Case file · Exchange
Bisq
A decentralized exchange that is software, not a company. No account, no KYC, funds in 2-of-2 multisig you control.
The systematized overview
The bureau vs the internet.
7.5/10 · Guaranteed no-KYC
On identity, Bisq is close to flawless: no account, no email, no KYC, funds held in multisig you co-control. The serious asterisk is security - the Bisq 1 trade protocol has a repeated pattern of logic exploits, including 11.59 BTC stolen in May 2026, and as of our review Bisq 1 trading remains halted for security remediation with critical audit findings outstanding. Past victims were reimbursed via the DAO, but the risk is real and current - treat this as a live, provisional verdict.
3 recurring praises · 3 recurring gripes
Most praised: genuinely non-custodial and no-kyc, with strong privacy. Most cited downside: app is sluggish with a steep learning curve.
We track our editorial score and community sentiment separately — neither moves the other. Read together, they're the systematized overview.
The facts
Custody & jurisdiction.
- Jurisdiction
- No legal entity; the Bisq DAO (BSQ token governance)
- Custody
- Non-custodial - 2-of-2 multisig controlled by the two traders
- Escrow
- 2-of-2 multisig + refundable 15%-50% security deposit (Bisq 1)
- Traded
- BTC + fiat, plus altcoins incl. XMR/BTC (Bisq 1)
- Fiat rails
- No - fiat moves directly between traders
- Payment methods
- Many; full list on the Bisq payment-methods wiki
- Payment privacy
- Tor by default; XMR/BTC market exists; payment details shared peer-to-peer only
- Disputes
- Chat, then mediation, then arbitration - agents hold no multisig key
- KYC trigger
- None - no account and no identity requirement exists
- Open source
- Yes - AGPLv3, github.com/bisq-network
- Audited
- A 2026 audit surfaced critical findings (remediation ongoing); no earlier named report found
- Operating since
- 2016 (Bisq 1); Bisq 2 / Bisq Easy newer
The full read
Our analysis, in plain words.
Bisq answers the "what if the exchange itself is the threat" question by removing the company entirely. It is open-source software run by a DAO, with no signup, no email and no KYC, and funds held in a 2-of-2 multisig that only you and your trading partner can move - not Bisq, not a mediator. On privacy and custody design it is about as strong as this category gets, and a specialist no-KYC directory (kycnot.me) scores its privacy 99/100.
The problem is not identity or custody betrayal - it is code. The Bisq 1 trade protocol has been exploited more than once through logic bugs: the 2020 donation-address attack (~3 BTC + 4,000 XMR) and, more seriously, a May 2026 negative-miner-fee bug that let an attacker drain 11.59 BTC from ten users. Following a mid-2026 security audit, Bisq 1 trading was halted for remediation, which remained the live status as we reviewed it.
Two things keep Bisq respectable despite that: the DAO moved to make victims whole rather than disappearing (fully reimbursing the 2026 losses, and proposing repayment for 2020), and the newer Bisq 2 / Bisq Easy path avoids the vulnerable v1 protocol (at the cost of small trade limits and a seller-reputation system). Our verdict reflects the split honestly - privacy near the top of the category, reliability near the bottom because the core product is halted mid-remediation - which is exactly the kind of trade-off a buyer deserves to see before trusting a platform with a transfer. Treat the Bisq score as provisional until trading resumes and the critical findings are patched.
The score, broken down
How the 7.5 is built.
Privacy
weight 50%What identity, data and metadata the service can demand or collect.
92 × 50% = 4.6 of 10
Trust
weight 30%Whether it can technically deliver what it claims — code, audits, age.
74 × 30% = 2.2 of 10
Reliability
weight 20%Whether the no-KYC claim holds under real-world pressure.
35 × 20% = 0.7 of 10
Weighted total 7.5 / 10 · no reliability rule triggered, so the score stands. See the rubric →
Every point, sourced
What earned the score.
Privacy
The fine print, read for you
The clause they bury.
“Bisq requires no registration or KYC, protecting your privacy.”
What it meansThere is no signup step at all - no email, no account. Combined with 2-of-2 multisig that even Bisq mediators cannot unilaterally move, the no-KYC posture is structural, not a revocable promise.
Read the source →“The taker defines the miner fee for the trade transactions and passes that value to the maker. This value was not validated against negative numbers, allowing the attacker to cause the maker to calculate an incorrect output value for the multisig output.”
What it meansThis is the May 2026 exploit in Bisq’s own words - a logic bug in the Bisq 1 trade protocol that let an attacker drain 11.59 BTC from 10 users. It was not a KYC or custody betrayal, but it shows the v1 protocol is the risky surface. Prefer Bisq 2 / Bisq Easy for smaller trades.
