Nostr notes by openmonero

LocalMonero.co is now gone for good, logins disabled LocalMonero ...

2025-08-01T11:54:49+02:00

LocalMonero.co is now gone for good, logins disabled

LocalMonero disabled logins on July 27, 2025. Attempts to access public profiles via direct links now result in a blank page. Consequently, our crawler is unable to verify import keys. However, you can still verify your reputation at http://openmonero.com/guides/import#cachedUserList, as the top profiles have been cached on OpenMonero and can be verified through alternative methods such as Telegram, Session, XMPP/Jabber, email, PGP, and others.

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #rugpull #transparency #stats

How bad actors try to track Monero Depending on your operational ...

2025-07-23T10:24:01+02:00

How bad actors try to track Monero

Depending on your operational security, the combination of the various attack types in this article may reduce your privacy significantly, to get the real spend in a ring signature.

These methods have been used to arrest the Incognito Market admin, the operators of Archetyp, a Colombian drug dealer, a Finnish blackmailer, the Bitfinex hacker and 18 Japanese fraudsters.

---

# Eve-Alice-Eve attack

This one’s like a sneaky collusion trick. Two parties (both called Eve) team up to figure out who’s behind a transaction with Alice. Eve1 sends Monero to Alice in one transaction; Eve2 receives Monero from Alice in another.

They compare their transaction records, if Eve1’s address shows up in Eve2’s ring signature, or if amounts and times match up, they can pretty confidently say Alice was involved. Repeating this over and over makes their case even stronger.

---

# Poisoned output attack

Think of this like "marked bills" in the physical world. Here, the attacker "poisons" some Monero outputs, either with a unique amount or a specific pubkey, and then watches to see if those outputs get sent to someone who knows the identity of those who send them monero, and who has agreed to share data with the attacker to help identify the target.

If the target sends that marked Monero to a known colluder, the attacker can identify who sent it. Repeated use helps build a stronger case.

---

# Timing analysis attack

Sometimes, targets try to dodge the poisoned output trap by splitting amounts or churning (sending to new addresses repeatedly). But if they’re doing this on a regular schedule, attackers can catch on by watching the timing between transactions.

For example, if an attacker notices that every Tuesday, a certain person receives Monero and then quickly sends it out again, that pattern can reveal who they are, even if they try to hide it.

Anti-privacy adversaries can leverage timing information to increase the probability of guessing the real spend in a ring signature to approximately 1-in-4.2 instead of 1-in-16.

---

# Decoy elimination attack

This trick is handy if someone has a list of transaction IDs and thinks their target sent Monero in those transactions. They might get this list by scanning the blockchain for transactions that include a special kind of public key known to belong to the target, or from someone who’s interacted with the target a few times, like an exchange or a store.

Once they have the list, they can look up those transactions and check the signatures inside them. These signatures include a bunch of public keys used to hide who actually sent the money. The attacker checks if any of those keys are theirs or someone they know. If they find a match, they can ask the owner if they made that transaction. If not, then that key was just a decoy, not the real sender.

This method helps the attacker narrow down the possible real sender. In the worst case, they can remove all the fake keys and figure out exactly who sent the Monero. From there, they might trace the transaction back or forward, using the same or different techniques, to follow the money’s trail.

---

# Spy node attack

Monero transactions are broadcast through nodes, some are run by honest users, others by malicious actors (spy nodes). If your wallet sends transactions through a spy node, they might log your IP address, which can then be linked to your transaction and real identity.

Full nodes try to protect you with protocols like Dandelion++, but they’re not perfect. Attackers can exploit this by seeing if a transaction is still in its "stem" phase, which can leak your IP.

---

# Tx history lookup attack

If an attacker manages to get hold of your private keys (say, during a raid or if you accidentally share them), they can look up your entire transaction history on the blockchain. This helps them see all the Monero you’ve received and sent.

References:
https://www.getmonero.org/2025/04/05/ospead-optimal-ring-signature-research.html
http://openmonero.com/knowledge/how-bad-actors-try-to-track-monero

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #rugpull #transparency #stats

Centralization of XMR market and tracking every transaction ...

2025-07-09T19:59:24+02:00

In reply to nevent1q…0e79
_________________________

Centralization of XMR market and tracking every transaction

Recent research conducted by the Weizenbaum Institute, TRM Labs (San Franciso) and TU Berlin indicate that Retoswap, formerly known as Haveno-Reto, does not provide the privacy protections it advertises. Despite its marketing claims, this platform functions as a sophisticated decoy. The narrative of being non-custodial and decentralized is a carefully crafted illusion designed to attract unsuspecting users and foster a false sense of security.
https://xcancel.com/noosphere888x2/status/1922044150716715102#m

Darknet operators who assume Retoswap is suitable for laundering should reconsider. Their activities are under constant surveillance. The supposed privacy offered by Retoswap is an illusion.

Retoswap Trades Are Fully Traceable

> To test our findings, we logged Haveno trades for two weeks and executed five test trades within the observation period. For all five transactions, we successfully identified all XMR transactions.
Additionally, we demonstrate that Haveno trades leave detectable on-chain footprints, allowing cross-chain transaction linking.

Source: https://arxiv.org/pdf/2505.02392

> Haveno has been discussed in greater detail as it evolved to one of the most prominent exchanges in the context of Monero. While strong promises claim privacy with every transaction and independence from any central authority, the current implementation raises uncertainty. Our analysis showed detectable on-chain patterns and weaknesses in the platform that can be exploited to match transactions across chains.

It is noteworthy that some of the most active dark web exchanges, administrators, vendors, and key figures may have already utilized Retoswap to launder illicit gains or transfer substantial amounts of BTC and XMR. These individuals often believe their anonymity is safeguarded due to the platform’s purported decentralization. However, all Retoswap crypto-to-crypto transactions are inherently traceable.

Retoswap has apparently handled over 50 million dollars in transactions, which is pretty impressive considering it’s been around for less than a year. It looks like big players like hackers, darknet admins, and other underground groups are already using it to move big amounts of money.
Source: https://xcancel.com/RetoSwap/status/1930953817228481022#m

While speculative, there are reasons to suspect that recent LE actions may not be coincidental. Authorities have tracked down major operators, likely due to the on-chain trail left by Retoswap activities. According to haveno.markets, approximately 90% of liquidity involves BTC-XMR swaps, transactions that are fully traceable. Every transaction is publicly recorded on-chain with exact timestamps, amounts, and payment methods, leaving a permanent digital footprint.

