good to have options and I'm saying that in lieu of trash talking you and your website.

894c61fd... 6mo ago

Quote shortwavesurfer2009:

The way it would work would be that an arbitrator would create a bot to take the offers and then use the key from the taker bot and their arbitrator key to steal the escrow which contains the seller's Monero plus their security deposit.

Source: nevent1qqs0h2fvwvcsg58l6xw9hwpav4kk3vry933rrm6pparrf0s7p9rel6gpz4mhxue69uhkg6t5w3hjuur4vghhyetvv9uszyrhwden5te0v5hxummn9ekx7mp0qythwumn8ghj7en9v4j8xtnwdaehgu3wvfskuep0mvpr6f