xmr.club
/exchanges · verified 2026-05-25

Bisq (classic)

A

The original P2P BTC↔fiat exchange. Multisig escrow, desktop app, no KYC.

Incident timeline

  1. 2026-05-01 Bisq v1 trade-protocol exploit — missing validation on negative network-fee values let an attacker drain ~11.59 BTC from active trades.
  2. 2026-06-11 (auto) No new public developments per the weekly incident-watch scan; advisory stands. Prefer Bisq 2 / patched clients and avoid stale v1 offers.
  3. 2026-06-21 (auto) On 2026-06-16 Bisq published a status update beyond the May post-mortem: DAO proposal #481 was accepted 2026-05-25 and affected victims were reimbursed 2026-06-05 via Refund Angels (~10.99 BTC of 11.59 BTC total loss; one trader has not filed). Security hardening for Bisq 1/2 is largely done but reproducible builds…
  4. 2026-06-22 (auto) On 2026-06-16 Bisq published a status update beyond the May post-mortem: DAO proposal #481 was accepted 2026-05-25 and affected victims were reimbursed 2026-06-05 via Refund Angels (~10.99 BTC of 11.59 BTC total loss; one trader has not filed). Security hardening for Bisq 1/2 is largely done but reproducible builds…
  5. 2026-06-23 (auto) On 2026-06-16 Bisq published a status update beyond the May post-mortem: DAO proposal #481 was accepted 2026-05-25 and affected victims were reimbursed 2026-06-05 via Refund Angels (~10.99 BTC of 11.59 BTC total loss; one trader has not filed). Security hardening for Bisq 1/2 is largely done but reproducible builds…

At a glance

Grade: A
KYC posture: anonymous signup
Fees: 0.1–0.7% trade fee · multisig + arbitration · SEPA / F2F
Last verified: 2026-05-25
Operating since: 2017 · 9y
Incident: ⚠ Active since 2026-05-01 — /incidents

Why grade A?

Best evidence tier. Signup tested end-to-end by an xmr.club curator — deposit + withdrawal + edge cases. No-KYC posture verified at retail volume. Last verified within 12 months.

Full rubric + 7-step verification walkthrough at /methodology.

Review

Bisq (classic) is the original, battle-tested P2P BTC↔fiat exchange protocol — multisig escrow with arbitrator-mediated dispute resolution, decentralised peer-to-peer trading over Tor, desktop application running locally on your machine, no KYC under any circumstances. Listed at Grade A for the structural strengths (protocol-escrow, named-arbitrator dispute path, multi-year operational history) and for being the canonical reference P2P exchange in the privacy-tooling space. Critical context: a 2026-05 v1-protocol exploit is in active remediation — see the dedicated section below. Recommended posture: update to patched v1.9.x+ before any trade, and prefer Bisq Easy (Bisq 2) for new trades where it covers your use case.

Active incident (2026-05-01). On 2026-05-01 a v1 trade-protocol exploit was disclosed and exploited — a missing validation on negative network-fee values allowed an attacker to drain approximately 11.59 BTC from active/open offers. The Bisq Network responded by halting trading via an emergency version flag until clients updated to a patched version. The post-mortem is published at bisq.network/blog/security-incident-post-mortem/. Curator advice: (1) update to Bisq v1.9.x+ (the patched line) before any trade; (2) verify signed releases before running (Bisq's signed-release workflow is documented on the website); (3) for new trades, prefer Bisq Easy (Bisq 2) which uses a different protocol surface and was not affected by this v1-specific exploit. The Grade A is held *with the incident context flagged* — the exploit is severe but the protocol's response (emergency-flag halt, public post-mortem, patched release) is the response we'd want; the underlying lesson is that complex protocol-escrow surfaces have a non-trivial attack surface, and Bisq Easy's reputation-gated simpler-surface model is the lower-attack-surface alternative for small trades.