> While trade statistics provide valuable metrics for users, their network propagation should be obfuscated to preserve trade privacy.

Source: https://arxiv.org/pdf/2505.02392

In summary, admins of coin-swap services can easily monitor BTC to XMR trades. But usually, it’s not a big deal because users trust these providers not to share details like timestamps, amounts, or other info. On the flip side, with platforms like Retoswap, anyone can potentially track transactions, it’s not just the admins. That’s because haveno.markets openly shares trade stats, making it easier for third parties to analyze and follow the transactions.

May freeze or seize funds

Retoswap runs on Haveno, which is a decentralized, non-custodial multi-sig exchange. That’s true because your private key is generated locally, so only you have access to your funds in the Haveno wallet.

However, to publish a sell offer, a vendor must lock up coins (15% security deposit and the trade amount). These funds can potentially be frozen or seized because the admin can easily have two keys required to sign a transaction. The haveno FAQ suggests that the admin/arbiter only has one key, but in practice, anyone can become a taker, there is practically nothing preventing the admin from possessing two keys.

Some users have spoken out about this openly on platforms like Nostr, Reddit, and others, raising concerns about potential exit scams in how the system is set up. So, it’s worth being aware of these issues before jumping in.

https://rl.bloat.cat/r/Monero/comments/1h4icot/is_haveno_anymore_secure_than_trading_with_a/
https://archive.ph/gSRVs#25%

Centralization of XMR market and tracking every transaction
Retoswaps objective appears to be the centralization of XMR liquidity through their unique setup with pre-funded offers. Furthermore, Woodser (developer associated with Haveno) has not addressed the rugpuller bot issue that I initially identified six months ago. This is not due to incompetence but rather suggests a lack of independence, as the Reto guy has accepted donations from questionable sources. Such actions raise concerns about the integrity of the haveno development process.
Source: link to shortwavesurfer about donations

Quote mister_monster:
> So, Reto has basically no fees right now. They don’t really benefit financially from being the only haveno network with liquidity. Yet, [b]it does seem that they do want to have a monopoly position within our community[b].

Source: https://monero.town/post/5172146

Amazon used the same tactic to take over the market, operating at a loss and funded by questionable sources until competitors were pushed out. Now, this new platform is promising decentralization, non-custodial transactions, and privacy. But the reality is, none of that seems to hold up. It's all about crushing the competition and cornering the XMR market, and tracking every transaction? That's not exactly a recipe for trust. It might not be a honeypot, but it sure smells a lot like one. Proceed with extreme caution.

Discuss on dread: http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/be82f1a0c5e0f79f6dbb

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #rugpull #transparency #stats

openmonero.markets VS. haveno.markets I still can't get over ...

2025-07-03T09:58:20+02:00

openmonero.markets VS. haveno.markets

I still can't get over how haveno.markets shows both the time and amount (XMR) for each trade, which could allow timing attacks and hurt user privacy. On the other hand, openmonero.markets doesn’t show any trade times or amounts.

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #rugpull #transparency #stats

We are pleased to announce the launch of a dedicated statistics ...

2025-07-02T15:58:25+02:00

We are pleased to announce the launch of a dedicated statistics and market data page, offering comprehensive information for users.

URL: https://openmonero.com/markets

DONE: xmr/usd, liquidity, top markets, daily volume, sell offers, buy offers, registered users, active vendors, top payment methods, latest trades, total trades, total volume, trades last 30d/24h/yesterday/today, volume last 30d/24h/yesterday/today

COMING SOON: average trade finalization time, top vendors

If you're worried about timing attacks, I've taken out the timestamp, username and amount details from the latest trades table to help protect your privacy.

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #rugpull #transparency #stats

It is easy to fix the rug pull issue if they just disable ...

2025-06-18T11:07:04+02:00

In reply to nevent1q…w3qe
_________________________

It is easy to fix the rug pull issue if they just disable pre-funded offers and allow each maker to fund the trade after a taker request instead. However, they aren't interested in doing so, since it would significantly decrease liquidity.

Quote shortwavesurfer2009: The way it would work would be that an ...

2025-06-17T18:58:12+02:00

In reply to nevent1q…5tr7
_________________________

Quote shortwavesurfer2009:
The way it would work would be that an arbitrator would create a bot to take the offers and then use the key from the taker bot and their arbitrator key to steal the escrow which contains the seller's Monero plus their security deposit.
Source: nevent1qqs0h2fvwvcsg58l6xw9hwpav4kk3vry933rrm6pparrf0s7p9rel6gpz4mhxue69uhkg6t5w3hjuur4vghhyetvv9uszyrhwden5te0v5hxummn9ekx7mp0qythwumn8ghj7en9v4j8xtnwdaehgu3wvfskuep0mvpr6f

How can anyone honestly think that locked haveno coins are truly ...

2025-06-17T18:56:20+02:00

How can anyone honestly think that locked haveno coins are truly in self-custody? In reality, bad haveno arbiters could easily pretend to be legit takers and get the 2/3 majority needed to approve a transaction, which could lead to theft. Even worse, admin bots could just wipe out the whole haveno order book with ease. This issues has been confirmed by official dread mods and some reddit users.

Quote SaberhagenTheNameless:
...afaict Haveno/Retoswap, in it's current state, has more at risk from rugpulls than necessary - currently over a million USD at stake.
Sell offers are sitting there waiting to be automatically locked into a 2/3 multisig once taken (from potentially malicious admins controlling arbitrator/taker bots meaning they would have enough keys to steal)
Right now nothing is really preventing admins from sweeping the entire orderbook on the sell side.
Source: https://primal.net/e/nevent1qqsy7hmx9n2ws94x92ftvc44ylkejyg8ygw9z9pt4eswj44yqewp3jcpzamhxue69uhkvet9v3ejumn0wd68ytnzv9hxgtcppemhxue69uhkummn9ekx7mp0qy08wumn8ghj7mn0wd68yttsw43zuam9d3kx7unyv4ezumn9wshs0gztdf
Cached: https://archive.ph/JOqDC#25%

Quote shortwavesurfer2009:
The way it would work would be that an arbitrator would create a bot to take the offers and then use the key from the taker bot and their arbitrator key to steal the escrow which contains the seller's Monero plus their security deposit.
Source: https://primal.net/e/nevent1qqs0h2fvwvcsg58l6xw9hwpav4kk3vry933rrm6pparrf0s7p9rel6gpz4mhxue69uhkg6t5w3hjuur4vghhyetvv9uszyrhwden5te0v5hxummn9ekx7mp0qythwumn8ghj7en9v4j8xtnwdaehgu3wvfskuep0mvpr6f
Cached: https://archive.ph/gSRVs#25%

