How it works
Haveno is a desktop client written in Java that connects to a P2P exchange network entirely over Tor. Each trade is a 2-of-3 multisig contract on the Monero blockchain: the buyer holds one key, the seller holds another, and a network arbitrator holds the third. Two signatures release funds, so the arbitrator alone cannot move them.
Crypto pairs use XMR as the base currency — XMR↔BTC, XMR↔ETH, plus a long tail of altcoins. Fiat trades use real-world rails: SEPA, Zelle, PayPal in some networks, cash by mail, or face-to-face meets. The flow is: maker posts an offer, taker accepts, both lock collateral into the multisig, the fiat or crypto-out leg settles off-platform, and once both parties sign off, the multisig releases.
Crucially, the official haveno-dex repository does not operate a mainnet network. The project explicitly does not endorse any instance. Third-party operators — running their own seed nodes and arbitrators — host the actual networks where real trades clear. Users pick which network to join.
KYC & privacy
Haveno is non-KYC by architecture. There is no signup, no account, no email, no phone number. The client speaks only over Tor; by design, the protocol does not collect IP addresses. Trade peers exchange counterparty payment details — a SEPA IBAN, a cash-meet location — directly through the encrypted P2P layer, and that data lives on the two clients' machines.
The threat surface is the network operator and arbitrator. When a dispute is opened, the arbitrator sees the trade contract and the dispute log. They never see funds — multisig keeps custody with the traders — but they do see counterparty identifiers if the dispute escalates. Picking a reputable network instance matters as much as the protocol itself.
Strengths and limits
The custody model is the strongest point: funds stay in multisig until traders agree, or until two of three keys sign in dispute. Combined with Monero's base-layer privacy, an adversary who subpoenas a single network operator finds no cold wallet to seize and no KYC database to pull. The code is AGPL-3.0 on GitHub; v1.2.3 shipped in February 2026 and the project pushes regular releases.
The limits are real. There is no formal third-party security audit at the time of writing — the codebase is open, but no firm has signed off. Liquidity is offer-driven and uneven outside major fiat pairs. The desktop-only Java client is heavy and slow to onboard. And the third-party-network model means the actual trust level depends on which instance you join, not on the upstream project.
Verdict
For users who want fiat-to-XMR without surrendering identity, Haveno is one of the few architecturally honest options on the table. The third-party-network split keeps upstream maintainers out of regulatory crosshairs at the cost of pushing trust onto whichever instance you connect to. Grade: A (9.0/10). Trust: TRUSTED.



