Hodl Hodl, a non-custodial marketplace for bitcoin peer-to-peer purchases and loans, published an update on the security issue it reported in early August.
On Aug. 2, Hold Hodl reported a security issue on its platform for peer-to-peer bitcoin loans, named Lend. The team asked users to migrate their loan contracts to new escrows and get stronger payment passwords. Hodl Hodl also said it had to force-liquidate some of the contracts to keep users’ funds safe from possible attacks.
In an update on Friday, Hodl Hodl said two vulnerabilities were found in Lend’s code. The team did not identify any loss of users’ funds. However, it “had no guarantee that these vulnerabilities weren’t exploited already, and some user payment passwords weren’t obtained by bad actors,” according to a Sept. 2 blog post explaining why the team asked users to migrate their funds to new escrows.
Hodl Hodl also force-liquidated some of the most risky contracts, less than 1% of all contracts, the blog post said.
Hodl Hodl does not store users’ funds and runs on what the team calls bitcoin smart contracts, allowing users to generate multisignature escrow wallets in which the bitcoin gets locked until the deal is complete. This allows people to trade bitcoin for fiat money or borrow USD-denominated stablecoins, like USDT, for collateral without parking their funds with a third-party entity, as centralized platforms do.
In late July, Hodl Hodl hired a new auditing firm to check the security of its code, and the firm found two vulnerabilities. “One of them allowed to easily brute force weak passwords. Another one was found in the front end of our lending platform. This vulnerability could lead users to input their payment passwords into a fake form (produced and generated by the attacker), allowing them to access the user’s private key,” Hodl Hodl wrote.
The issue applied only to the lending product, not the trading product, CEO Max Keidun told CoinDesk. He confirmed no funds had been stolen.
The team is now working on “new extra security features, which will be a part of a more significant update called Lend 2.0,” according to the blog. The new platform will be launched sometime in September, the company added, and will “contain major security and UI/UX improvements and use a different security and usability approach than the previous version.”
For now, the platform is closed to new loan contracts, which will become available after the relaunch. Existing contracts that haven’t expired yet are still running on the platform, Keidun said.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.