Quote /u/WoodenInformation730:
The arbitrators could rug the whole orderbook (all sell offers and security deposits) by taking all the offers at once.
Source: https://rl.bloat.cat/r/Monero/comments/1l5jkp2/openmonerocom_got_hacked_as_reported_in_their/mwp7yhn/?context=3#mwp7yhn
Cached: https://archive.ph/icuxp#65%

Quote: /u/monero_desk_support:
After some thoughts, I think you are right and that the arbitration system in Haveno doesn't prevent arbitrators from pulling the funds. They would need to create a bot that takes all the offers and automatically unlock the funds with the key of the taker and arbitrator
Source: http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/4e7e530582ff902b6903/#c-cac5570453f7fa9f42

Quote /u/geonic_ (Monero Outreach Producer):
Reto has been around for a few milliseconds basically and nothing stops the network operators from creating fake orders if the pot gets big enough. A network would have to be operating successfully for a few years before I trust it with any significant amounts.
Source: https://rl.bloat.cat/r/Monero/comments/1h4icot/is_haveno_anymore_secure_than_trading_with_a/m0ae3rk/?context=3#m0ae3rk
Cached: https://archive.ph/bB1VN#84%

Quote /u/WoodenInformation730: To post an offer, you have to deposit the amount + security deposit. If an arbitrator acts maliciously, they could take an offer and essentially steal the funds by signing the 2/3 multisig transaction, since they'd have two keys.
Source: https://rl.bloat.cat/r/Monero/comments/1l5jkp2/openmonerocom_got_hacked_as_reported_in_their/mwj10k3/?context=3#mwj10k3
Cached: https://archive.ph/icuxp#45%

Quote /u/jossfun:
Haveno relies upon arbitration by the network you’re operating on. In a case where the arbitrators act maliciously they can create trades where they control 2/3 keys to seize funds.
Source: https://rl.bloat.cat/r/Monero/comments/1h4icot/is_haveno_anymore_secure_than_trading_with_a/
Cached: https://archive.ph/bB1VN

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #bitcoin #btc #decentralized #nostr #moneroju

2 new repos have been released last week and the code is fully ...

2025-06-17T18:11:15+02:00

In reply to nevent1q…936e
_________________________

2 new repos have been released last week and the code is fully built on top of NOSTR.

Frontend: http://rf5cqoxqlitdx4umuce5dgihjzabql4hs3zjkvs3em7xzjfa5yyhkeqd.onion/om/openmonero-dex
Backend: http://rf5cqoxqlitdx4umuce5dgihjzabql4hs3zjkvs3em7xzjfa5yyhkeqd.onion/om/openmonero-dex-api
Demo: http://ek72x7tysgkrr754ce4np4e6ce5rtwtxphxibzmesnsbuyco5onlc5id.onion/

The haveno rugpull amount according to my calc is USD 2.5 ...

2025-06-17T09:52:15+02:00

In reply to nevent1q…tykt
_________________________

The haveno rugpull amount according to my calc is USD 2.5 millions
NOTE: the security deposits from haveno market markers are part of the pot as well

XMR/USD according to haveno.markets
$283.10

Liquidity according to haveno.markets
7,474.47 XMR

15% security deposits = Liquidity x 15/100
1121.17 XMR

rugpull amount = liquidity + 15% security deposits
rugpull amount = 7,474.47 + 1121.17 XMR
rugpull amount = 8595,64 XMR = 2,433,425.68 USD

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #bitcoin #btc #decentralized #nostr #moneroju

OpenMonero re-opening! Regarding the recent security issue on ...

2025-06-17T09:19:16+02:00

OpenMonero re-opening!

Regarding the recent security issue on June 6, 2025, there’s no sign that the main backend has been hacked. The breach led to about USD 20,000 (or 62 XMR) being stolen, mainly due to some bad configuration with ufw and wallet rpc. It’s worth mentioning that trade chats and MongoDB are hosted on different servers from the monero-wallet-rpc, so the core infrastructure is still secure. We’ll refund all affected users once the platform has collected enough arbiter fees..

Read more here: http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/59e5b924658bac9124d0

------SECURITY UPDATES------
- new monero wallet on a different hosting provider
- all passwords and keys have been updated
- monero-wallet-rpc is now bind to 127.0.0.1 to prevent remote access
- arbiter address switched to cold wallet to protect refunds
- DEX API fully isolated from openmonero.com to minimize security issues

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #bitcoin #btc #decentralized #nostr #moneroju

Haveno’s multi-sig trading only protects trades that have ...

2025-06-15T01:59:36+02:00

In reply to nevent1q…gkzf
_________________________

Haveno’s multi-sig trading only protects trades that have already been accepted, which is about 1% of all the liquidity. The rest, like open offers, aren’t protected and could potentially be taken or misused by the admins. So, it’s confusing why some people still see Haveno as a fully self-custodial exchange, when in reality, it’s more like a centralized liquidity platform.

For a more detailed understanding, please read the section about self-custodial trade funding:
https://openmonero.com/faq#self-custodial-trading-funding

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #bitcoin #btc #decentralized #nostr #moneroju

How can anyone honestly think that locked haveno coins are truly ...

2025-06-14T09:07:48+02:00

In reply to nevent1q…gkzf
_________________________

How can anyone honestly think that locked haveno coins are truly in self-custody? In reality, bad haveno arbiters could easily pretend to be legit takers and get the 2/3 majority needed to approve a transaction, which could lead to theft. Even worse, admin bots could just wipe out the whole haveno order book with ease. This issues has been confirmed by official dread mods and some reddit users.

