Decentralized Exchange Bancor Falls Victim to $24 Million Security Breach

A popular decentralized exchange platform, Bancor, recently took to Twitter to announce that the platform fell victim to a security breach, giving further details about the apparent hack.

Bancor Sees $24 Million In Cryptos Stolen

On July 9th at 8 AM (UTC), Bancor released a Tweet noting that its web service would be closed down for maintenance. This announcement, which came out of nowhere, got some users worried, as they wondered what had occurred.

A few hours later, another Tweet was issued bringing clarity to the situation, writing:

“This morning (CEST) Bancor experienced a security breach. No user wallets were compromised. To complete the investigation, we have moved to maintenance and will be releasing a more detailed report shortly. We look forward to being back online as soon as possible.”

According to details released in an update, a wallet used to update smart contracts was compromised by an unnamed attacker. The hacker or group of hackers were able to withdraw 24,984 ETH, along with two ERC-20 tokens, which are NXPS and the in-house BNT.

The total amount of funds stolen amounted to $24 million, but the update stressed that no user wallets were compromised.

Acting quickly, the team at the exchange utilized code in the BNT smart contract that allowed for them to freeze the stolen tokens. The update noted:

“Once the theft was identified, we were able to freeze the stolen BNT, limiting the damage to the Bancor ecosystem from the theft.”

Adding that this function was only meant to be used in “an extreme situation,” like the one seen just recently. The exchange was unable to take control of the ETH or NXPS tokens but the update made it clear that the platform is working with “dozens of cryptocurrency exchanges” to trace the stolen funds, and possibly identify the hacker(s).

Bancor has become one of the most prominent decentralized exchange (DEX) platforms in the industry, raising $153 million in an ICO last year. The exchange has consistently posted volume figures that mirror and even surpass other premier DEX platforms, allowing for its users to participate in a decentralized trading environment.

However, this seemingly devastating hack brings Bancor’s security protocols and systems into question. Emin Gun Sirer, a professor at Cornell University and co-director of the IC3 cryptocurrency initiative, criticized the operations security (op-sec) methods which Bancor utilized in their smart contract, writing:

“This looks like a straightforward case of bad opsec at Bancor, instead of a more worrisome flaw in their core contract.”

Sirer posted another Tweet in the same thread that pointed out that there were some aspects of central control written into the smart contract.

Although it was mostly well-received that Bancor was able to mitigate damage by using a feature on its smart contract, others reminisced back to the DAO situation with Ethereum. Although the Ethereum/Ethereum Classic situation was under vastly different conditions, users still brought up the question, “Should a decentralized platform have emergency functions written in to mitigate the risk of hack attempts?”

Charlie Lee went on Twitter to express his disbelief about the “false sense of decentralization” Bancor was pushing, as a true DEX should not be allowed to freeze user funds. The platform implied that it only had the best intentions, but the debate around this pressing topic will continue, especially as this situation unfolds further.

As of the time of press, BNT has fallen by 14% on the day, underperforming Bitcoin by 13%. But since its fall on the announcement of the hack, BNT has found a home at ~$2.65, holding at that level for the time being.

 

Image from Shutterstock

Source