github bisq-network/bisq v1.10.0

14 hours ago

Bisq 1.10.0 follows the recent security incident with a focused hardening release that improves trade protocol security, network message validation, release verification, and hardening against supply chain attacks.

A detailed post-mortem covering the incident, investigation, impact assessment, and the security improvements introduced with this release will be published in the coming days on the Bisq webpage.

Note: As this release adds support for both Intel and Apple Silicon macOS binaries, the in-app download for macOS binaries will not work for this release. Please download, install, and verify the macOS binaries manually.

Release notes

Security Improvements

  • Hardened validation of trade protocol messages, deposit transactions, payout transactions, trade contract data, and peer-provided wallet data.
  • Improved protection against supply chain attacks by adding PGP signature verification to dependency resolution.
  • Updated Java, JavaFX, Tor, bitcoinj, and other dependencies to their latest stable versions.
  • Improved the build process with additional verification of the build toolchain.
  • Added Docker-based DAO and end-to-end trade tests to GitHub Actions. This work will continue over the coming weeks.

Security Improvements Affecting the Trading Experience

  • The maximum trade amount is now limited to 0.125 BTC.
  • Offers and trades are now restricted to a maximum price deviation of 25%.
  • Disabled XMR auto-confirmation. No issues have been identified, but a more in-depth security audit is planned for this area.
  • Removed the webcam library used for QR code scanning to reduce security risks. A more secure replacement will be introduced in the next release.
  • Removed dispute chat attachments and dispute log file transfers for security reasons.
  • Added a popup reminder advising users not to use the Bisq wallet as a long-term storage wallet when holding higher balances.

UX

  • Improved performance by updating JavaFX and Java versions.

Deployment

  • macOS releases now support both Apple Silicon and Intel-based Macs.
  • The reproducible build system is now partially in place, though not yet applied to this release. The next release will fully benefit from it.

Installation

macOS

Bisq does not use Apple's notarization process (see why).
For that reason, you will see a (misleading) alert.

Grant permissions by:

  • Running sudo xattr -rd com.apple.quarantine /Applications/Bisq.app in a terminal (type Terminal in the Apple search box)
  • Opening Bisq again

More details can be found here.

Windows

For similar reasons, you will get this warning on Windows: "Windows protected your PC"

  • Click the More info button when prompted
  • Click the Run anyway button when prompted

More details can be found here.

Verify download

See the verification and installation instructions in the Bisq Wiki.