Quote /u/WoodenInformation730:
The arbitrators could rug the whole orderbook (all sell offers and security deposits) by taking all the offers at once.
Source: https://rl.bloat.cat/r/Monero/comments/1l5jkp2/openmonerocom_got_hacked_as_reported_in_their/mwp7yhn/?context=3#mwp7yhn

Quote: /u/monero_desk_support:
After some thoughts, I think you are right and that the arbitration system in Haveno doesn't prevent arbitrators from pulling the funds. They would need to create a bot that takes all the offers and automatically unlock the funds with the key of the taker and arbitrator
Source: http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/4e7e530582ff902b6903/#c-cac5570453f7fa9f42

Quote /u/geonic_ (Monero Outreach Producer):
Reto has been around for a few milliseconds basically and nothing stops the network operators from creating fake orders if the pot gets big enough. A network would have to be operating successfully for a few years before I trust it with any significant amounts.
Source: https://rl.bloat.cat/r/Monero/comments/1h4icot/is_haveno_anymore_secure_than_trading_with_a/m0ae3rk/?context=3#m0ae3rk

Quote /u/WoodenInformation730: To post an offer, you have to deposit the amount + security deposit. If an arbitrator acts maliciously, they could take an offer and essentially steal the funds by signing the 2/3 multisig transaction, since they'd have two keys.
Source: https://rl.bloat.cat/r/Monero/comments/1l5jkp2/openmonerocom_got_hacked_as_reported_in_their/mwj10k3/?context=3#mwj10k3

Quote /u/jossfun:
Haveno relies upon arbitration by the network you’re operating on. In a case where the arbitrators act maliciously they can create trades where they control 2/3 keys to seize funds.
Source: https://rl.bloat.cat/r/Monero/comments/1h4icot/is_haveno_anymore_secure_than_trading_with_a/

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #bitcoin #btc #decentralized #nostr #moneroju

You may find this surprising, but just two days after the hack, I ...

2025-06-12T18:24:11+02:00

In reply to nevent1q…7tn8
_________________________

You may find this surprising, but just two days after the hack, I successfully open sourced the first decentralized peer-to-peer platform fully operational on NOSTR. This new repository represents the pioneering P2P Monero exchange featuring a decentralized reputation system and a federated order book. It incorporates all the functionalities typically found on openmonero.com, excluding self-destructing messages. Importantly, anyone can run their own instance, as the backend code is entirely open-source. The implementation is straightforward to audit, lightweight (only 4,500 lines of code) and genuinely decentralized, leveraging an open protocol like NOSTR that requires no additional software.

Frontend: http://rf5cqoxqlitdx4umuce5dgihjzabql4hs3zjkvs3em7xzjfa5yyhkeqd.onion/om/openmonero-dex
Backend: http://rf5cqoxqlitdx4umuce5dgihjzabql4hs3zjkvs3em7xzjfa5yyhkeqd.onion/om/openmonero-dex-api
Demo: http://ek72x7tysgkrr754ce4np4e6ce5rtwtxphxibzmesnsbuyco5onlc5id.onion/

Regarding the recent security incident, there is no evidence to suggest that openmonero.com has been completely compromised. Only funds have been stolen; trade chats and MongoDB are hosted on separate servers from the monero-wallet-rpc, indicating that the core infrastructure remains intact.

The primary objective is not to achieve absolute prevention of hacks, since no system can be 100% secure, but to minimize potential damage from the outset, similar to the principles of Qubes OS. This incident demonstrates that openmonero.com remains one of the most secure platforms available, capable of handling significant volume while maintaining minimal funds at risk, thus limiting potential losses in the event of a breach.

To date, approximately USD 20,000 worth of user funds have been stolen, along with USD 3,000 in arbiter funds, despite a monthly trading volume approaching half a million dollars. Had I employed a setup similar to Haveno, I estimate that losses could have exceeded USD 2 million making recovery efforts challenging.

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #bitcoin #btc #decentralized #nostr

NOTE: The haveno arbitrators could rug the whole orderbook ...

2025-06-12T17:51:03+02:00

In reply to nevent1q…v3se
_________________________

NOTE: The haveno arbitrators could rug the whole orderbook (2,000,000 USD) despite multi-sig trades.

Additionally, since offers on openmonero.com don’t require any pre-funding, the potential damage remains quite limited (similar to a single McDonald's salary). A quick note: multi-signature setups typically require JavaScript, and possibly Java, which limits scalability and compatibility, especially with browsers like Tor.

Moreover, multi-sig only secures about 1% of the total liquidity (trades in escrow or accepted), making it largely ineffective. On haveno, if a malicious arbiter manages to take all maker offers, they could potentially wipe out the entire order book (despite multi-sig trades). And having a security deposit doesn’t offer much protection either, since an attacker only needs to hold an amount of XMR equal to the lowest security deposit to take all maker offers. This pattern becomes clear when observing how each taker bot balance grows by a ton (logarithmic growth) after each transaction. More here: https://simplifiedprivacy.com/openmonero-interview-with-the-dev/compared-to-reto.html

This principle has been validated both by my own analysis and confirmed by the official moderator of the dread sub and some reddit users.
http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/4e7e530582ff902b6903/#c-cac5570453f7fa9f42
https://rl.bloat.cat/r/Monero/comments/1l5jkp2/openmonerocom_got_hacked_as_reported_in_their/mwj10k3/?context=3#mwj10k3
https://rl.bloat.cat/r/Monero/comments/1l5jkp2/openmonerocom_got_hacked_as_reported_in_their/mwp7yhn/?context=3#mwp7yhn

openmonero.com may actually be one of the most secure platforms ...

2025-06-12T17:49:25+02:00

In reply to nevent1q…vezy
_________________________

openmonero.com may actually be one of the most secure platforms out there, thanks to its use of non-custodial trade settlements, non-custodial funding, and relatively quick trade finalization (on hour). To date, only about 20k USD of user funds have been stolen, (plus 3k arbiter funds), despite a monthly trade volume of roughly half a million dollars. Had I implemented a setup like haveno, I’d probably have seen at least 2 million USD stolen (good luck trying to refund that).

You can read more about the hack here: http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/59e5b924658bac9124d0

You can read more about the hack here: ...

2025-06-12T12:59:10+02:00

In reply to nevent1q…4mhp
_________________________

You can read more about the hack here: http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/59e5b924658bac9124d0

NOTE: The haveno arbitrators could rug the whole orderbook (2,000,000 USD) despite multi-sig trades.

Ironically, openmonero.com may actually be one of the most secure platforms out there, thanks to its use of non-custodial trade settlements, non-custodial funding, and relatively quick trade finalization (on hour). To date, only about 20k USD of user funds have been stolen, (plus 3k arbiter funds), despite a monthly trade volume of roughly half a million dollars. Had I implemented a setup like haveno, I’d probably have seen at least 2 million USD stolen (good luck trying to refund that).

Additionally, since offers on openmonero.com don’t require any pre-funding, the potential damage remains quite limited (similar to a single McDonald's salary). A quick note: multi-signature setups typically require JavaScript, and possibly Java, which limits scalability and compatibility, especially with browsers like Tor.

