On 2026-05-20, attackers drained user funds from RetoSwap — a popular Haveno fork that lets users trade Monero peer-to-peer through a decentralised arbitrator network. PeckShield estimates the loss at roughly 1,890 XMR (~$340,000 at the time of the incident). The exploit targeted a flaw in the multisig escrow contract used to hold trade collateral, not Monero's base layer. Monero itself was not compromised.
TL;DR: RetoSwap (a Haveno fork) lost ~1,890 XMR to a multisig escrow exploit on 2026-05-20. Monero's protocol is unaffected. If you were mid-trade on RetoSwap, your funds may be at risk; if you need to move XMR now, route through a non-custodial swap that does not pool user collateral.
What happened on 2026-05-20
RetoSwap is a community fork of Haveno, the open-source Monero-native P2P trading platform. Trades on these platforms are escrowed in 2-of-3 multisig wallets — buyer, seller, and arbitrator each hold one key — so that no single party can move funds unilaterally.
According to PeckShield's initial post-mortem (retrieved 2026-05-20), the attacker exploited a signing-flow bug that allowed a malicious arbitrator to combine signatures across multiple unrelated trades. Once combined, the attacker could move escrowed XMR out of dozens of in-flight trades simultaneously. The drain ran for roughly 47 minutes before RetoSwap operators paused the arbitrator pool.
The Haveno project responded the same day (retrieved 2026-05-20), confirming that the vulnerability exists in code Haveno itself ships and recommending all operators of Haveno forks pause new trades until a patched build is released. Monero core developers separately confirmed on monero.org (retrieved 2026-05-20) that the Monero protocol, ring signatures, and FCMP++ rollout are all unaffected — the bug lives in the trading-layer escrow logic, not in Monero itself.
What this means for Monero swap security
The broader takeaway is not "P2P trading is broken." It is more specific: any system that pools user funds in shared escrow — even a 2-of-3 multisig — concentrates risk at the escrow logic. When the logic has a flaw, every in-flight trade is exposed at once.
Three categories of XMR movement, ranked by surface area of pooled risk:
- Centralised exchanges with custody. All user XMR sits in exchange wallets. If the exchange is hacked or insolvent, every user is affected. Highest pooled risk.
- P2P platforms with shared escrow (Haveno, RetoSwap, similar forks). Only in-flight trades are at risk during an exploit window, but every concurrent trade shares the same escrow logic. Medium pooled risk.
- Non-custodial swap services that route funds through without holding them. Each swap is an isolated pass-through; there is no shared pool to drain. Lowest pooled risk for the user, though each individual swap still depends on the service completing the route.
This is not a claim that one model is universally "better." P2P trading offers things a pass-through swap cannot — direct fiat ramps, user-set prices, dispute arbitration. The point is that the failure modes are different, and the RetoSwap drain illustrates the specific failure mode of pooled multisig escrow.
If you were affected
If you had an open trade on RetoSwap on 2026-05-20, your funds may be among those drained. RetoSwap has published an incident response page (retrieved 2026-05-20) asking affected users to file claims; recovery prospects are uncertain at the time of writing.
If you were planning to use RetoSwap or another Haveno fork for an XMR trade but had not started one yet, the conservative move is to wait for the patched Haveno build and a clean security review before re-engaging.
Where to swap XMR while the dust settles
If you need to move into or out of XMR in the next few days, the safest category — given the specific failure mode that just played out — is a non-custodial pass-through swap that does not pool user collateral in shared escrow.
| Property | RetoSwap / Haveno forks | Centralised exchange | GhostSwap |
|---|---|---|---|
| Custody model | 2-of-3 multisig escrow (pooled) | Exchange holds funds | Non-custodial pass-through (per-swap) |
| Account / KYC | Account required for some forks | KYC required | No account, no KYC |
| Failure mode if exploited | Multiple in-flight trades drained | All user funds at risk | Single in-flight swap at most |
| Typical completion | Hours to days (P2P matching) | Minutes (internal book) | Typically ~8 minutes (p50); up to ~30 minutes (p95) per GhostSwap product metrics |
| Status on 2026-05-21 | Paused / under review | Operating | Operating |
GhostSwap is a no-KYC crypto exchange. No account, no email, no signup required. Funds pass through non-custodially — we never hold them. The service supports 1,600 pairs across major L1 and L2 networks (product data fetched 2026-05-21), with floating-rate pricing from aggregated liquidity from leading crypto markets. Median swap completion is typically ~8 minutes at the p50, up to ~30 minutes at the p95, depending on chain congestion (per GhostSwap product metrics).
That's not a claim that GhostSwap is immune to all forms of failure — no swap service is. It is a description of the structural difference: each swap is an isolated pass-through with no shared escrow pool, so the specific class of exploit that drained RetoSwap does not apply.
How to swap into or out of XMR on GhostSwap
- Go to the swap widget at the GhostSwap homepage. No account creation step.
- Pick your pair. For BTC → XMR, see the BTC to XMR pair page for live rates and pair-specific notes. For other entries see the full pair list at ghostswap.io.
- Enter your XMR receiving address and a refund address. The refund address is where funds return if the swap cannot complete. Double-check both — Monero addresses are long and a single-character error means funds cannot be recovered.
- Send the input coin to the deposit address shown. GhostSwap detects the on-chain deposit and routes the swap through aggregated liquidity. Completion is typically ~8 minutes at the p50 and up to ~30 minutes at the p95 (per GhostSwap product metrics), depending on the source-chain confirmation time.
- XMR lands in your wallet. No withdrawal step, no account balance to manage.
For users coming from a Haveno or RetoSwap workflow, the main difference is that there is no counterparty to wait on and no arbitrator in the path — the swap is a direct route, not a matched trade.
FAQ
Q: Is Monero itself affected by the RetoSwap exploit?
A: No. Monero core developers confirmed on 2026-05-20 that the protocol, ring signatures, and the FCMP++ rollout are unaffected. The bug is in the Haveno trading-layer escrow logic, not in Monero.
Q: Will I get my funds back if I was on RetoSwap during the drain?
A: Unclear. RetoSwap has published an incident response page for affected users; recovery prospects depend on what can be traced and clawed back. Treat any recovery as uncertain until RetoSwap publishes specifics.
Q: How long does a typical GhostSwap XMR swap take?
A: Typically ~8 minutes at the p50, up to ~30 minutes at the p95 (per GhostSwap product metrics fetched 2026-05-21), depending on the source-chain confirmation time. BTC → XMR is bounded mostly by BTC confirmation; ETH → XMR and SOL → XMR are usually faster.
Q: Does GhostSwap require an account or KYC to swap XMR?
A: No. No account, no email, no identity verification. You supply a receiving address and an optional refund address; funds pass through non-custodially.
Closing
The RetoSwap drain is a reminder that the custody model matters more than the marketing. If you want to move XMR in the next few days without pooled-escrow risk, a non-custodial pass-through swap is the conservative choice — see live rates on the GhostSwap homepage or browse the BTC to XMR pair.
For more on what non-custodial actually means in practice, see our custodial vs non-custodial swap explainer.
