RetoSwap, an anonymous peer-to-peer exchange specializing in Monero (XMR) trading, suffered a security breach resulting in the theft of approximately 7,000 XMR (valued at roughly $2.7 million).
The attack exploited a vulnerability in RetoSwap's arbitration protocol. The attacker sent forged acknowledgment (ACK) messages impersonating the platform's arbitrator, allowing them to overwrite node addresses with their own before the creation of multisignature wallets. This manipulation granted the hacker unauthorized access to user funds held in escrow, bypassing the platform's security mechanisms designed to protect peer-to-peer transactions.
The breach underscores persistent vulnerabilities in decentralized exchange infrastructure, particularly in systems handling privacy-focused assets. RetoSwap's reliance on arbitrator-based dispute resolution created a single point of failure exploitable through message spoofing. The incident follows other recent protocol compromises, including the MAP Protocol hack, indicating that P2P exchange platforms continue to face significant security challenges as they scale.