On 2026-05-20, security researchers flagged an exploit against RetoSwap, a Haveno-based Monero DEX. PeckShield's early estimate puts the drain at around 7,000 XMR pulled from on-chain multisig escrows — preliminary, and subject to revision. This is not a Monero protocol failure. It's a smart-contract-style failure in the escrow layer sitting on top of Monero.
TL;DR: RetoSwap, a fork of the Haveno P2P Monero DEX, was exploited on 2026-05-20. Funds sitting in multisig escrow were drained. Monero itself is unaffected. The incident is a reminder that where your coins sit during a swap — and for how long — is the security question that matters.
What happened on 2026-05-20
RetoSwap is a community fork of Haveno, an open-source peer-to-peer exchange for Monero modeled on Bisq. Trades on these platforms use 2-of-2 or 2-of-3 multisig escrows on-chain: buyer, seller, and arbitrator each hold a key, and funds release when two parties sign.
Per PeckShield's 2026-05-20 thread, an attacker exploited a flaw in how RetoSwap's escrow contracts validated signature ordering, allowing unilateral withdrawal from a subset of open trade escrows. The Haveno core team published a statement the same day clarifying that the upstream Haveno reference client was not affected — the bug appears specific to RetoSwap's fork.
Monero's network status page reported no chain-level anomalies. Blocks produced normally, the ring signature set was untouched, and Bulletproofs+ verification continued without issue. The loss happened entirely at the application layer.
Why this is an escrow-layer failure, not a Monero failure
It's worth separating three distinct things people call "Monero security":
- Protocol security — ring signatures, stealth addresses, Bulletproofs+, RingCT. Unaffected here.
- Wallet security — key management, seed phrases, view keys. Unaffected here.
- Application-layer security — exchanges, swap services, escrow contracts, custody software. This is where RetoSwap failed.
DEX-style platforms built on multisig escrow inherit a specific risk: as long as your coins are locked in escrow waiting for a counterparty signature, they sit in a contract whose code can have bugs. That window can be minutes for a fast trade, or hours-to-days if a counterparty is slow to respond. During that window, the escrow's correctness — not Monero's — is what protects you.
Attack surface: where do your coins sit during a swap?
Different swap architectures have different custody windows. Roughly:
| Swap architecture | Where funds sit | Typical window |
|---|---|---|
| Centralised exchange (account-based) | Exchange's hot/cold wallets | Indefinite — until you withdraw |
| P2P DEX with multisig escrow (Haveno-style) | On-chain multisig contract | Minutes to days, depending on counterparty |
| Atomic swap (HTLC-based) | HTLC contract on both chains | Minutes to ~hour |
| Pass-through swap aggregator | Aggregator's transient routing wallet | Typically ~8 minutes at the p50, up to ~30 at the p95 (per GhostSwap product metrics) |
The RetoSwap incident hit the second row. The escrow contract held funds, the contract had a bug, the funds were extractable.
This is structurally different from how pass-through swap services work. In a pass-through model, the service doesn't hold an open escrow position — it receives your incoming coin, routes through aggregated liquidity, and forwards the output coin. The custody window is typically ~8 minutes at the median and up to ~30 minutes at the 95th percentile (per GhostSwap product metrics), not minutes-to-days. Different model, different surface.
That's not a claim that pass-through is safer in all cases — both models have failure modes. It's a claim that the failure modes are different, and the RetoSwap exploit was specific to the escrow-contract model.
What Monero users should actually do this week
- If you had open trades on RetoSwap — check the official RetoSwap channels for the canonical loss-recovery process. Do not trust DMs offering "refund services." Phishing always follows incidents like this.
- If you use Haveno (the reference client, not RetoSwap) — the Haveno team's 2026-05-20 statement says the upstream client is unaffected. Update to the latest release anyway; security audits often surface adjacent issues.
- If you were planning to use RetoSwap — wait. The team will need to ship a fix, get it reviewed, and re-launch escrow contracts. Use alternatives in the meantime.
- If you hold XMR in a wallet you control — you are not affected. The exploit did not touch the Monero base layer or individual wallets.
How GhostSwap's pass-through model differs
GhostSwap is a no-KYC, non-custodial swap aggregator. No account, no email. Funds pass through; they are not held in long-lived escrow.
When you swap BTC for XMR via GhostSwap's BTC to XMR pair page, here's the flow:
- You enter the amount and your receiving XMR address.
- You send BTC to a deposit address generated for your swap.
- GhostSwap routes through aggregated liquidity from leading crypto markets.
- XMR arrives at your address. Median completion ~8 minutes; p95 ~30 minutes (per current product metrics).
There's no open escrow position, no multisig waiting on a counterparty signature, no contract holding funds while two humans coordinate. That removes the specific failure mode that hit RetoSwap. It does not remove all failure modes — pass-through services have their own risks (routing wallet compromise, liquidity-source counterparty risk) — but it's a different risk profile.
GhostSwap supports 1,600 pairs across BTC, ETH, XMR, SOL, and altcoin networks, with floating-rate pricing from aggregated liquidity. No KYC for swaps.
FAQ
Q: Did the RetoSwap exploit affect Monero itself?
A: No. Monero's protocol, network, and wallet software were unaffected. The exploit targeted RetoSwap's escrow contract logic — application-layer code that runs on top of Monero, not Monero itself. Per the Monero network status page on 2026-05-20, the chain operated normally throughout.
Q: Is Haveno safe to use?
A: The Haveno core team's 2026-05-20 statement says the upstream Haveno reference client was not affected — the bug appears specific to RetoSwap's fork. That said, any multisig-escrow DEX inherits escrow-contract risk by design. Use the latest reference client, follow the official release channels, and size trades to what you can afford to wait out.
Q: How is a no-KYC swap aggregator different from a DEX like RetoSwap?
A: Architecturally: a DEX uses on-chain escrow contracts that hold funds until counterparties sign. A pass-through swap aggregator like GhostSwap accepts your incoming coin, routes through aggregated liquidity, and forwards the output. The custody window is typically ~8 minutes at the median, up to ~30 at the 95th percentile — short, and not gated on a counterparty signature. Different architecture, different attack surface.
Q: What should I do if I had an open trade on RetoSwap when the exploit hit?
A: Check the official RetoSwap announcement channels for the canonical loss-recovery process and any whitehat-fund details. Do not respond to unsolicited DMs offering "recovery" or "refund" services — those are almost always phishing. If you posted bond or had funds in escrow, the RetoSwap team's official channels are your only reliable source.
For a concrete alternative while RetoSwap is paused, see the GhostSwap homepage swap widget — no account, no KYC, 1,600 pairs supported.