Background. Bisq (originally "Bitsquare") was launched as an open-source desktop P2P Bitcoin exchange in 2014 by Manfred Karrer, with the design goal of providing decentralised non-custodial Bitcoin trading without a central operator. Renamed to "Bisq" in 2017, the project transitioned to a contributor-DAO governance model with the BSQ token aligning long-term contributor incentives. It has been operating continuously for 10+ years — the longest-running decentralised P2P Bitcoin exchange. It is open source under the AGPL license. The protocol uses 2-of-2 multisig escrow (buyer + seller signatures, with arbitrator key as a third-party fallback for disputes) and operates over Tor by default — every Bisq client routes traffic through Tor onion services for both peer discovery and trade communication. Bisq Easy (a.k.a. Bisq 2) is the newer streamlined chat-based mode launched in 2023; it's listed separately at xmr.club under id `bisq-easy`. The two coexist — Bisq classic for protocol-escrow heavy-duty trades (typically $1k+), Bisq Easy for reputation-gated small trades ($50-$500).

What you trust. 2-of-2 multisig escrow — both buyer and seller deposit BTC into a multisig wallet at trade open; cooperation between buyer and seller releases funds at trade complete; if the trade fails, the arbitrator's key can co-sign the release based on evidence from the dispute. Arbitrators are named community members — not anonymous oracles but Bisq Network contributors with public reputation and a deposit at stake. Tor by default — every Bisq client routes through Tor; no operator-facing IP leakage, no centralised meeting point that could be subpoenaed. No central operator — Bisq Network is a contributor-DAO with no company to subpoena; the application is open-source AGPL and the protocol is the only enforcement layer. Reputation-stakes for arbitrators — arbitrators have published identities and are accountable for their decisions; an arbitrator who acts in bad faith loses their position and deposit. The 2026-05 incident exposed that the v1 trade protocol had a missing validation that allowed a fee-related attack. The trust model wasn't structurally broken (the multisig escrow still works as designed) but the protocol surface had a specific bug that needed remediation. Post-remediation, treat Bisq classic as "battle-tested with a recent visible patch cycle."

Operational specs. Platform: desktop app (macOS, Windows, Linux) — no web client, no mobile. Distributed via bisq.network with signed releases. Trading pair: BTC ↔ fiat (USD, EUR, GBP, JPY, and many local currencies) + BTC ↔ many altcoins (LTC, BCH, etc.; note Bisq classic supports altcoin pairs that Bisq Easy doesn't). Payment methods: SEPA bank transfer, F2F (face-to-face) cash, gift cards (specific brands), Revolut, Wise, Zelle (US), Interac e-Transfer (Canada), and many region-specific options. Trade size: $200-$50k+ typical; larger trades take longer to clear (multisig + arbitration timeline is structurally days-not-minutes). Trade timeline: hours for fast payment methods (SEPA fast, Wise) to days for slower fiat-clearing methods; the protocol is intentionally not optimised for speed. Fees: 0.1-0.7% trade fee (BSQ holders pay the lower end via fee-discount mechanism); plus multisig on-chain costs (BTC fees). No KYC under any circumstances — there is no KYC mechanism in the protocol; identity is a persistent pseudonym tied to your trade history and (optional) BSQ holdings. Arbitration: named arbitrators with public identities; disputes escalate through a defined process with evidence submission and arbitrator decision. Open source AGPL — anyone can audit; anyone can fork.

Philosophy. Bisq classic's editorial differentiator is the protocol-escrow-with-arbitration model — the strongest trust posture in any P2P fiat exchange. Bisq Easy uses reputation (no protocol escrow; fast for small trades). RoboSats uses Lightning hold-invoices (protocol escrow without on-chain cost; fast but Lightning-only). Bisq classic uses on-chain multisig with named arbitrators (heavyweight but bulletproof for large fiat→BTC trades). The trade-off: operational overhead — running the desktop app, waiting for multisig confirmations, accepting that disputes take days, accepting that the trade-timeline is hours-to-days not minutes. For large fiat→BTC trades where the trust math matters more than the speed, Bisq classic is the canonical pick. The 2026-05 incident is a reminder that even battle-tested protocols have non-zero attack surface; the response (rapid halt + patch + public post-mortem) is the model the privacy ecosystem hopes for from incident-handling.

