- Attackers drained about 7,000 XMR (worth $2.7 million) from Haveno’s trade protocol.
- RetoSwap suspended trading within two minutes of detecting the exploit on May 20.
- The flaw in the Haveno protocol allowed the hackers to impersonate an arbitrator and take over a multisig wallet.
Decentralized exchange RetoSwap was hit by an attack in which hackers exploited a flaw in the Haveno protocol and drained around $2.7 million in cryptocurrency.
The team acted fast by suspending trading, but the damage was already done.
How the Attack Happened
RetoSwap disclosed the exploit on May 20 through posts on X. Haveno lead developer Woodser spotted the issue at 2:31 UTC. The exchange blocked the attacker’s onion address immediately. Two minutes later, an emergency client update froze all trading.
The attack did not break RetoSwap’s own infrastructure. Instead, hackers found a hole inside Haveno’s trading protocol. The incident mainly hit large crypto trades. Fiat transactions stayed safe. The platform has since paused operations while developers investigate and build a security patch.
RetoSwap later shared more details about the trick. Attackers messed with Haveno’s trade messaging system during active transactions. Woodser explained how the exploit happened.
Woodser said that when the attacker initiated a trade, they sent a fake out-of-order ACK message pretending to be the arbitrator. This tricked the software into updating the arbitrator’s node address to the attacker’s own. That let the attacker create a compromised multisig wallet before the funds were deposited.
Simply put, the hacker posed as the referee before any money entered the shared wallet. That gave them unauthorized control over the trade.
What RetoSwap Users Should Do Now
Later on, RetoSwap told users to back up their wallet files right away. This helps in case recovery becomes possible later. The platform shared backup steps for Linux, macOS, and Windows systems. It also pointed users to Haveno’s built-in backup tool. The message was clear: act quickly to secure your local data.
RetoSwap runs as a peer-to-peer trading platform using Tor and the Haveno protocol. It never holds user funds. Traders operate directly from local wallets instead of depositing assets into centralized accounts. The platform supports Monero, Bitcoin, Ethereum, Litecoin, Bitcoin Cash, and several stablecoins on the Ethereum and Tron networks.
A Wider Wave Of Bridge Exploits
The RetoSwap hack is not an isolated event. The crypto world is seeing a surge in similar failures. MAP Protocol and ButterNetwork also reported a bridge attack involving nearly 1 quadrillion fake MAPO tokens. Blockchain security firm Blockaid linked that incident to weak message verification systems.
In addition, Echo Protocol regained ownership of an administrator key from attackers after they minted approximately $816,000 worth of unapproved eBTC tokens. The team decided to suspend several aspects of their cross-chain operations while reviewing access permissions and contract safety measures.
According to the blockchain security company PeckShield, hackers have taken about $328.6 million in 2026 through bridge-related breaches. Thefts keep rising as small security flaws in poorly designed cross-chain infrastructure lead to high-value losses.
The trend continues with other platforms. Thorchain’s suspected $11 million exploit after an emergency shutdown shows that even established DeFi protocols are vulnerable to sophisticated attacks.
Implications of this Breach and Next Steps
One takeaway from this breach? No platform is immune to attacks, not even the non-custodial platforms we all thought were safer. The attack did not target RetoSwap’s code. It hit the underlying Haveno protocol. That means one weak link in a shared tool can hurt every platform using it.
For users, the main risk is losing funds that never leave their own wallets. The exploit manipulated the trade setup phase. Victims thought they were sending money to a safe multisig wallet, not knowing that all of it was going into an attacker’s wallet.
Here are ways you can stop similar attacks from happening in the future:
- For developers: Run mandatory arbitration node identity verification before each trade. Never trust a single ACK message to update arbitrator addresses. Add multi-step confirmations for any changes to wallet participants. Use time-locks and delay mechanisms for high-value trades. Conduct regular third-party security audits of the entire trade protocol, not just the exchange frontend.
- For users: Always double-check the arbitrator’s public key through an independent channel before depositing funds. Start with a small test transaction for any large trade. Keep local wallet backups offline. Follow the platform’s official channels for emergency updates. Avoid trading on any DEX that cannot pause or reverse suspicious activity quickly.
- For the industry: Create a shared alert system for protocol-level exploits. If one platform detects a flaw, others using the same protocol get notified instantly. Standardize emergency response playbooks across all non-custodial exchanges. Require proof of recent security audits before listing any bridge or trading protocol.
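The developer advice above (verify the arbitrator's identity, never let a single ACK update its address) as an added example that is not Haveno's or RetoSwap's code. It is a simplified Python model: the names `Ack`, `Trade` and `handle_ack_*`, the message fields and the sample values are assumptions, and HMAC stands in for a public-key signature check.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

def sign(key: bytes, payload: bytes) -> bytes:
    # Stand-in for a public-key signature check against the pinned arbitrator key.
    return hmac.new(key, payload, hashlib.sha256).digest()

@dataclass
class Ack:
    trade_id: str
    acked_msg_id: str      # id of the message this ACK claims to acknowledge
    sender_address: str    # self-declared by the sender, so untrusted
    signature: bytes = b""
    def payload(self) -> bytes:
        return f"{self.trade_id}|{self.acked_msg_id}|{self.sender_address}".encode()

@dataclass
class Trade:
    trade_id: str
    arbitrator_address: str   # pinned when the trade is created
    arbitrator_key: bytes     # pinned verification key (HMAC stand-in)
    awaiting_ack: set = field(default_factory=set)  # ids of messages sent to the arbitrator

def handle_ack_naive(trade: Trade, ack: Ack) -> bool:
    # Simplified model of the flaw: the ACK's claimed sender overwrites pinned state.
    trade.arbitrator_address = ack.sender_address
    return True

def handle_ack_hardened(trade: Trade, ack: Ack) -> bool:
    ok = (
        ack.trade_id == trade.trade_id
        and ack.acked_msg_id in trade.awaiting_ack          # reject unsolicited / out-of-order
        and ack.sender_address == trade.arbitrator_address  # compare, never adopt
        and hmac.compare_digest(ack.signature, sign(trade.arbitrator_key, ack.payload()))
    )
    if ok:
        trade.awaiting_ack.discard(ack.acked_msg_id)  # each ACK is accepted once
    return ok

def demo() -> tuple:
    # Constructed sample values; the addresses and key are placeholders.
    key, pinned = b"placeholder-key", "arbitrator.onion.example"
    forged = Ack("T1", "m9", "unknown.onion.example", b"\x00" * 32)
    good = Ack("T1", "m1", pinned)
    good.signature = sign(key, good.payload())
    naive, hard = Trade("T1", pinned, key, {"m1"}), Trade("T1", pinned, key, {"m1"})
    handle_ack_naive(naive, forged)
    return (naive.arbitrator_address, handle_ack_hardened(hard, forged),
            hard.arbitrator_address, handle_ack_hardened(hard, good))
```

The hardened handler only ever compares against the identity pinned at trade creation; changing a participant's address would have to go through a separate, explicitly confirmed step.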
RetoSwap’s two-minute response was impressive. But prevention is always better than a fast pause. Cross-chain protocols are still in their infancy, so for now treat every trade as if it contains a hidden flaw. Exercise caution, keep backups of everything, and do not assume that being decentralized makes a network secure.