$585 000 USD
DESCRIPTION OF EVENTS
"The Bancor Network is a cross-chain cryptocurrency conversion platform that lets you convert between Ethereum and EOS tokens (others are in the works) without the need of a middleman or other third party. Bancor Network Token (BNT) is the intermediary token used by Bancor to initiate exchanges. It’s both an ERC-20 token and EOS token."
"Bancor, an app focused on asset swaps and conducted one of the largest ICOs of 2017, self-hacked to fix a critical vulnerability." "[W]arnings about the new exploit had been floating around since Mar. 2020." "Bancor's Telegram group calls users to check their approvals for the flawed contracts and decline them."
"A contract does not need to be malicious to steal all your funds. It can be just be buggy. In this case, there as no authentication of the `from` address."
"According to the Bancor Network, the vulnerability was discovered last night at midnight, 00:00 UTC, in a new version of the BancorNetwork v0.6 contract, which was deployed just two days ago, on June 16. Since then, Bancor-controlled address drained nearly USD 460,000 worth of user funds at risk that should be returned to their owners."
"As a result of one of the system’s updates, users who interacted with the upgraded smart contract could lose their funds." "Bancor team may move the *current* funds to another wallet, but can't cancel the allowance. So whenever such an address would receive such a token again, it's money on the floor."
"$545,000 were at risk, but the Bancor team initiated a hack themselves to protect assets." "Looks like they are trying to white-hat drain user funds before someone else can, but it appears they are/were too late in many cases." "Any users who have traded with Bancor during the last 48 hours and granted approvals to the Bancor contract are encouraged to go to approved.zone and revoke all approvals, says the network. In case of help or questions, the protocol is redirecting its users to its Telegram group."
"Besides the team, however, other white-hat hackers managed to drain over $130,000. Bancor got lucky, as it could have been malicious actors."
"The protocol is planning for a major Bancor V2 release next month, and the incident will not affect its launch, Bancor's Head of Growth, Nathaniel Hindman, told Cryptonews." "Bancor’s BNT is one of the cryptocurrencies recently considered for listing at a major U.S.-based cryptocurrency exchange Coinbase."
An exploit existed in the Bancor smart contract caused by a missing authentication of the "from" address in a "safe" transfer function. The exploit was exposed in March of 2020. Finally, in June 2020, a white hat hacker exploited it, prompting Bancor to exploit the remaining funds themselves.
The white hat returned the funds, and Bancor disbursed all funds back to affected users.
HOW COULD THIS HAVE BEEN PREVENTED?
Users should not be granting unlimited approvals to any smart contract, or should use a separate wallet for each smart contract with only those funds they are actively using.
Smart contracts should have 2 security audits from independent services, and a third after 6 months of operation. An industry insurance fund should be established to assist users and compensate losses in the event of failure. During the early development stages, until the market is willing to underwrite the entire balance, the vast majority of funds should be stored offline in a multi-signature treasury wallet.
Millions Lost: The Top 19 DeFi Cryptocurrency Hacks of 2020 | Crypto Briefing (May 21)
What Is Bancor Network Token? Introduction to BNT Token | Crypto Briefing (May 22)
Bancor Network Hack 2020 (May 26)
Bancor releases smart contract security hole, hacks self, only loses a few hundred thousand dollars of user funds – Attack of the 50 Foot Blockchain (May 26)
Bancor Discovers Security Vulnerability, Drains USD 460,000 Of User Funds (UPDATED) (May 27)
@davidgerard Twitter (May 27)
@defiprime Twitter (May 29)
DEX protocol Bancor suffered security vulnerability, migrated $455K worth of user funds (May 30)
Bancor Smart Contracts Vulnerability And Its Lessons (May 30)
Victim of Critical Vulnerability, Bancor decides to "self-hack" - Cryptocurrencies - Personal Financial (May 30)
What are the possible security risks of unlimited token authorization? • Blockcast.cc- News on Blockchain, DLT, Cryptocurrency (Jun 19)
CipherTrace Cryptocurrency Crime and Anti-Money Laundering Report 2020 (Jun 19)
SlowMist Hacked - SlowMist Zone (May 17)
List of Ethereum Smart Contracts Post-Mortems - Security - OpenZeppelin Community (Jun 22)
@amanusk_ Twitter (Jul 24)
baDAPProve: DeFi’s Security Issue Explained - ZenGo (Jul 24)
@amanusk_ Twitter (Jul 24)
@odedleiba Twitter (Jul 24)
@defiprime Twitter (Jul 24)
@Hex_Capital Twitter (Jul 24)
https://etherscan.io/address/0xc8021b971e69e60c5deede19528b33dcd52cdbd8 (Jul 24)
Badapprove Defis Open Secret Security Issue And How Zengo Solves It (Jul 24)