Bancor is an ICO token from 2017 that I mentioned in chapter 9 of the book. They sold $144 million of tokens in one day when the crypto bubble was in full swing, and clogged the Ethereum network to unusability.
Bancor has since developed into a DeFi (decentralised finance) platform — somewhere for traders to kill each other at ridiculous risk in a zero-sum battle to the death, with the promise of stupendous interest rates.
Last week, Bancor was going to be listed on Coinbase — with a huge pile of other zombie altcoins — and Michael Novogratz of Galaxy Digital was shilling Bancor. [Twitter]
This morning, Bancor was being drained by a hacker. [Twitter]
The security hole
Bancor lets a user approve Bancor to spend their tokens for them, so as to execute a convoluted DeFi transaction.
Version 0.6 of the Bancor smart contract, pushed 16 June, had an ill-authenticated safeTransferFrom() function — if the target has approved Bancor to spend their tokens, then a hacker can impersonate the Bancor contract to transfer the target’s assets to an arbitrary address. [Twitter]
Bancor say they conducted a white-hat attack on their own contract to move all user funds away. They’ve stated that all user funds are safe. [Twitter]
Current reports are that user funds were not all safe — such as $135,000 of Bancor that was transferred to non-Bancor addresses. 1inch found that an arbitrage bot was front-running Bancor’s “rescue” transactions. One such front-runner has said they will be returning the funds. [Twitter; Medium; Etherscan]
If you’re a user who approved Bancor, they strongly suggest that you go to their site and revoke your approval. [approved.zone]
The “S” in DeFi stands for “Secure”
Emin Gün Sirer called out Bancor’s blitheringly incompetent smart contract coding in detail in 2017. “20. Bancor reimplemented math.” [Hacking Distributed, 2017]
Sirer doesn’t bother much with ICO code these days — he has a real project, Ava — but I asked him at the time how ICO code compared to code from his undergraduate students, and he said it was worse.
Bancor was hacked for $23.5 million in tokens in 2018. They’d left an administrative back door open — and the attackers got in through that. [Business Insider, 2018; Twitter]
Bancor also runs a US dollar stablecoin backed by Bancor tokens — the USDB. Nomics rates it D for transparency, and the last listed price I saw was 87 cents. [Nomics]
Smart contract coding is hard. If you do it to this standard, you should expect to get hacked over and over. DeFi is especially risky for this — as everyone rushes to be first to the market.
Like all of DeFi, anyone who puts their money into this fully earns everything that happens to them.
Your subscriptions keep this site going. Sign up today!