- Bancor just detected and fixed a flaw in the latest version of its Bancor Network smart contract.
- The flaw could have allowed anybody to drain the wallet of anybody else that invoked the contract.
- Warnings about this particular exploit have been floating around for almost three months now.
The team behind Bancor, a DeFi blockchain protocol designed to facilitate cross-chain cryptocurrency swaps, just resolved a potentially damaging bug in its latest smart contract update. A smart contract is a piece of code running on a blockchain.
The bug could have allowed hackers to drain the balance of any account that interacted with the latest version of the Bancor Network smart contract. The issue was so bad, it could have resulted in complete loss of funds to anybody that invoked the faulty version of the contract.
Luckily, a crisis was averted. Bancor, and two other anonymous agents, managed to extract $545,000 of vulnerable funds before any malicious hackers appeared.
We have reached out to Bancor and will update this article if we hear back.
Preventing the attack
The flaw was discovered by Bancor at midnight, which quickly warned its community about the issue, and deployed a new version of the smart contract that fixes the vulnerability.
"Last night at 12:00AM GMT, a vulnerability was discovered in a new version of the BancorNetwork v0.6 smart contract deployed on June 16 2020," Bancor posted on its official Telegram group.
As an immediate response to the issue, Bancor drained $410,000 worth of tokens from vulnerable wallets through a series of batched transactions.
According to a report by the popular decentralized exchange aggregator 1inch, a number of front-runners also began draining vulnerable wallets. One, which 1inch confirmed was a friendly actor, extracted around $132,000 in tokens, while another drained just north of $3,000. It is hoped that they will return the funds to the Bancor team.
"The bug was first exploited by the Bancor Network team to protect user funds from theft. Seconds later, automatic front-runners noticed high-profit transactions and joined the opportunity. During the night more than $500,000 of user funds were drained from user wallets by the Bancor team and two automatic front-runners,” Anton Bukov, CTO of 1inch, told Decrypt.
Last night, a vulnerability was discovered in a new version of the BancorNetwork v0.6 contract deployed on June 16 2020.
Any users who has traded with Bancor in the last 48hrs and given approvals to the Bancor contract, go to https://t.co/bCdpVtfPOC and revoke all approvals.
— Bancor (@Bancor) June 18, 2020
“Automatic front-runners provided emails for communication for such cases, and we believe they are likely to return stolen funds. It is still unsafe for victim-wallets to store tokens, they need first revoke ERC20 approvals using the method outlined by Bancor," he added.
So far, there is no indication that the exploit has been used by malicious actors to steal user funds.
Early warning signs
Bancor first detected and responded to the bug this morning, but early warning signs for this particular type of exploit have been floating around since March.
#BaDAPProve: 3 months ago we @ZenGo warned about it. Today it happened @Bancor.https://t.co/j52C0DFg9y
"if the DApp is vulnerable to a security issue attackers can abuse these highly excessive privileges to steal ALL of the DApp’s users holdings" https://t.co/nvyLbbZkS5 pic.twitter.com/5FFnRzsqI6
— Tal Be'ery (@TalBeerySec) June 18, 2020
According to Tal Be'ery, a security research manager and co-founder of ZenGo, his team warned about the risks of approval exploits—like the one suffered by Bancor—three months ago.
"In almost every DApp, when the user connects to it, they unknowingly provide the smart contract associated with the DApp, full access to all of their funds, regardless of their actual usage. Therefore, even if the user only actually sent a transaction equivalent to $1, an attacker abusing a smart contract vulnerability can withdraw all of the user’s holdings of that specific asset," wrote Alex Manuskin, in a report, on March 23.
Bancor is now advising users to check if they interacted with the faulty contract, and if so, perform a small conversion on Bancor.network to revoke all previous approvals to the old version of the smart contract. Full details on how to keep safe can be found in the official Bancor Telegram chat.
Earlier this year, $1 million was stolen in two DeFi exploits, and later on, hackers stole $25 million from another DeFi company. If there’s one thing DeFi needs, it’s better security and it needs it yesterday.