Monero DEX RetoSwap Halts Trading Following $2.7M Exploit in Haveno Protocol

RetoSwap, a decentralized exchange built on the Haveno protocol, reported a security breach that resulted in the loss of approximately 7,000 XMR, valued at around $2.7 million. The attack, which occurred on May 20, 2026, exploited a vulnerability in Haveno’s trade protocol, specifically targeting its multisig process.

Swift Emergency Response

The breach was first detected by Haveno’s lead developer, woodser, at 2:31 UTC. RetoSwap acted quickly, blocking the attacker’s onion address and halting trading just two minutes later through an emergency client update. This rapid response was crucial in preventing further losses, but the damage had already been done.

RetoSwap clarified that the exploit did not compromise its own infrastructure. Instead, the attackers manipulated Haveno’s trade messaging system, which allowed them to impersonate an arbitrator and gain unauthorized control during trades. The flaw primarily affected large crypto transactions, while fiat transactions remained unaffected.

How the Exploit Worked

According to RetoSwap, the attackers interfered with the trade messaging system during active transactions. They sent a fake, out-of-order acknowledgment message that impersonated the arbitrator, causing the software to update the arbitrator’s node address to their own. This manipulation enabled them to create a compromised multisig wallet before funds were deposited.

“Here’s how the exploit worked: when the attacker took a trade, they sent a fake, out-of-order ACK message impersonating the arbitrator, causing the software to update the arbitrator’s node address to their own,” woodser explained.
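
The failure mode described above, modeled as an added example that is not Haveno's or RetoSwap's code: a handler that trusts the claimed role and adopts the sender's address, next to one that authenticates the sender against a key pinned at trade creation, rejects acknowledgments for messages it never sent, and never rewrites the pinned address. All class, field and function names are hypothetical, the key and addresses are constructed, and an HMAC stands in for the signature check a peer-to-peer protocol would use.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

@dataclass
class Ack:  # hypothetical message shape, not Haveno's wire format
    trade_id: str
    acked_msg_id: str   # id of the message being acknowledged
    sender_role: str    # role the sender claims
    sender_addr: str    # node address the message came from
    tag: bytes = b""    # MAC over the fields (stand-in for a signature)

    def payload(self) -> bytes:
        return "|".join((self.trade_id, self.acked_msg_id,
                         self.sender_role, self.sender_addr)).encode()

@dataclass
class Trade:
    trade_id: str
    arbitrator_addr: str   # pinned when the trade is created
    arbitrator_key: bytes  # pinned key (constructed sample value)
    awaiting_ack: set = field(default_factory=set)  # ids sent to the arbitrator

def mac(key: bytes, ack: Ack) -> bytes:
    return hmac.new(key, ack.payload(), hashlib.sha256).digest()

def naive_handle_ack(trade: Trade, ack: Ack) -> None:
    """The failure mode: trust the claimed role, adopt the sender's address."""
    if ack.sender_role == "arbitrator":
        trade.arbitrator_addr = ack.sender_addr

def strict_handle_ack(trade: Trade, ack: Ack) -> str:
    """Return 'ok' or a rejection reason; never rewrites the pinned address."""
    if ack.trade_id != trade.trade_id:
        return "wrong trade"
    if not hmac.compare_digest(mac(trade.arbitrator_key, ack), ack.tag):
        return "unauthenticated sender"
    if ack.sender_addr != trade.arbitrator_addr:
        return "address mismatch"
    if ack.acked_msg_id not in trade.awaiting_ack:
        return "out-of-order ack"
    trade.awaiting_ack.discard(ack.acked_msg_id)
    return "ok"

if __name__ == "__main__":
    key = b"constructed-arbitrator-key"
    trade = Trade("t1", "arb.onion", key, {"m1"})
    forged = Ack("t1", "m9", "arbitrator", "other.onion")  # no valid tag
    print(strict_handle_ack(trade, forged), trade.arbitrator_addr)
```

Logging each rejection reason together with the trade id gives defenders a signal to alert on, since a legitimate arbitrator should never trigger "unauthenticated sender" or "address mismatch".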

User Precautions and Future Steps

In the wake of the incident, RetoSwap urged users to back up their wallet files immediately, providing detailed instructions for Linux, macOS, and Windows systems. The platform emphasized the importance of securing local data in case recovery efforts become possible.

RetoSwap operates as a peer-to-peer trading platform that utilizes Tor and the Haveno protocol, allowing traders to operate directly from local wallets without depositing assets into centralized accounts. The platform supports various cryptocurrencies, including Monero, Bitcoin, Ethereum, and several stablecoins.

A Broader Concern in the Crypto Space

This incident is part of a troubling trend in the decentralized finance (DeFi) sector, where security vulnerabilities continue to be exploited. Other platforms, such as MAP Protocol and ButterNetwork, have also reported attacks, highlighting ongoing weaknesses in bridge message verification systems. According to blockchain security firm PeckShield, hackers have stolen approximately $328.6 million from bridge-related exploits in 2026 alone, underscoring the urgent need for enhanced security measures across the crypto landscape.

As RetoSwap pauses operations to investigate the flaw and develop a security patch, the incident serves as a stark reminder of the vulnerabilities that persist in the rapidly evolving world of decentralized finance. Users are urged to remain vigilant and proactive in securing their assets as the industry grapples with these ongoing challenges.

Disclaimer

This article was generated automatically and is not written or endorsed by the site’s editorial author.
Content may be lightly edited for factual clarity or accuracy when necessary.