Grade rationale. Grade A reflects: 10+ year operational continuity (the longest-running decentralised P2P BTC exchange); open-source AGPL codebase; decentralised contributor-DAO operator structure (no central party to subpoena); no KYC under any circumstances; 2-of-2 multisig escrow with named-arbitrator dispute path (the strongest trust model in P2P fiat exchanges); Tor-by-default architecture; broad payment-method coverage (SEPA, F2F, Wise, Revolut, Zelle, Interac, etc.); altcoin-pair support that Bisq Easy doesn't carry; cross-listed in KYCnot and web3privacy peer directories. The Grade A acknowledges the 2026-05 v1-protocol incident — the response (emergency halt, patched release, public post-mortem) is the model we'd want, so the incident itself is an observed-and-handled risk rather than an outstanding one. Re-evaluation trigger: if v1.9.x+ patched releases see secondary incidents in the next 90 days (2026-08-01), the grade is at risk. Last verified 2026-05-12, incident verified 2026-05-21.

Useful when. You're doing a large fiat→BTC trade ($1k+) and want the strongest trust posture available in P2P fiat exchanges (multisig escrow + named arbitrator dispute path). You're trading altcoins peer-to-peer — Bisq classic supports altcoin pairs (LTC, BCH, etc.) that Bisq Easy doesn't. You're in a region where Bisq's payment-method coverage (SEPA, F2F, Wise, Revolut, Zelle, Interac, plus region-specific options) is more comprehensive than alternative P2P platforms. You're comfortable with the desktop application, the multi-day trade timeline for slower payment methods, and the multisig confirmation choreography. You've been a Bisq user historically and want to continue with the protocol you trust. For new users with sub-$1k trades: consider Bisq Easy first — it covers small trades with less operational overhead and was unaffected by the 2026-05 v1 incident.

Caveats. 2026-05 v1-protocol incident remediated — update to v1.9.x+ before any trade; verify signed releases before running; see dedicated section above. Desktop only — no web client, no mobile; if you don't run a desktop OS or refuse to install a desktop app, Bisq classic isn't an option. Operationally heavy — multisig on-chain confirmations + multi-day fiat-clearing methods mean trades clear in hours-to-days, not minutes. Steep learning curve — Bisq's UI is engineering-tool-aesthetic; first-time users should expect to read documentation and run small trades to build familiarity. Initial blockchain sync — Bisq downloads the BTC block headers and Tor onion-routing state on first run; expect 5-20 minutes setup before the first trade. Smaller liquidity than custodial alternatives — for the same convenience you'd get from a centralised exchange, expect to pay a small protocol-overhead premium. BSQ token is a separate evaluation — Bisq's governance/fee-discount token has its own market dynamics; treat BSQ holdings as protocol participation rather than as a trade-able asset. No native XMR support — Bisq classic is BTC-only on the buy-side; for fiat → XMR P2P, use Haveno (Monero-native fork of Bisq). Arbitrator-dispute timeline — when a trade goes to arbitration, expect days for evidence submission and arbitrator decision; this is the price of the protocol-escrow model.

2026-05-25 update. Per Grok x_search and Bisq community channels: the Bisq DAO is voting on a compensation plan for users affected by the 2026-05-01 incident, with reimbursement proposed in BTC or BSQ from DAO reserves. The vote was scheduled around 2026-05-25; outcome should be public on the Bisq Network's governance forum shortly after. This is a meaningful editorial point in favour of the Grade A: the protocol's response now includes both a patched release and a structured DAO-governance compensation process — exactly the response shape privacy infrastructure wants to see from incident-handling. Affected users should monitor https://bisq.network and the Bisq DAO governance discussion for the vote outcome. The conditional A grade is held with the 90-day re-evaluation trigger (2026-08-01) still in place pending DAO vote outcome + sustained operation on the patched code.

Live ops data

kyc.rip hasn't routed swaps through Bisq (classic) yet, so we have no first-party settlement data (typical XMR settlement, slow-tail, confirmations) for it.

Integration status does not affect this provider’s grade or review.

Links

Sourced from operator pages — verify identity via more than one channel before trusting time-sensitive instructions.

Audit trail — receipts for the editorial claim

  • UPSTREAM Up · HTTP 200 · 27ms · checked 53m ago
  • ONION No .onion mirror listed
  • MANUAL Last manual verification 2026-05-25 (<90d)
