- A Bancor hack has seen some $545,000 in user funds lost
- Bancor hacked itself to prevent further losses following a protocol upgrade
- Bancor lost $23.5 million worth of tokens in a 2018 hack
Bancor has suffered a second security vulnerability in as many years and may have lost around $545,000 in user funds. The cryptocurrency liquidity provider reported that a vulnerability in its new protocol allowed hackers to gain access to user wallets, with users already reporting that they have lost thousands of BNT tokens. In 2018, the protocol suffered a huge hack that saw $23.5 million worth of tokens stolen from the platform.
Bancor Hack Due to Bug in New Protocol
News of the Bancor hack emerged yesterday when the team tweeted that a vulnerability had been discovered after the deployment of the BancorNetwork v0.6 contract the day before:
Last night, a vulnerability was discovered in a new version of the BancorNetwork v0.6 contract deployed on June 16 2020.
Any users who have traded with Bancor in the last 48hrs and given approvals to the Bancor contract, go to https://t.co/bCdpVtfPOC and revoke all approvals.
— Bancor (@Bancor) June 18, 2020
The team acted quickly once the vulnerability was discovered, conducting a self-hack in order to migrate at-risk funds into other wallets and minimize the damage. Some user funds are known to have been lost, but the team's intervention certainly limited the damage, with decentralized exchange aggregator 1inch calculating the figures:
…the Bancor team spent 3.94 ETH to rescue $410,194 of user funds, and the automatic front-runners spent 1.92 ETH to grab $135,229 of user funds. User wallets were drained for $545,423 in total.
Indeed, it didn’t take long for users to report missing funds:
I have lost more than 10,000 BNT,
How did it back to my account?
— moremore (@moremor91798033) June 18, 2020
Infinite Approvals of ERC20 Token Swaps
Because of the vulnerability in the upgrade, Bancor users who conducted a direct swap of their ERC20 tokens soon after the upgrade was deployed made infinite approvals of their tokens. The smart contracts also had a public method that allowed anyone to use these approvals to steal user funds, which they clearly did. It remains unsafe for users to hold tokens in their wallets until they cancel their infinite approvals, and Bancor has provided instructions on how to do this.
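The interaction described above can be modelled in a few lines. This is an added example, not Bancor's code: the Token and Router classes, the method names pull_public and pull_checked, and the accounts alice and mallory are all hypothetical, and it shows why an infinite approval plus an unrestricted public method exposes the whole balance, and why revoking the approval closes the hole.

```python
# Toy in-memory model of ERC20 allowances (constructed; names are hypothetical, not Bancor's code).
MAX_UINT256 = 2**256 - 1  # the amount used for an "infinite" approval

class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> approved amount

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        # ERC20 rule: the caller (spender) may move at most what the owner approved.
        allowed = self.allowance.get((owner, caller), 0)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise PermissionError("insufficient allowance or balance")
        self.allowance[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class Router:  # hypothetical swap contract that users have approved as spender
    address = "router"

    def __init__(self, token):
        self.token = token

    def pull_public(self, msg_sender, owner, to, amount):
        # Flawed: msg_sender is ignored, so any caller chooses `owner` and `to`.
        self.token.transfer_from(self.address, owner, to, amount)

    def pull_checked(self, msg_sender, owner, to, amount):
        # Hardened: only the token owner can direct a pull from their own wallet.
        if msg_sender != owner:
            raise PermissionError("caller is not the token owner")
        self.token.transfer_from(self.address, owner, to, amount)


def scenario(revoke_first, pull="pull_public"):
    """Return alice's balance after a third party calls the router."""
    token = Token({"alice": 10_000})
    router = Router(token)
    token.approve("alice", router.address, MAX_UINT256)
    if revoke_first:
        token.approve("alice", router.address, 0)  # what "revoke approvals" does
    try:
        getattr(router, pull)("mallory", "alice", "mallory", 10_000)
    except PermissionError:
        pass
    return token.balances["alice"]
```

With the approval still in place the unrestricted method empties the wallet; after an approve of 0, or with the caller check, the balance is untouched.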
This Bancor hack is the second the network has suffered in two years, although thankfully it was on a far smaller scale than 2018's hack, which saw $23.5 million worth of cryptocurrency tokens stolen.