
Key takeaways
- Bisq estimates the May 1 exploit drained approximately 11 BTC from active offers
- Bisq developers say AI-assisted analysis reproduced the exploit faster than manual review
- Bisq plans fast reimbursement, but arbitration opens only after trade timelocks expire: 10 days for altcoin trades, 20 for fiat
A Small Validation Gap Became An 11 Bitcoin Loss
Bisq has published a preliminary update on the May 1 exploit, and the details are uncomfortable in exactly the way open-source security teams need to study. The project said the attack drained approximately 11 BTC from active offers, with only altcoin trades reported so far.
In its official follow-up, Bisq said the estimate is based on data analysis and affected-user reports, and that the final amount may change. The suspicious transactions reportedly shared a fingerprint: a 0.001 BTC multisig output paired with an unusually high 10,000 sat miner fee. That helped investigators isolate suspicious activity inside the relevant time window.
The exploit path was narrow but effective. Bisq said the taker supplied a negative miner fee. Maker and taker are supposed to use the same fee, but the maker did not validate the taker's value. When the maker calculated the multisig output amount, the negative value shrank that output to 0.001 BTC and pushed the remaining funds into the taker's change output. Bisq said that taker change output was a leftover from older protocol versions and should have been removed earlier.
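To make the failure concrete, here is an added example written for this article; it is not Bisq's code and does not reproduce Bisq's transaction format. It models a maker-built deposit transaction in which the taker reports the miner fee: the escrow layout, the constants and the function names are assumptions chosen to reproduce the effect Bisq described (a peer-supplied negative fee shrinks the multisig output and the remainder lands in a legacy change output). The hardened builder rejects the value before it touches any amount, and the fingerprint check implements the heuristic from the update, a 0.001 BTC multisig output paired with a 10,000 sat miner fee.

```python
"""Simplified model of a maker-built two-party deposit transaction.

Illustrative code only, not Bisq's implementation. Assumptions: amounts are
in satoshis, the maker folds the taker-reported fee into the escrow
(multisig) output, the deposit transaction itself pays a fixed agreed fee,
and whatever is left over is paid to a legacy taker change output.
"""
from dataclasses import dataclass

SAT_PER_BTC = 100_000_000
AGREED_FEE = 10_000  # constructed: the fee both parties are supposed to use


@dataclass(frozen=True)
class DepositTx:
    inputs_total: int     # satoshis funded by maker and taker together
    multisig_output: int  # funds locked in the 2-of-2 escrow
    taker_change: int     # legacy "leftover" output paid back to the taker

    @property
    def miner_fee(self) -> int:
        # On chain the fee is simply inputs minus outputs.
        return self.inputs_total - self.multisig_output - self.taker_change


def build_deposit_vulnerable(base_escrow: int, inputs_total: int, taker_fee: int) -> DepositTx:
    """Vulnerable maker: trusts the taker-supplied fee with no validation.

    A negative taker_fee shrinks the escrow output, and because the change
    output is derived from what remains, the difference flows to the taker.
    """
    multisig = base_escrow + taker_fee
    change = inputs_total - multisig - AGREED_FEE
    return DepositTx(inputs_total, multisig, change)


def validate_taker_fee(taker_fee: int) -> None:
    """Reject peer-supplied fee values before they reach any arithmetic."""
    # Explicit sign check: defense in depth even though the equality check
    # below would also catch it.
    if taker_fee < 0:
        raise ValueError(f"negative miner fee rejected: {taker_fee}")
    if taker_fee != AGREED_FEE:
        raise ValueError(f"taker fee {taker_fee} != agreed fee {AGREED_FEE}")


def build_deposit_hardened(base_escrow: int, inputs_total: int, taker_fee: int) -> DepositTx:
    """Hardened maker: validates the peer value and derives amounts locally."""
    validate_taker_fee(taker_fee)
    multisig = base_escrow + AGREED_FEE  # never computed from the peer's number
    change = inputs_total - multisig - AGREED_FEE
    # Assumption for this model: the taker must fund exactly, so any
    # leftover output is a protocol violation rather than legitimate change.
    if change != 0:
        raise ValueError(f"unexpected leftover output of {change} sat")
    return DepositTx(inputs_total, multisig, change)


def matches_exploit_fingerprint(tx: DepositTx) -> bool:
    """Fingerprint Bisq reported: 0.001 BTC multisig output, 10,000 sat fee."""
    return tx.multisig_output == SAT_PER_BTC // 1000 and tx.miner_fee == 10_000


def demo() -> tuple[DepositTx, DepositTx]:
    """Constructed trade: escrow of 0.026 BTC, honestly funded by both sides."""
    base = 2_600_000                 # trade amount plus both security deposits
    inputs = base + 2 * AGREED_FEE   # covers escrow fee share and deposit tx fee
    honest = build_deposit_vulnerable(base, inputs, AGREED_FEE)
    # Attacker reports a fee of -2,500,000 sat so the escrow lands on 0.001 BTC.
    attack = build_deposit_vulnerable(base, inputs, 100_000 - base)
    return honest, attack


if __name__ == "__main__":
    honest, attack = demo()
    for label, tx in (("honest", honest), ("attack", attack)):
        print(label, tx, "fee", tx.miner_fee, "flagged", matches_exploit_fingerprint(tx))
    try:
        build_deposit_hardened(2_600_000, 2_620_000, 100_000 - 2_600_000)
    except ValueError as exc:
        print("hardened builder rejected:", exc)
```

The point the model makes is that both transactions pay the same on-chain fee and both look well-formed to a node; only the maker-side check on the peer-supplied value, or a post-build comparison against a locally derived expected escrow amount, separates them.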
Reimbursement Is Moving, But Timelocks Still Matter
Bisq is trying to make affected users whole. The forum update said the goal is fast and complete reimbursement with minimal friction, but the project still has practical constraints. Victims must open arbitration cases, and arbitration only becomes available after protocol timelocks expire: 10 days for altcoin trades and 20 days for fiat trades.
There are governance constraints too. Bisq's decentralized autonomous organization (DAO) has limits on how much can be issued during a cycle, and the reimbursement proposal must be confirmed through voting. The current DAO cycle is expected to end around May 25. Cryptopolitan reported that maintainer Henrik Jannsen described the goal as reimbursing users in Bitcoin, with BSQ as an optional alternative, to reduce volatility risk for victims.
That matters because Bisq is not a centralized platform with a corporate treasury that can unilaterally announce a refund. It is a non-custodial trading protocol with governance, arbitration, and treasury constraints. That structure protects users from custodial risk, but it also makes incident response slower and more procedural.
The AI Lesson Is The Real Alarm
The most important part of Bisq's update was not the 11 BTC estimate. It was the investigation process. Bisq said one group of developers began manual code inspection while another group used AI-assisted analysis. The AI-assisted group was faster and identified the exploit path in a relatively short time. The first attempt produced a false positive, but a second attempt reproduced the exploit and generated both a proof-of-concept patch that triggered it and a corresponding fix.
Bisq did not claim certainty that the attacker used artificial intelligence (AI). It said the team's own experience made that possibility reasonable, especially with careful prompting and enough context. That is a serious warning. Large language models (LLMs) are not magic auditors, but they are now useful enough to compress vulnerability discovery work that once required more manual expertise and time.
Bisq said it has already fixed the immediate vulnerability and is working on additional hardening for a hotfix release. It also recommended that users avoid keeping more BTC in their Bisq wallet than necessary for active trading until further review and hardening are complete.
Why It Matters
Bitcoin tools do not get to opt out of the AI security race. Attackers can use LLMs to map old code paths, test strange inputs, and search for validation gaps. Defenders need to use the same machinery to harden wallets, exchanges, coordinators, and trading protocols before the next exploit lands.
The answer is not to trust AI as a primary security analyst. The answer is to treat it as a tireless assistant that can generate hypotheses, stress-test assumptions, and make manual reviewers faster. Permissionless systems survive by being harder to break than they are profitable to attack.