Bancor Discovers Critical Vulnerability, Hacks Itself to Prevent Theft

Published at: June 18, 2020

The newest release of the Bancor decentralized exchange appears to be vulnerable to a very serious bug that can result in a significant loss of user funds.

According to the tweet posted by Bancor on June 18, the vulnerability affects the latest version of the BancorNetwork smart contract, which was launched on June 16.

Users who traded on Bancor and granted its smart contract a token allowance (a withdrawal approval) are urged to revoke it through a specialized website, approved.zone.

The team revealed that after discovering the vulnerability, they “attacked the contract as a white-hack” to migrate funds at risk to a secure location. Presumably, the team used the aforementioned vulnerability to do so, meaning that an attacker could have drained a significant portion of user funds.

Hex Capital tweeted that the issue resulted from the possibility of calling a “safeTransferFrom” without the proper authorization. The function is not part of the ERC-20 standard itself but a wrapper around its “transferFrom” call, which lets a contract that a user has approved (granted an allowance) pull tokens from that user's balance without further user interaction. If such a wrapper can be called by anyone and accepts arbitrary source and destination addresses, the caller can move the tokens of every user who has approved the contract to wherever they choose.
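To make this class of bug concrete, here is an added illustration in Solidity. It is not Bancor's code and does not reproduce the actual BancorNetwork implementation; the contract names, the `deposit` function and the storage layout are invented for the example. It contrasts a transfer helper that anyone can reach with one that is only reachable through the contract's own entry point.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical contracts written for this article; not Bancor's code.
// Only the subset of ERC-20 that matters here is declared.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Vulnerable pattern. The helper that pulls tokens on the contract's behalf is
// declared `public`. An ERC-20 allowance is granted to the contract itself:
// when this contract calls transferFrom, the token sees msg.sender == address(this).
// So anyone who calls this function can move tokens from any account that has
// approved the contract, to any destination they name.
contract VulnerableNetwork {
    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) public {
        // Real SafeERC20-style helpers also tolerate tokens that return no bool;
        // that detail is omitted here because it does not affect the access bug.
        require(token.transferFrom(from, to, amount), "transferFrom failed");
    }
}

// What an attacker (an ordinary externally owned account, no contract needed) calls:
//   vulnerable.safeTransferFrom(token, victim, attacker,
//                               token.allowance(victim, address(vulnerable)));
// The token checks only that address(vulnerable) was approved by victim, and pays out.
//
// What a user does to close the hole on their side (this is what a revocation
// site automates): token.approve(address(vulnerable), 0);

// Hardened pattern. The helper is `internal`, and the only externally callable
// path hard-codes `from` as msg.sender, so a caller can spend only an
// allowance that they themselves granted.
contract HardenedNetwork {
    // token address => depositor => amount credited (hypothetical bookkeeping)
    mapping(address => mapping(address => uint256)) public deposits;

    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) internal {
        require(token.transferFrom(from, to, amount), "transferFrom failed");
    }

    function deposit(IERC20 token, uint256 amount) external {
        safeTransferFrom(token, msg.sender, address(this), amount);
        deposits[address(token)][msg.sender] += amount;
    }
}
```

The check a reviewer wants for any contract that users approve as a spender: every externally reachable function that ends in `transferFrom` must either fix the `from` argument to `msg.sender` or verify that `msg.sender` is entitled to move that account's funds, and helpers that take `from` as a parameter must be `internal` or `private`.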

Hex Capital speculated that the team was “too late in many cases” to save funds. However, according to an investigation by the 1inch.exchange team, the shortfall is attributable to front-runners rather than to the team's timing.

Front-runners “steal” some of the money

The 1inch.exchange team found at least two publicly known front-runners that began copying the Bancor team's rescue transactions as soon as they started. The front-running bots were set up to take advantage of arbitrage opportunities and were “not able to distinguish arbitrage opportunity from hacking,” the team wrote.

However, all of the front-runners involved have publicly listed contact information, which suggests they would be willing to return the money; one of them has already pledged to do so. The portion that went to the front-runners is significant, though, with the 1inch team writing:

“The Bancor team rescued $409,656 in total and spent 3.94 ETH for gas, while automatic front-runners captured $135,229 and spent 1.92 ETH for gas. Users were charged for $544,885 in total.”

Audits were of no help

In response to the incident, some community members began questioning whether Bancor conducted audits on the new smart contracts. In the announcement for the new 0.6 version, Bancor noted that a “security audit was underway.”

While no further information was available from Bancor, anonymous researcher Frank Topbottom pointed to a note in Bancor's GitHub repository that mentions a security audit by Kanso Labs. The company appears to be based in Tel Aviv, where most of the Bancor team is located as well.

The Bancor team told Cointelegraph that the vulnerability was discovered by a third-party developer soon after launch, similar to how it would work with bug bounties.

As Cointelegraph previously reported, audits are rarely enough to ensure security.