Moreover, multi-sig only secures about 1% of the total liquidity (trades in escrow or accepted), making it largely ineffective. On haveno, if a malicious arbiter manages to take all maker offers, they could potentially wipe out the entire order book (despite multi-sig trades). And having a security deposit doesn’t offer much protection either, since an attacker only needs to hold an amount of XMR equal to the lowest security deposit to take all maker offers. This pattern becomes clear when observing how each taker bot balance grows by a ton (logarithmic growth) after each transaction. More here: https://simplifiedprivacy.com/openmonero-interview-with-the-dev/compared-to-reto.html

This principle has been validated both by my own analysis and confirmed by the official moderator of the dread sub and some reddit users.
http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/4e7e530582ff902b6903/#c-cac5570453f7fa9f42
https://rl.bloat.cat/r/Monero/comments/1l5jkp2/openmonerocom_got_hacked_as_reported_in_their/mwj10k3/?context=3#mwj10k3
https://rl.bloat.cat/r/Monero/comments/1l5jkp2/openmonerocom_got_hacked_as_reported_in_their/mwp7yhn/?context=3#mwp7yhn

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk #rugpull

I've just open sourced the first p2p monero platform that is ...

2025-06-12T11:49:22+02:00

In reply to nevent1q…4mhp
_________________________

I've just open sourced the first p2p monero platform that is completely based on NOSTR, with a decentralized reputation system (PGP canaries), a federated orderbook, non-custodial trade funding, non-custodial trade settlements and anyone can setup his own instance since the backend is open source as well. I am telling you once again, haveno is a centralized liquidity exchange, since the admin can take all offers. All that is required for such an exploit is access to the admin key, two bots (taker and arbiter bot), and an amount of XMR equivalent to the lowest security deposit (a mechanism evident from the logarithmic balance growth of each taker bot following each transaction. More here: http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/4e7e530582ff902b6903/#c-779f1c27e12e98e6af

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk

Check out the new decentralized exchange based on Nostr and ...

2025-06-11T11:42:16+02:00

Check out the new decentralized exchange based on Nostr and OpenMonero/LocalMonero frontend. The code is production ready but I can't setup a fully working instance right now, since 2 of my servers have been hacked on 6/6/2025. You can checkout the demo below or clone the code and setup your own instance. The Backend has just 4.5k lines of code in a single file and is very easy to audit.

New powerful updates:

Decentralized, new reputation system not locked to any specific location or instance.
Federated and decentralized order book model allows for a combined order book across multiple instances.
All data, including the order book, reputation, profiles, trades, wallet information, and chat, is stored on NOSTR.
Admins do not have access to chat history unless a trade dispute arises (E2EE with NIP-04).
Wallet protection with two-factor authentication (2FA) instead of a traditional password.
Websockets facilitate real-time event updates without requiring a page refresh.

Frontend: http://rf5cqoxqlitdx4umuce5dgihjzabql4hs3zjkvs3em7xzjfa5yyhkeqd.onion/om/openmonero-dex
Backend: http://rf5cqoxqlitdx4umuce5dgihjzabql4hs3zjkvs3em7xzjfa5yyhkeqd.onion/om/openmonero-dex-api
Demo: http://ek72x7tysgkrr754ce4np4e6ce5rtwtxphxibzmesnsbuyco5onlc5id.onion/

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk

I am looking for a browser that has the following features: - ...

2025-04-26T10:13:26+02:00

In reply to nevent1q…3x0v
_________________________

I am looking for a browser that has the following features:

- same anonymity as tor browser
- built-in i2p
- adblocker addon pre-installed to prevent fingerprinting
- option to add whitelist for js and persist after restart

A lot of third-party wallets claim to be non-custodial, but they ...

2025-04-07T16:04:53+02:00

In reply to nevent1q…tg4z
_________________________

A lot of third-party wallets claim to be non-custodial, but they might actually mess with your privacy, track what you do, or even put your funds at risk. To stay safe, stick with the official Monero wallets at getmonero.org.

Cakewallet requires an account, leaks metadata, and can track usage patterns.

Furthermore, I am uncertain whether Cake Wallet is fully non-custodial, as it raises the question of how their backend API facilitate swaps without access to your private key (how do they pull that off). It seems logical to conclude that they must have access to the private key for the swap process to function effectively. Because of that, I can’t really recommend this wallet, especially since it supports some shady tokens that might be tied to scams.

I’m not pushing any specific wallet, but if you want something clean and simple, check out monero-wallet-cli. It’s a solid choice!

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk

I don’t really recommend any wallet, but if you’re looking ...

2025-04-07T15:46:21+02:00

In reply to nevent1q…58ky
_________________________

I don’t really recommend any wallet, but if you’re looking for something without bloat, you might want to check out monero-wallet-cli.

I do not have simpleX yet. Could you pls review ...

2025-03-08T00:33:44+01:00

In reply to nevent1q…tqxf
_________________________

I do not have simpleX yet. Could you pls review https://kycnot.me/service/openmonero

Let's be real, nothing comes for free. The fact that there ...

2025-03-04T21:20:24+01:00

In reply to nevent1q…r5su
_________________________

Let's be real, nothing comes for free. The fact that there are no arbitration fees on the retoswap network might make you think that users are actually the product. If you dig a little deeper, you'll find a bunch of issues, with the risk of exit scams being a big one.

A decentralized node network is only secure if there's no admin who can circumvent the rules. To address the exit scam issue, either eliminate the admin or remove the liquidity.

People want to trade online without the hassle of installing software, which can threaten their privacy. Trusting someone to keep your computer safe isn’t easy, and even open-source code can have hidden risks since most don’t compile it themselves. With OpenMonero, you can avoid those worries because it’s just a website that doesn’t need permissions.

The built-in non-custodial wallet for haveno funds isn’t very secure either, since private keys could be logged, and the project isn’t truly decentralized. The GitHub repo isn’t easy to fork, it’s built in Java and is pretty complicated. The more complex the code is, the tougher it gets for developers to spot vulnerabilities or malicious code.

Haveno is better at resisting censorship than OpenMonero, but this mainly benefits the admin. Without a reputation system, vendors can't import any stats to other platforms, leaving their accounts on Haveno fairly low in value. It’s unlikely that any former LocalMonero vendor, who has built up their reputation over the years, would want to use this system.

OpenMonero launched in June 2024, and I've recently started promoting it on social media. I encourage you to check out our list of over 150 verified vendors, including respected LocalMonero traders. If these vendors have confidence in the platform, users are likely to feel the same way.
Vendor list: https://nojs.openmonero.com/guides/how-to-import-reputation#cachedUserList

Reference: https://simplifiedprivacy.com/openmonero-interview-with-the-dev/compared-to-reto.html
Reference: https://primal.net/e/nevent1qqsq2pcudt9rdq4wwpk7r784fwr5h0lt4fhzj6cvaeckurla6wg29dqkrrz7a

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex #cex #moneroju #xmrbaazar #security #agorism #cypherphunk

Basically, the haveno network operator can give admin roles to ...

