Bancor, an on-chain liquidity protocol for Ethereum and other blockchains, has discovered a security vulnerability. The team says that upon discovery it used a white-hat attack to migrate all funds at risk to safety, and that all user funds are secure. Trading within the system is now back to normal. (Updated at 14:30 UTC, with the comments from Bancor’s team).
According to the Bancor Network, the vulnerability was discovered last night at midnight, 00:00 UTC, in a new version of the BancorNetwork v0.6 contract, which was deployed just two days ago, on June 16. Since then, a Bancor-controlled address has drained nearly USD 460,000 worth of at-risk user funds, which should be returned to their owners.
Any users who have traded with Bancor during the last 48 hours and granted approvals to the Bancor contract are encouraged to go to approved.zone and revoke all approvals, says the network. For help or questions, the protocol is directing its users to its Telegram group.
The situation was initially reported by Hex Capital. Another Twitter user, defiprime, has now confirmed that the smart contract was audited, redeployed, and all user funds are safe.
Confirmed with the team:
✅A security vulnerability was discovered in the new BancorNetwork v0.6 contract pushed two days ago
✅After discovering the vulnerability we performed a white-hat attack to migrate funds to safety
✅smart contract was audited
✅USER FUNDS ARE SAFU
— defiprime (@defiprime) June 18, 2020
The project’s team also posted an update concerning the incident on the Bancor blog. "After learning of the vulnerability and with funds at risk, our team initiated a white-hat attack using that same vulnerability in order to migrate $455,349 of funds at risk to a safe wallet. A new network contract was then pushed to ensure that an error like this does not recur," wrote Bancor CTO Yudi Levi.
Meanwhile, there was a drop in the price of the network’s native cryptocurrency BNT. It lost approximately 8% of its value in the last 24 hours, going from USD 0.84 to 0.77 at pixel time (14:20 UTC).
The protocol is planning for a major Bancor V2 release next month, and the incident will not affect its launch, Bancor’s Head of Growth, Nathaniel Hindman, told Cryptonews.
"The upcoming Bancor V2 contracts are undergoing rigorous security audits, including audits by Consensys Due Diligence. We do not expect this incident to delay the target release date next month," he added.
Furthermore, Bancor’s BNT is one of the cryptocurrencies recently considered for listing at the major U.S.-based cryptocurrency exchange Coinbase.
The incident has once again prompted harsh comments from decentralized finance (DeFi) critics, as it is not the first DeFi security incident this year. Earlier, in February, an attacker successfully drained USD 142 million and USD 320,000 in a series of attacks involving flash loans. In April, the decentralized finance protocol Lendf.Me also almost lost USD 25.2 million, which was later returned by the hacker.
Here are the full instructions for potentially affected Bancor users:
Whoever used @Bancor directly and gave approvals, go to https://t.co/dFKBmjerYf (our project) and revoke it! DeFi needs more security audits!!! #DeFi https://t.co/Ym0hAPGsHk
— 1inch.exchange (@1inchExchange) June 18, 2020
Another day, another DeFi script kiddie flaw.
Today it’s with @Bancor. pic.twitter.com/AHeHEsMj7a
— Dan Held (@danheld) June 18, 2020
Last week @coinbase announced they’re considering adding support for Bancor.
This week hackers are exploiting a vulnerability in Bancor to steal funds from users.
— Stephen Cole (@sthenc) June 18, 2020
Apparently, @Bancor is being drained by both black and white hats.
I'm guessing most of what was in there was illiquid imaginary assets anyway? pic.twitter.com/a9vSarsSIV
— John Carvalho (@BitcoinErrorLog) June 18, 2020