{"id":16571,"date":"2020-06-18T17:03:42","date_gmt":"2020-06-18T17:03:42","guid":{"rendered":"https:\/\/davidgerard.co.uk\/blockchain\/?p=16571"},"modified":"2020-10-02T10:58:23","modified_gmt":"2020-10-02T10:58:23","slug":"bancor-releases-smart-contract-security-hole-hacks-self-only-loses-a-few-hundred-thousand-dollars-of-user-funds","status":"publish","type":"post","link":"https:\/\/davidgerard.co.uk\/blockchain\/2020\/06\/18\/bancor-releases-smart-contract-security-hole-hacks-self-only-loses-a-few-hundred-thousand-dollars-of-user-funds\/","title":{"rendered":"Bancor releases smart contract security hole, hacks self, only loses a few hundred thousand dollars of user funds"},"content":{"rendered":"

Bancor is an ICO token from 2017 that I mentioned<\/a> in chapter 9 of the book.<\/a> They sold $144 million of tokens in one day when the crypto bubble was in full swing, and clogged the Ethereum network to unusability.<\/p>\n

Bancor has since developed into a DeFi (decentralised finance) platform \u2014 somewhere for traders to kill each other at ridiculous risk in a zero-sum battle to the death,<\/a> with the promise of stupendous interest rates.<\/p>\n

Last week, Bancor was going to be listed on Coinbase<\/a> \u2014 with a huge pile of other zombie altcoins \u2014 and Michael Novogratz of Galaxy Digital was shilling Bancor. [Twitter<\/i><\/a>]<\/p>\n

This morning, Bancor was being drained by a hacker. [Twitter<\/i><\/a>]<\/p>\n

 <\/p>\n

\"\"<\/a><\/p>\n

 <\/p>\n

The security hole<\/h3>\n

Bancor lets a user approve Bancor to spend their tokens for them, so as to execute a convoluted DeFi transaction.<\/p>\n

Version 0.6 of the Bancor smart contract, pushed 16 June, had an ill-authenticated safeTransferFrom()<\/code> function \u2014 if the target has approved Bancor to spend their tokens, then a hacker can impersonate the Bancor contract to transfer the target’s assets to an arbitrary address. [Twitter<\/i><\/a>]<\/p>\n

Bancor say they conducted a white-hat attack on their own contract to move all user funds away. They’ve stated that all user funds are safe. [Twitter<\/i><\/a>]<\/p>\n

Current reports are that user funds were not<\/i> all safe \u2014 such as $135,000 of Bancor that was transferred to non-Bancor addresses. 1inch found that an arbitrage bot was front-running Bancor’s “rescue” transactions. One such front-runner has said they will be returning the funds. [Twitter<\/i><\/a>; <\/i>Medium<\/i><\/a>; <\/i>Etherscan<\/i><\/a>]<\/p>\n

If you’re a user who approved Bancor, they strongly suggest that you go to their site and revoke your approval. [approved.zone<\/i><\/a>]<\/p>\n

The “S” in DeFi stands for “Secure”<\/h3>\n

Emin G\u00fcn Sirer called out Bancor’s blitheringly incompetent smart contract coding in detail in 2017. “20. Bancor reimplemented math.” [Hacking Distributed<\/i><\/a>, 2017<\/i>]<\/p>\n

Sirer doesn’t bother much with ICO code these days \u2014 he has a real project, Ava \u2014 but I asked him at the time how ICO code compared to code from his undergraduate students, and he said it was worse.<\/p>\n

Bancor was hacked for $23.5 million in tokens in 2018. They’d left an administrative back door open \u2014 and the attackers got in through that. [Business Insider<\/a>, 2018; Twitter<\/a><\/em>]<\/p>\n

Bancor also runs a US dollar stablecoin backed by Bancor tokens \u2014 the USDB. Nomics rates it D for transparency, and the last listed price I saw was 87 cents. [Nomics<\/i><\/a>]<\/p>\n

Smart contract coding is hard.<\/em> If you do it to this standard, you should expect to get hacked over and over. DeFi is especially risky for this<\/a>\u00a0\u2014 as everyone rushes to be first to the market.<\/p>\n

Like all of DeFi, anyone who puts their money into this fully earns everything that happens to them.<\/p>\n

\"Become<\/a>

Your subscriptions keep this site going. Sign up today!<\/a><\/i><\/p><\/div>","protected":false},"excerpt":{"rendered":"

“20. Bancor reimplemented math.”<\/p>\n","protected":false},"author":1,"featured_media":17469,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[147,1552,215,9,83],"class_list":["post-16571","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorised","tag-bancor","tag-defi","tag-emin-gun-sirer","tag-ico","tag-smart-contract"],"jetpack_featured_media_url":"https:\/\/davidgerard.co.uk\/blockchain\/wp-content\/uploads\/2020\/06\/bancor-bnt-logo-header.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/posts\/16571","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/comments?post=16571"}],"version-history":[{"count":16,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/posts\/16571\/revisions"}],"predecessor-version":[{"id":17468,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/posts\/16571\/revisions\/17468"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/media\/17469"}],"wp:attachment":[{"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/media?parent=16571"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/categories?post=16571"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/tags?post=16571"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}