2025-03-03T03:26:50+01:00

In reply to nevent1q…rhne
_________________________

Basically, the haveno network operator can give admin roles to both taker and arbiter bots as well, which lets them ignore any rules in place. This speeds up things a lot since there’s no need to put down a security deposit for each taker bot, allowing all maker funds to be unlocked right away. These bots only work on the API level, so they don't mess with the user interface.

Because of this, it doesn’t really matter if you set up limitations on the frontend or the public API; the admin bots will always be able to access the protected API endpoints. This access is key to getting around rules like security deposits, rate limits, or any other client-side requirements for takers or arbiters.

The admin bots won’t use the public API, since developers would catch any shady changes to it. Instead, they’ll send requests to a protected API run by the network operator on a low-cost VPS for about $5 USD. Only the admin bots (taker and arbiter) will have the keys to access this protected API. This API will basically look like the public API but will have tweaks to bypass all those rules. So, only the maker will use the public API and will have to follow its rules.

To make things work, all you really need is the admin key, a protected API, and a few VPS servers for the taker and arbiter bots. These taker bots will throw the admin keys into the headers of their requests. If a normal taker tries to hit up the protected API without the admin keys, the request won't work. It’s actually pretty simple, and it might have been overlooked because of that.

Also, it’s good to remember that multi-signature setups only make sense when there’s no admin or network operator. The operator is always a single point of failure and can sidestep any limits on the API using their admin keys.

If anyone has a solid reason why this wouldn’t actually work, I’d love to hear it. When someone has the admin keys for their network, they can pretty much do whatever they want and set the rules while everyone else has to follow along.

To wrap it up, everyone in the haveno network, the taker, the arbiter, and the maker will get a key in the multi-sig trade. But there's also a fourth key, called the "magic key" that can do a bunch of powerful things, some of which could be a bit risky.

Reference: https://archive.ph/GsDsn
Thread: https://primal.net/e/nevent1qvzqqqqqqyqzqpg8r34v5d5z4ecxmc0c749cwjalaw4xu2ttpnh8zms0lhfepg450s7qlk
Interview: https://simplifiedprivacy.com/openmonero-interview-with-the-dev/compared-to-reto.html

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex

OpenMonero response to Woodser haveno dev (haveno rug pull ...

2025-03-02T03:09:45+01:00

In reply to nevent1q…9lpx
_________________________

OpenMonero response to Woodser haveno dev (haveno rug pull scenario)

> a malicious arbitrator could attempt to take offers, hoping to be assigned trades and then unfairly award funds to themselves. however this risk can be mitigated by:

> a sufficient number of arbitrators - the best way to mitigate this risk is to have a sufficient number of honest arbitrators, so a dishonest arbitrator is unlikely to be assigned a trade before being detected and banned. this creates an economic incentive for arbitrators to act honestly and earn trade fees rather than risk exclusion

I totally agree that individual arbiters need to act honestly so they don't get banned by the network operator. But honestly, that's not the main issue here. The real risk of a rug pull attack (or exit scam) doesn’t come from those individual arbiters, but from the network operator, whom we’ll call "Reto." Reto has the power to assign arbiter roles, which is where the problem lies.

The network operator is a single point of failure because he can create as many arbiter roles as he wants since he holds the admin key. Sure, Reto might give a few trusted individuals arbiter roles to make things look decentralized and transparent. But he could just as easily assign a bunch of roles to bots he controls. Plus, Reto would be in charge of all the taker bots, since anyone can jump in and be a taker. This setup lets Reto secure a two-thirds majority in any disputes that come up.

So, when it comes to pulling off an attack in this scenario, the odds are nearly 99.99% in favor of success. That’s because, when the attack happens, most of the arbiters and takers will likely be bots, all under Reto's control, making them the real weak link in the system.

> arbitrator selection by the maker - the maker can select an arbitrator from a trusted list rather than relying on random assignment (the current default)

The network operator is probably going to kick out all the human arbiters before they carry out the rug pull. This means the makers won’t have any choice but to use arbiter bots. Plus, the makers won’t really have a chance to dispute anything because a taker bot will just send a fake "I have paid" message even though they haven't actually paid. Then, that taker bot will start a dispute, leaning on the arbiter bot to back them up and go after the maker's funds unfairly.

In the end, the arbiter will take the 15% security deposit from the maker, while the taker bot walks away with the trading funds and its own 15% security deposit. The key thing to remember here is that both the taker and arbiter bots are under the control of the network operator, so all that money ends up in their hands, leaving the maker with nothing.

> trade limits per client - restricting the number of active trades or funds at risk per client further reduces potential damage from a dishonest arbitrator

If you try to limit how many active trades takers can have, it won’t really make a difference because anyone can be a taker. So, the network operator (or reto admin) could just set up as many taker bots as they need to get around those limits.

> in contrast, centralized exchanges like localmonero, lm, etc require full trust in the platform operators, because they take full custody of traded funds and can easily steal them at that time

I totally agree with you that most p2p platforms (like centralized exchanges) usually hold full custody of the funds since they require pre-funding for trades. But OpenMonero is different because it doesn’t need sellers to fully fund their trades upfront thanks to its self-custodial trade funding setup. The platform can’t access all of the liquidity at once unless every seller decided to post their bonds at the same time, which is statistically improbable.

It’s also worth mentioning that LocalMonero used to lack the self-custodial trade funding option, meaning that seller funds were always at risk while they waited for trade requests. Right now, OpenMonero can only tap into a maximum of 2% of the total liquidity at any given time, unless every seller posts their externally funded bond at the same time, which remains statistically improbable.

So, we can say that OpenMonero acts like a centralized exchange, but the liquidity is actually decentralized thanks to the self-custodial trade settlements for buyers and self-custodial trade funding for sellers. I suggest checking out the examples on simplifiedprivacy.com for more insights, especially if you’re looking into advanced examples.

> reputation can be easily faked, so does not provide any guarantee of trustworthiness in trade partners

No system is perfect, but it's fair to say that having a reputation system is definitely better than having no verification at all. It’s worth mentioning that faking a reputation system isn’t easy and it requires a lot of money and time. Sure, someone could try to create fake trades on OpenMonero, but the system can pick up on that pretty quickly (for ex, if someone makes 1000 trades in a short period, that would definitely raise some eyebrows)

Sellers/Buyers can also check users' Telegram handles through trusted sites like localmonero.co or confirm PGP keys from reliable sources, including LocalMonero and imported profiles.