Read the source →None. Bisq never asks for identity - there is no account, no email, and fiat moves directly between traders. The constraints are economic (a refundable 15%-50% security deposit on Bisq 1) and, on Bisq 2 / Bisq Easy, a seller reputation score - not identity verification.
Policy review — point by point
-
No identity clause anywhere
There is no account and no terms surface that reserves a right to demand ID; the FAQ confirms no registration or KYC. ↗
-
Mediators cannot seize funds
Since v1.2, trade funds sit in 2-of-2 multisig controlled only by the two traders; dispute agents hold no key. ↗
-
Repeated trade-protocol exploits
The v1 protocol was exploited in 2020 and again in May 2026 (11.59 BTC), with a 2026 audit-driven trading halt following. ↗
Bisq is explicitly "not a company or legal entity of any kind" - it is governed by the Bisq DAO through the BSQ token. That makes it extremely resistant to being shut down or compelled, but it also means there is no incorporated entity, no stated jurisdiction, and your recourse after an incident is a DAO reimbursement vote rather than a legal claim.
We keep watching
Incident & policy timeline.
- Apr 2020
Donation-address exploit: ~3 BTC + 4,000 XMR stolen
An attacker abused the v1 fallback "donation address" mechanism in the XMR/BTC market, taking roughly 3 BTC and 4,000 XMR from 7 victims. Trading was disabled via the alert key and fixed in v1.3.0; the DAO proposed to repay the 7 victims from future trading revenue.
source ↗ - May 2026
Negative-miner-fee exploit: 11.59 BTC stolen
A second Bisq 1 protocol logic bug (an unvalidated negative miner fee) let an attacker drain 11.59 BTC from 10 users on altcoin trades. Bisq noted the vulnerability was found using AI-assisted analysis. Affected users were fully reimbursed in BTC (completed June 2026) via "Refund Angels" advancing funds subject to a DAO vote.
source ↗ - Jun–Jul 2026
Precautionary Bisq 1 trading halt after audit
Following a security audit that surfaced critical findings, Bisq 1 trading was halted to remediate and, as of our review, remains paused. Existing trades could complete; Bisq 2 and the Haveno fork were reported unaffected. Re-check current status before trading.
source ↗
The verdict
Where it stands.
Strengths
- No account, no email, no KYC - among the strongest privacy profiles anywhere
- Non-custodial: funds sit in 2-of-2 multisig you co-control, not with Bisq
- Fully open source (AGPLv3) with transparent DAO governance
- Reimbursed exploit victims through the DAO rather than walking away
Trade-offs
- The Bisq 1 trade protocol has a repeated pattern of logic exploits (2020, 2026)
- Bisq 1 trading remained halted for security remediation as of our review
- No named independent audit report exists prior to 2026
- Sluggish app, steep learning curve, and thin liquidity in many markets
- High security deposits (15%-50%) to open a Bisq 1 trade
Across the internet
What reviewers report.
Consistently praised
- Genuinely non-custodial and no-KYC, with strong privacy
- DAO reimbursed exploit victims rather than vanishing
- Reliable core P2P functionality for patient users
Recurring complaints
- App is sluggish with a steep learning curve
- Thin liquidity in many markets; high security deposits
- Repeated Bisq 1 security incidents shake confidence
Sentiment is a mix of deep respect for the privacy model and frustration with UX, liquidity and - increasingly - security incidents. Reddit threads were not directly reachable during research; this synthesis leans on the independent kycnot.me listing and Bisq’s own post-mortems and should be refreshed with a manual forum pass.
Ask the bureau
Bisq, common questions.
Does Bisq require KYC or an account?
No. Bisq is software, not a company - there is no registration, no email, and no identity check. Funds are held in a 2-of-2 multisig that only you and your counterparty can move, which is why we rate it KYC level 0.
Is my money safe on Bisq?
Custodially, yes - Bisq cannot touch your funds. But the Bisq 1 trade protocol has suffered repeated logic exploits (11.59 BTC was stolen in May 2026), and trading was halted for audit remediation during our review. Victims have been reimbursed by the DAO, but treat Bisq 1 as higher-risk and prefer Bisq 2 / Bisq Easy for small trades.
What is the difference between Bisq 1 and Bisq 2?
Bisq 1 is the classic 2-of-2 multisig protocol - flexible and higher-limit, but the surface that suffered every exploit. Bisq 2 / Bisq Easy is newer, reputation-based, has zero trade fees and no security deposit, but caps trades small (roughly $6-$600).
Why is reliability scored so low if it is non-custodial?
Because reliability measures whether the service holds up under real-world pressure, and Bisq 1 has been exploited more than once with a live trading halt during our review. Non-custodial protects you from Bisq stealing funds; it does not protect you from a protocol bug an attacker can exploit.
Your exact case not covered? The live Ask the bureau answers it and turns it into a public FAQ.