DEX protocol Bancor suffered security vulnerability, migrated $455K worth of user funds

Quick Take

  • DEX protocol Bancor suffered a security vulnerability yesterday, which could have put $455K worth of user funds at risk
  • But Bancor soon fixed the issue and saved the funds via a white-hat attack
  • There was a bug in Bancor’s latest smart contracts

Decentralized exchange (DEX) protocol Bancor Network suffered a security vulnerability late Wednesday, which could have resulted in a loss of around $455,349 worth of user funds. But Bancor soon discovered the issue and migrated the funds to a safe wallet.

Specifically, there was a bug in Bancor’s latest smart contracts, which were deployed two days ago. As a result, all users who interacted with the exchange protocol in the last 48 hours were affected.

“Due to the recent vulnerability uncovered in v0.6 contracts, if you traded with Bancor contracts in the past 48h, go to https://approved.zone/ and revoke any approvals from the affected Bancor contract addresses,” said Bancor in its official Telegram channel late Wednesday.

The vulnerability was “critical,” Anton Bukov, CTO of DEX aggregator 1inch.exchange, told The Block. The smart contracts had a public method that allowed anyone to use “infinite approves” to steal user funds, said Bukov. An infinite approve is an ERC-20 allowance that permits an approved address to move an unlimited amount of tokens out of another wallet.

Indeed, Bancor said in a detailed blog post earlier today that v0.6 contracts “mistakenly made a safeTransferFrom function in the BancorNetwork contract public.”

“Exchange smart contracts like Bancor’s use allowance to interact with user wallets. This is a common practice used by most DAPPs. But in this case, a private function that should have been restricted to the contract alone was made public. This essentially allowed anyone to transfer tokens which were approved only for the contract to transfer,” it added.
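The visibility slip Bancor describes, shown as an added illustration that is not Bancor’s code: a constructed exchange contract whose safeTransferFrom wrapper is public, beside a version where the wrapper is private and the only entry point pulls tokens from msg.sender. The contract and function names (VulnerableExchange, HardenedExchange, convert) are invented for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 interface: only the call this example needs.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// VULNERABLE pattern (constructed example, not Bancor's code).
// Users approve this contract to spend their tokens so it can perform trades.
// Because the wrapper is `public` and takes `from` as an argument, ANY caller
// can move tokens out of ANY wallet that has granted this contract an allowance.
contract VulnerableExchange {
    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) public {
        require(token.transferFrom(from, to, amount), "ERC20: transferFrom failed");
    }
}

// HARDENED pattern: the wrapper is `private`, and the single external entry
// point always passes msg.sender as `from`, so an allowance granted to this
// contract can only ever be spent on the approving user's own behalf.
contract HardenedExchange {
    function convert(IERC20 token, uint256 amount) external {
        safeTransferFrom(token, msg.sender, address(this), amount);
        // ... conversion logic would follow here ...
    }

    // Restricted to this contract; no outside caller can choose `from`.
    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) private {
        require(token.transferFrom(from, to, amount), "ERC20: transferFrom failed");
    }
}
```

The review check this suggests is to audit every function that forwards transferFrom with a caller-supplied from address and confirm it is internal or private, or that from is bound to msg.sender; static analyzers such as Slither flag the pattern (its arbitrary-send-erc20 detector). On the user side, the remediation in Bancor’s Telegram notice amounts to calling the token’s approve(spender, 0) for each affected contract address, which zeroes the outstanding allowance.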

Bancor assured that no user funds are at risk from the vulnerability as it initiated a white-hat attack and migrated $455,349 worth of funds to a safe wallet.

“A new network contract was then pushed to ensure that an error like this does not recur. Trading within the system is now back to normal,” it added.

While Bancor initiated the white-hat activity, two arbitrage bots detected the incoming transactions and front-ran Bancor, taking profits of $135,229. Bancor said it is in contact with the owners of these bots and is working with them to return the amounts in exchange for a bug bounty.

Bukov told The Block that the two bots or automatic front-runners are [email protected] and [email protected]. It remains to be seen whether these bots return the funds to Bancor.

This is not the first time Bancor has suffered a vulnerability. In 2018, it was hacked and lost a net $13.5 million worth of funds held in several converter contracts: $23.5 million was initially taken, but around $10 million was recovered.

Correction: Bancor told The Block it did not suffer a hack in 2019, as previously mentioned.

© 2023 The Block. All Rights Reserved.

About Author

Yogita Khatri is a senior reporter at The Block, covering all things crypto. As one of the earliest team members, Yogita has played a pivotal role in breaking numerous stories, exclusives and scoops. With nearly 3,000 articles under her belt, Yogita holds the records as The Block's most-published and most-read author of all time. Prior to joining The Block, Yogita worked at crypto publication CoinDesk and The Economic Times, where she wrote on personal finance. For her latest work, follow her on X @Yogita_Khatri5.