Plus, you can’t do coin-locking on OpenMonero since sellers need to fund trades manually. It’s not an automated process like on networks like Haveno, which really helps to reduce the chances of exit scams. When it comes to offers on OpenMonero, they’re not fully funded right away. You only need 0.35 XMR to list an ad in the search results. This is mainly to fend off spam listings, but it can also help fund smaller trades. If a trade is bigger, sellers have the option to use an external, fully isolated wallet to fund the transaction and keep themselves safe from any potential scams right from the start.

> they can collect and store sensitive trade details across all traders

I don’t have an admin panel to keep track of trades or messages, and users can set up self-destructing messages right after a trade or completely delete their accounts. This kind of feature probably wouldn’t work in decentralized systems since all data is saved on multiple nodes. Also, the OpenMonero wallet creates a new address every time you make a deposit to help keep your privacy intact.

> they're more likely to be shut down due to legal compliance, and you're left to find a new service

My identity is kept private, and OpenMonero vendors don’t have to go through any KYC checks, which means we can totally work outside of regulations. This works because the platform isn't custodial, it's open-source, and you can access it via Tor hidden services and I2P. So, even if the clearnet domain gets taken down by the authorities, the exchange would still run smoothly. Anyone can self-host the frontend or even fork the code to make their own OpenMonero version. Plus, we’re working on a Nostr-based version that lets anyone become an escrow provider or self-host the frontend without needing any backend. This would make it super resistant to censorship. Check out the interview for more details!

> ultimately users should consider the trustworthiness of the haveno network they're using and its arbitrators, but these networks provide greater decentralization, privacy, and control of funds than centralized services, which are a single point of failure

Most of my vendors don’t really need to trust me because they don’t have to download any software or put down trading funds upfront to get trade requests (unlike Haveno). This really cuts down the chances of exit scams right from the start, and it keeps their personal files safe from malicious access. The OpenMonero web app runs smoothly in any browser and doesn’t connect to the user’s system, which is way different from Haveno that needs to be installed and has a daemon running all the time on your computer (definitely a recipe for keyloggers and shady auto updates). Plus, the built-in non-custodial wallet in Haveno isn’t very secure since malicious updates could come with keyloggers to snag your private keys. But with OpenMonero, vendors can fund their bonds using totally isolated wallets like Cake Wallet, Moneroju, Monero Wallet CLI, Feather Wallet, Trezor, and more.

The Haveno platform mainly looks out for the network operators, but it doesn’t really do much to protect market makers. This leaves them open to the risk of exit scams since the liquidity, the most important asset, is fully controlled by the network operator.

Also, let’s be clear: Haveno isn't truly decentralized. Accounts and order books don’t get shared between different Haveno instances, which creates a fragmented setup that’s kind of like a local network. The system would work a lot better if there was one big network where accounts and offers were merged from various instances instead of just having this isolated system run by a single operator. That’s not how decentralization should work.

When we talk about fund security, decentralization isn’t the most important factor. What really matters are things like how quickly trades get finalized, self-custodial trade settlements and self-custodial funding, along with a solid reputation system. Without a reputation system, there’s no trust between trading partners. Plus, if we don’t have self-custodial settlements or funding, the admin could easily run off with all the liquidity.

I’d love to keep the conversation going if you have any other points you want to bring up. I think Haveno does a pretty good job of protecting network operators, and I really appreciate that it’s open-source!

However I think OpenMonero is more safe (multi-sig vs self-custodial) and has 98% less risk of total liquidity being jeopardized at all times. The occurrence of exit scams is relatively low within this model.

Reference: https://archive.ph/GsDsn
Interview: https://simplifiedprivacy.com/openmonero-interview-with-the-dev/compared-to-reto.html

#Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides #Bisq #cakewallet #haveno #retoswap #trading #p2p #escrow #localmonero #dex

http://openmonero.i2p frontend can be self-hosted as well ( ...

2025-03-01T22:52:35+01:00

In reply to nevent1q…4dw6
_________________________

http://openmonero.i2p

frontend can be self-hosted as well ( https://openmonero.com/readme)

I could do shotgun scamming but exit scamming is not really ...

2025-03-01T22:32:32+01:00

In reply to nevent1q…jnfc
_________________________

I could do shotgun scamming but exit scamming is not really possible due to self-custodial trade fuding (sellers) and self-custodial trade settlements (buyers). Plus the nostr based version is almost finished.

Build from source Recommended node version (use nvm): v14.21.3 ...

2025-03-01T22:16:19+01:00

In reply to nevent1q…uhpx
_________________________

Build from source

Recommended node version (use nvm): v14.21.3

sudo apt install torsocks
torsocks git clone http://rf5cqoxqlitdx4umuce5dgihjzabql4hs3zjkvs3em7xzjfa5yyhkeqd.onion/om/openmonero-reactjs.git
cd openmonero-reactjs
npm install
npm start

Yes, check the openmonero-reactjs repo hosted on forgeo. Link is ...

2025-03-01T22:13:10+01:00

In reply to nevent1q…uhpx
_________________________

Yes, check the openmonero-reactjs repo hosted on forgeo. Link is in the popup if you click the "Open source arttribute" inside "Why use our service". Its the same code and can be self-hosted over tor hidden service.

For added security, the mobile app is not native (PWA) to have ...

2025-03-01T17:22:13+01:00

In reply to nevent1q…mfdh
_________________________

For added security, the mobile app is not native (PWA) to have isolation from the filesystem. The web app is built with reactjs (selfhosting with docker possible), while the nojs version is based on php (codeigniter 4 framework)

Its already under construction. Quote Simple: That’s cool, so ...

2025-03-01T16:28:51+01:00

In reply to nevent1q…7u74
_________________________

Its already under construction.

Quote Simple: That’s cool, so in the future, this can work entirely as a front-end javascript linked to Nostr? Then the site itself could be on Arweave or IPFS.

Quote OpenMonero: The decentralized exchange will offer a selection of various escrow providers, arbitrators, and instances for users to choose from. Users will not be required to create accounts with each individual provider. All escrow providers utilize the same backend code, and to engage with a specific provider, one merely needs to be aware of its domain (no additional configuration or setup is required).

