A popular decentralized exchange platform, Bancor, recently took to Twitter to announce that the platform fell victim to a security breach, giving further details about the apparent hack.
Bancor Sees $24 Million In Cryptos StolenOn July 9th at 8 AM (UTC), Bancor released a Tweet noting that its web service would be closed down for maintenance. This announcement, which came out of nowhere, got some users worried, as they wondered what had occurred.
A few hours later, another Tweet was issued bringing clarity to the situation, writing:
“This morning (CEST) Bancor experienced a security breach. No user wallets were compromised. To complete the investigation, we have moved to maintenance and will be releasing a more detailed report shortly. We look forward to being back online as soon as possible.”
According to details released in an update, a wallet used to update smart contracts was compromised by an unnamed attacker. The hacker or group of hackers were able to withdraw 24,984 ETH, along with two ERC-20 tokens, which are NXPS and the in-house BNT.
The total amount of funds stolen amounted to $24 million, but the update stressed that no user wallets were compromised.
Here is the latest update on the recent security breach: pic.twitter.com/JroypFvBri
— Bancor (@Bancor) July 9, 2018
Acting quickly, the team at the exchange utilized code in the BNT smart contract that allowed for them to freeze the stolen tokens. The update noted:
“Once the theft was identified, we were able to freeze the stolen BNT, limiting the damage to the Bancor ecosystem from the theft.”
Adding that this function was only meant to be used in “an extreme situation,” like the one seen just recently. The exchange was unable to take control of the ETH or NXPS tokens but the update made it clear that the platform is working with “dozens of cryptocurrency exchanges” to trace the stolen funds, and possibly identify the hacker(s).
Bancor has become one of the most prominent decentralized exchange (DEX) platforms in the industry, raising $153 million in an ICO last year. The exchange has consistently posted volume figures that mirror and even surpass other premier DEX platforms, allowing for its users to participate in a decentralized trading environment.
However, this seemingly devastating hack brings Bancor’s security protocols and systems into question. Emin Gun Sirer, a professor at Cornell University and co-director of the IC3 cryptocurrency initiative, criticized the operations security (op-sec) methods which Bancor utilized in their smart contract, writing:
“This looks like a straightforward case of bad opsec at Bancor, instead of a more worrisome flaw in their core contract.”
Sirer posted another Tweet in the same thread that pointed out that there were some aspects of central control written into the smart contract.
Of course, the Bancor contract should not have been centrally controllable to this degree. And the core contract should probably have had some rate limits built into it to avoid sudden drains like this.
— Emin Gün Sirer (@el33th4xor) July 9, 2018
Although it was mostly well-received that Bancor was able to mitigate damage by using a feature on its smart contract, others reminisced back to the DAO situation with Ethereum. Although the Ethereum/Ethereum Classic situation was under vastly different conditions, users still brought up the question, “Should a decentralized platform have emergency functions written in to mitigate the risk of hack attempts?”
A Bancor wallet got hacked and that wallet has the ability to steal coins out of their own smart contracts.