Bancor Breach Exposes Latest DeFi Exploit

According to a tweet by on-chain liquidity platform Bancor [@Bancor], in the early hours of June 18, a vulnerability was discovered in the latest version of the network’s smart contracts:

Last night at 12:00AM GMT, a vulnerability was discovered in a new version of the BancorNetwork v0.6 smart contract deployed on June 16 2020. All user funds are safe.

The platform added that it has deployed a new version of the BancorNetwork contract that fixes the vulnerability. There were no further updates on the platform website or twitter feed at the time of press, however, a message on the Bancor Telegram group reassured users that all funds were safe. Hex Capital [@Hex_Capital] delved into the mystery and discovered a target address that a substantial amount of user funds may have been diverted into,

Looks like a bancor-controlled address drained $460k of at-risk user funds to [address]. What is the plan for returning that, and how much user funds were lost to attackers?

Business director at Kraken, Dan Held [@danheld], was quick to stick the digital knife in, tweeting ‘Another day, another DeFi script kiddie flaw.’ While industry observer and investor, Stephen Cole [@sthenc], added;

Last week coinbase announced they’re considering adding support for Bancor. This week hackers are exploiting a vulnerability in Bancor to steal funds from users.

DeFi Funds Drained?

According to Defi Pulse, the total value locked in USD on the Bancor platform has slumped from $19 million to $14.5 million over the past two days, but it remains to be seen if this is related to the digital incursion.

Users may have gotten jittery over the breach and are possibly withdrawing funds from the platform, fearing further exploits. The decline is not in line with the rest of the DeFi market which has actually increased by $50 million over the past 24 hours. The DeFi analytics website reports that Bancor is the ninth-most popular platform in the industry which had a total value lockup of around $20 million over the previous weekend. Industry analysis provider Defiprime [@defiprime] updated the situation stating that a white-hat attack to migrate funds to safety was performed after the discovery of the vulnerability. It added that the smart contract was audited and confirmed that user funds are safe. Hex Capital disputed that claim highlighting another spurious transaction, adding;

Not all user funds were migrated safely. See this tx by a non-Bancor controlled address draining nearly $100k of user funds in BNT

Bancor Smart Contract Upgrade

While details are thin on the ground at the moment, the vulnerability appears to have stemmed from a recent upgrade to Bancor’s smart contracts. In preparation for an upcoming release of Bancor V2, the platform introduced a protocol upgrade to version 0.6 for its smart contracts on Ethereum. In an announcement in late May, Bancor highlighted the changes to its protocol which included a major reduction of 30% on average to gas costs, a new liquidity pool creation process, a new software development kit (SDK), and a simplified smart contract interface. Bancor launched the web interface for its decentralized exchange in October 2017 following a record-breaking ICO in June the same year. It has a native token called Bancor Network Token (BNT), which serves as a ‘Smart Token hub’ connecting all other tokens on the Bancor Network. The platform employs an algorithmic market-making mechanism through the use of these ‘Smart Tokens,’ which ensures liquidity and accurate prices by maintaining a fixed ratio to connected tokens such as ETH. At the time of press, BNT had slumped 10% on the day.

Previous DeFi Exploits

This latest exploit is not the first for the budding DeFi industry, and it will most likely not be the last. However, that did not prevent the specter of crypto-tribalism rearing its ugly head once again. In April this year, the Chinese DeFi lending platform lendf.me had to hit the pause button when $25 million was pilfered from one of its smart contracts. A vulnerability in the ERC-777 token standard led to the exploitation and the loss of funds. Earlier in the year, the bZx DeFi protocol saw just under $1 million stolen in what was labeled an ‘oracle manipulation attack.’ Two separate attacks enabled a hacker to carry out a ‘flash loan,’ exploiting the platform with a smart contract that borrows funds with no collateral and pays them back in the same transaction. There will always be detractors to new technology and systems, and those who prefer to focus on its weaknesses as opposed to working on making it stronger and more resilient to such exploits. As the DeFi ecosystem evolves, these ‘teething problems’ will be ironed out, and new ‘smarter’ platforms will emerge. If anything, these exploits battle-harden DeFi and foster innovation and evolution. This year has been a testament to DeFi growth and the demand for the Ethereum that powers it. A few bumps in the digital road to a decentralized financial future are to be expected.