Trusted escrow providers will be hardcoded into the code, while untrusted providers will be accessible through an integrated distributed hash table (DHT) network. The utilization of a DHT is crucial, as hardcoded directories are inherently susceptible to censorship. Furthermore, this approach surpasses that of a federated network, since defederation is neither necessary nor possible; the reputation system in place effectively mitigates spam from the outset.

Source: https://simplifiedprivacy.com/openmonero-interview-with-the-dev/compared-to-reto.html

https://openmonero.com/readme or https://nojs.openmonero.com ...

2025-03-01T16:20:51+01:00

In reply to nevent1q…5fzn
_________________________

https://openmonero.com/readme
or
https://nojs.openmonero.com => click the 'Open source code attribute' inside 'Why use our service'

The Haveno network operators can steal 3177 XMR, assuming the ...

2025-03-01T15:54:11+01:00

In reply to nevent1q…e8lv
_________________________

The Haveno network operators can steal 3177 XMR, assuming the investment stays safe and comes back to the taker bots. Once the investment returns, the same taker bot can just do the same thing again. In theory, one taker bot with an amount of XMR equal to the highest maker security deposit could clear out the entire order book since its balance goes up with every completed trade. So, it’s really just a matter of time before the whole order book is wiped out. Even worse, if you’ve got multiple taker and arbiter bots working simultaneously, you could clear the whole order book in just a second. All you need.

The reason is that a shady arbiter bot backs the taker bot and will side with them in any disputes. Moreover, the arbiter bot can also hit all the market makers with penalties, taking away their 15% security deposits.

You don't really need to invest a lot to liquidate the entire order book and my examples are not necessary (unless you want to clear the order book in the first round) as the balance of each taker bot demonstrates substantial, logarithmic growth following each transaction. This is because taker bots always go for the highest maker offer in the pot first.

#haveno #monero #rugpull #scam #hacking #opsec #xmr #retoswap #havenoreto #openmonero #exitscam

If the openmonero website goes down, the damage would be minimal. ...

2025-03-01T15:29:35+01:00

In reply to nevent1q…589c
_________________________

If the openmonero website goes down, the damage would be minimal. On the other hand, if the Haveno arbiter bots go rogue, they could rug pull at least 3177 XMR + 15% security deposits of all market makers. The difference is that openmonero's offers aren’t pre-funded, so there’s not much to steal.

#haveno #monero #rugpull #scam #hacking #opsec #xmr #retoswap #havenoreto #openmonero #exitscam

That exactly how openmonero works; Quote from the interview ...

2025-03-01T14:58:43+01:00

In reply to nevent1q…gmgj
_________________________

That exactly how openmonero works; Quote from the interview recorded on simplifiedprivacy

The minimum requirement of 0.35 XMR security deposit for sellers on OpenMonero is there to help cut down on spam offers. While it’s not really meant to fund an offer, you can still use it for that (or just fund the difference) as long as the buyer’s trade request is no more than the security deposit.

Both the seller and the buyer can cancel a trade request if they feel like the other person isn't trustworthy since no xmr is locked at this early stage. Right now, the seller is chatting with the buyer and checking out their reputation, looking at things like how long they've been registered and what kind of feedback they've received. Should all evaluations meet satisfactory criteria, the seller has the option to secure an arbitration bond utilizing either an internal wallet (security deposit) or an external wallet (such as Cakewallet, Moneroju, Feather Wallet, Monero CLI Wallet, etc.)

For big trades, the seller might choose to fund the bond from a separate external wallet to avoid any potential scams from the arbitrator right from the start. On the other hand, for smaller trades, its usually easier for the seller to just use the internal wallet (security deposit) for the bond. By allowing both types of wallets for funding, the platform strikes a good balance between keeping things liquid and secure.

If there weren’t an option for external bond funding, there's a chance that an arbitrator could run off with all the money. But because funding is done manually, it really cuts down the risk of good exit scams or bots locking up coins.

#haveno #monero #rugpull #scam #hacking #opsec #xmr #retoswap #havenoreto #openmonero #exitscam

Nothing would stop the Haveno network operators from making ...

2025-03-01T14:37:25+01:00

In reply to nevent1q…lxu2
_________________________

Nothing would stop the Haveno network operators from making automated fake orders if the money pool gets big enough. The Haveno pot gets bigger with each new offer, while more offers on OpenMonero don’t necessarily mean more XMR in the pot since vendors only need to put down a security deposit of 0.35 XMR to list as many offers as they want. So, you could see 1,000 offers from different vendors on OpenMonero, but the admin might only hold 350 XMR (1,000 offers x 0.35xmr) in custody because of how self-custodial trade funding works.

It’s also worth mentioning that a decent exit scam usually needs to involve at least 1 million dollars; no one’s going to pull an exit scam for just 80k (1,000 offers x 0.35 XMR x 231 USD). OpenMonero was redesigned in Nov 2024 to help prevent exit scams from happening in the first place.

#haveno #monero #rugpull #scam #hacking #opsec #xmr #retoswap

Reference: https://rl.bloat.cat/r/Monero/comments/1h4icot/is_haveno_anymore_secure_than_trading_with_a/

Its hosted on forgeo on a tor hidden service. Go to ...

2025-03-01T12:23:57+01:00

In reply to nevent1q…5fzn
_________________________

Its hosted on forgeo on a tor hidden service. Go to openmonero.com and click the "Open source code" attribute inside "Why use our service"

Thank you for adding openmonero.com to the list. 🤙

2025-03-01T12:14:29+01:00

In reply to nevent1q…sx53
_________________________

Thank you for adding openmonero.com to the list. 🤙

Hello Nostr! I'm the dev behind OpenMonero.com This is my ...

2025-02-27T15:22:43+01:00

Hello Nostr! I'm the dev behind OpenMonero.com

This is my first post. I'm here to bring transparency and harm reduction. Check out my latest audit for haveno: Shady arbiters can steal the entire liquidity from the order book. All you need is just 2 bots. Its crazy.
https://simplifiedprivacy.com/openmonero-interview-with-the-dev/compared-to-reto.html

Issue confirmed by official monero moderator on dread: http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/4e7e530582ff902b6903/#c-cac5570453f7fa9f42
Quote from /u/monero_desk_support: After some thoughts, I think you are right and that the arbitration system in Haveno doesn't prevent arbitrators from pulling the funds. They would need to create a bot that takes all the offers and automatically unlock the funds with the key of the taker and arbitrator

#introductions #Privacy #Markets #HiddenService #News #Work #Monero #Crypto #Hacking #HarmReduction #Guides