The newest release of the Bancor decentralized exchange appears to be vulnerable to a very serious bug that can result in a significant loss of user funds.
According to the tweet posted by Bancor on June 18, the vulnerability affects the latest version of the BancorNetwork smart contract, which was launched on June 16.
Users who traded on Bancor and gave a withdrawal approval to its smart contract are urged to revoke it through a specialized website, approved.zone.
The team revealed that after discovering the vulnerability, they “attacked the contract as a white-hack” to migrate funds at risk to a secure location. Presumably, the team used the aforementioned vulnerability to do so, meaning that an attacker could have drained a significant portion of user funds.
Hex Capital tweeted that the issue resulted from the possibility of calling a “safeTransferFrom” without the proper authorization. This function is one of the key elements of the ERC-20 contract, as it allows a smart contract to withdraw a certain allowance without requiring user interaction.
Hex Capital speculated that the team was “too late in many cases” to save funds. However, according to an investigation by the 1inch.exchange team, this is to blame on front-runners.
Front-runners “steal” some of the money
The 1inch.exchange team found at least two publicly known front-runners that began copying the Bancor’s team transactions as soon as they began. The front-running bots were set up to take advantage of arbitrage opportunities, and were “not able to distinguish arbitrage opportunity from hacking,” the team wrote.
However, all of the front-runners who joined have publicly listed contact information, which should mean that they would be willing to return the money. One of the front-runners already pledged to return the money. The portion that went to the front-runners is significant though, with the 1inch team writing:
“The Bancor team rescued $409,656 in total and spent 3.94 ETH for gas, while automatic front-runners captured $135,229 and spent 1.92 ETH for gas. Users were charged for $544,885 in total.”
Audits were of no help
In response to the incident, some community members began questioning whether Bancor conducted audits on the new smart contracts. In the announcement for the new 0.6 version, Bancor noted that a “security audit was underway.”
While no more information was available, anonymous researcher Frank Topbottom reported a finding from its GitHub repository, which mentioned a security audit by Kanso Labs. The company appears to be based in Tel Aviv, where most of the Bancor team is located as well.
The Bancor team told Cointelegraph that the vulnerability was discovered by a third-party developer soon after launch, similar to how it would work with bug bounties.
As Cointelegraph previously reported, audits are rarely enough to ensure security.