The latest version of the Bancor’s decentralized exchange seems to be vulnerable to a very serious error that can lead to a significant loss of user funds.
According to the tweet published by Bancor on June 18, the vulnerability affects the latest version of BancorNetwork’s smart contract, which was launched on June 16.
Users who traded on the Bancor and gave a withdrawal approval to their smart contract are urged to revoke it through a dedicated website, approved.zone.
Next Bancor update will solve the “Little Secret of DeFi
The team revealed that after discovering the vulnerability, they „attacked the contract as a ‚white hack'“ to migrate at-risk funds to a safe place. Presumably, the team used the above-mentioned vulnerability to do so, meaning that an attacker could have drained a significant portion of the users‘ funds.
Hex Capital tweeted that the problem resulted from the possibility of calling a „safeTransferFrom“ without proper authorization. This feature is one of the key elements of the ERC-20 contract, as it allows a smart contract to withdraw a certain allocation without requiring user interaction.
Hex Capital speculated that the team arrived „too late in many cases“ to save the funds. However, according to research by the 1inch.exchange team, the blame lies with the front-runners.
The DForce hacker tries to negotiate after allegedly leaking his identity
Front-runners „steal“ some of the money
The 1inch.exchange team found at least two publicly known front-runners who started copying transactions from the Bancor team as soon as they started. The front-running bots were set up to take advantage of arbitrage opportunities, and „could not distinguish the arbitrage opportunity from the hack,“ the team wrote.
However, all the front-runners who joined have publicly listed their contact information, which should mean they would be willing to pay back the money. One of them has already promised to return the money. However, the portion that went to the front-runners was significant, the 1inch team wrote:
„The Bancor team salvaged USD 409,656 in total and spent 3.94 ETH for gas, while the automatic bots captured USD 135,229 and spent 1.92 ETH for gas. Users were charged a total of USD 544,885.
Ethereum’s second-layer solutions lack real-world usability, according to Skale’s CTO
The audits were not helpful
In response to the incident, some community members began to question whether the Bancor conducted audits on the new smart contracts. In the announcement of the new version 0.6, Bancor noted that „a security audit was underway“.
While no further information was available, anonymous researcher Frank Topbottom reported a finding from his GitHub repository, which mentioned a security audit conducted by Kanso Labs. The company appears to be based in Tel Aviv, where most of the Bancor team is also located.
The Bancor team told Cointelegraph that the vulnerability was discovered by an outside developer shortly after the release, similar to how it would work with bug rewards.
As Cointelegraph reported earlier, audits are rarely sufficient to ensure security.