RetoSwap Trading Freeze After Second Haveno Exploit Sparks $2.7M XMR Loss Shockwave

How the Haveno Protocol Exploit Led to a $2.7 Million XMR Loss and Forced a Second Trading Shutdown

A critical vulnerability in the Haveno trading protocol has triggered its second major security incident in less than 30 days, raising fresh concerns across the Monero-based peer-to-peer trading ecosystem.

On June 17, 2026, RetoSwap, a decentralized trading platform built on Haveno, suspended all trading activities after confirming that the underlying protocol was being actively exploited again. The move came just weeks after a similar attack on May 20, 2026, which resulted in the theft of approximately 7,000 XMR, valued at roughly $2.7 million at the time.

While RetoSwap has emphasized that its own infrastructure was not compromised, the repeated breaches have drawn attention to deeper structural weaknesses within the open-source Haveno framework it relies on.

RetoSwap Halts Trading Again After New Exploit Discovery

In its June 17 announcement, RetoSwap confirmed that it had raised the minimum client version to 2.0.0 and blacklisted the attackers’ onion addresses in an attempt to contain the incident. The platform also suspended all trading activity as a precautionary measure while engineers investigate the extent of the exploit.

This is the second emergency shutdown in less than a month, following a similar response during the May 20 attack.

Source: X(formerly Twitter)

According to the RetoSwap team, the vulnerability does not originate from their own codebase. Instead, it is embedded within the Haveno protocol itself, an open-source trading system that provides the underlying architecture for peer-to-peer Monero transactions.

That distinction has become central to the ongoing investigation, though it offers little relief to affected users.

Inside the May 20 Attack That Stole $2.7 Million in XMR

The first confirmed exploitation of the vulnerability occurred on May 20, 2026, when Haveno developer “woodser” reported that the protocol was under active attack.

Within minutes, RetoSwap implemented emergency countermeasures, including banning the attacker’s onion address and enforcing a forced upgrade to client version 2.0.0. Despite these efforts, approximately 7,000 XMR—worth around $2.7 million—was stolen from users interacting with large crypto trades.

Blockchain security analysts, including PeckShield, later confirmed the breach.

The attack itself was not a simple hack. Instead, it involved a highly targeted manipulation of Haveno’s 2-of-3 multisignature escrow system. The attacker reportedly sent a forged, out-of-order acknowledgment message impersonating a trusted arbitrator in the system.

This caused the victim’s software to overwrite the legitimate arbitrator’s node information with a malicious address controlled by the attacker. As a result, the attacker was able to gain control of two out of three required wallet keys, effectively bypassing the multisig protection before funds were even fully deposited.

In practical terms, the attacker successfully manipulated the system before the transaction was finalized, effectively rigging the escrow process.

Why the Same Vulnerability May Have Been Exploited Again

The June 17 suspension suggests that the May fix may not have fully closed the vulnerability.

Following the first attack, developers implemented mitigation steps, including stricter verification of multisig wallet creation and updates to arbitrator address handling. A GitHub pull request was also introduced to patch the issue at the protocol level.

However, the second incident indicates that attackers may have either discovered a new variation of the exploit or continued to leverage residual weaknesses in the original design.

RetoSwap has not confirmed whether additional funds were lost in the latest incident, but it stated that losses appear limited to large cryptocurrency transactions. Fiat-based trading activity was reportedly unaffected.

As of now, trading remains suspended with no confirmed timeline for restoration.

Monero Privacy Makes Recovery Nearly Impossible

One of the most significant challenges in both incidents is the nature of Monero itself.

Unlike transparent blockchains such as Bitcoin or Ethereum, Monero is designed with strong privacy features that obscure transaction details, wallet addresses, and fund movements. While this provides financial privacy for legitimate users, it also makes stolen funds extremely difficult to trace.

Security analysts can flag suspicious activity, but recovery is often not possible once XMR has been moved through multiple hops.

This creates a difficult paradox: the same privacy features that protect users also shield attackers after an exploit.

What Haveno Users Need to Do Now

Following the latest suspension, RetoSwap has issued several urgent recommendations for users of its platform and any services built on Haveno.

First, users are advised to immediately back up their local wallet folders. According to the platform, these backups may be necessary for any potential recovery process.

Typical wallet locations include:

• Linux: ~/.local/share/Haveno-reto/xmr_mainnet/wallet
• macOS: ~/Library/Application Support/Haveno-reto/xmr_mainnet/wallet

Second, users are strongly advised not to attempt any trades until the platform confirms a full security fix. Any activity using outdated clients could expose users to the same vulnerability.

Third, all users will eventually be required to upgrade to client version 2.0.0 or higher once trading resumes.

Finally, users are encouraged to carefully verify arbitrator communications in peer-to-peer transactions and remain cautious when using platforms built on unaudited or partially audited open-source frameworks.

A Deeper Problem: Inherited Risk in Open-Source Protocols

The repeated exploit has raised broader concerns about the risks of building financial platforms on open-source protocols without fully independent security audits.

RetoSwap itself did not develop the vulnerable code. Instead, it inherited the Haveno framework, along with its architectural assumptions and potential weaknesses.

This has highlighted a systemic issue in decentralized finance: when protocols are forked or reused without comprehensive third-party audits, vulnerabilities in the base layer can propagate across multiple platforms.

In this case, both incidents have demonstrated that a flaw in a core protocol layer can override even non-custodial design principles.

What Happens Next for Haveno and RetoSwap

At this stage, developers are working on identifying whether the June incident is a new exploit vector or a continuation of the May vulnerability.

RetoSwap has stated that trading will only resume once a full protocol-level fix is implemented, but no timeline has been provided.

Meanwhile, security researchers are expected to conduct deeper audits of the Haveno protocol to determine whether additional hidden vulnerabilities exist.

For users, the immediate priority remains safety and asset security rather than trading activity.

Conclusion

The Haveno protocol has now been exploited twice in less than 30 days, resulting in at least $2.7 million in losses and forcing repeated shutdowns of RetoSwap’s trading system.

While the platform itself has not been directly compromised, its dependence on a vulnerable underlying protocol has exposed critical risks in the broader Monero-based peer-to-peer trading ecosystem.

Until a complete and independently verified fix is implemented, trading remains suspended, and users are being urged to secure their wallets and avoid further activity.

The incident serves as a stark reminder that in decentralized finance, protocol-level vulnerabilities can have far-reaching consequences—regardless of how secure the front-end platform appears.

hoka.news – Not Just Crypto News. It’s Crypto Culture.

Writer @Erlin
Erlin hallen is an experienced crypto writer who loves to explore the intersection of blockchain technology and financial markets. She regularly provides insights into the latest trends and innovations in the digital currency space.
 
 Check out other news and articles on Google News

Disclaimer:

The articles published on hoka.news are intended to provide up-to-date information on various topics, including cryptocurrency and technology news. The content on our site is not intended as an invitation to buy, sell, or invest in any assets. We encourage readers to conduct their own research and evaluation before making any investment or financial decisions.
hoka.news is not responsible for any losses or damages that may arise from the use of information provided on this site. Investment decisions should be based on thorough research and advice from qualified financial advisors. Information on hoka.news may change without notice, and we do not guarantee the accuracy or completeness of the content published.