Bancor releases smart contract security hole, hacks self, only loses a few hundred thousand dollars of user funds

Bancor is an ICO token from 2017 that I mentioned in chapter 9 of the book. They sold $144 million of tokens in one day when the crypto bubble was in full swing, and clogged the Ethereum network to unusability.

Bancor has since developed into a DeFi (decentralised finance) platform — somewhere for traders to kill each other at ridiculous risk in a zero-sum battle to the death, with the promise of stupendous interest rates.

Last week, Bancor was going to be listed on Coinbase — with a huge pile of other zombie altcoins — and Michael Novogratz of Galaxy Digital was shilling Bancor. [Twitter]

This morning, Bancor was being drained by a hacker. [Twitter]



The security hole

Bancor lets a user approve Bancor to spend their tokens for them, so as to execute a convoluted DeFi transaction.

Version 0.6 of the Bancor smart contract, pushed 16 June, had an ill-authenticated safeTransferFrom() function — if the target has approved Bancor to spend their tokens, then a hacker can impersonate the Bancor contract to transfer the target’s assets to an arbitrary address. [Twitter]

Bancor say they conducted a white-hat attack on their own contract to move all user funds away. They’ve stated that all user funds are safe. [Twitter]

Current reports are that user funds were not all safe — such as $135,000 of Bancor that was transferred to non-Bancor addresses. 1inch found that an arbitrage bot was front-running Bancor’s “rescue” transactions. One such front-runner has said they will be returning the funds. [Twitter; Medium; Etherscan]

If you’re a user who approved Bancor, they strongly suggest that you go to their site and revoke your approval. []

The “S” in DeFi stands for “Secure”

Emin Gün Sirer called out Bancor’s blitheringly incompetent smart contract coding in detail in 2017. “20. Bancor reimplemented math.” [Hacking Distributed, 2017]

Sirer doesn’t bother much with ICO code these days — he has a real project, Ava — but I asked him at the time how ICO code compared to code from his undergraduate students, and he said it was worse.

Bancor was hacked for $23.5 million in tokens in 2018. They’d left an administrative back door open — and the attackers got in through that. [Business Insider, 2018; Twitter]

Bancor also runs a US dollar stablecoin backed by Bancor tokens — the USDB. Nomics rates it D for transparency, and the last listed price I saw was 87 cents. [Nomics]

Smart contract coding is hard. If you do it to this standard, you should expect to get hacked over and over. DeFi is especially risky for this — as everyone rushes to be first to the market.

Like all of DeFi, anyone who puts their money into this fully earns everything that happens to them.

Become a Patron!

Your subscriptions keep this site going. Sign up today!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.