Home » Journal » [UPDATED] Bancor [BNT] suffers a security breach; was Emin Gün Sirer right about this project?

Journal

[UPDATED] Bancor [BNT] suffers a security breach; was Emin Gün Sirer right about this project?

Dobrica Blagojevic

July 9, 2018

3 comments

While the rest of the market is holding tight for now and waiting for Bitcoin to make its next move, Bancor has decided to trip itself up and fall face down through the floor. On the morning of July 9^th, the official Bancor account tweeted out the following news:

“Bancor Web App is currently down for maintenance.”

Soon after, an update to the situation was posted:

“This morning (CEST) Bancor experienced a security breach. No user wallets were compromised. To complete the investigation, we have moved to maintenance and will be releasing a more detailed report shortly. We look forward to being back online as soon as possible.”

The price immediately took a dive and plunged more than 20% in a matter of hours. Traded at near monthly highs of $3.24 USD on Sunday, the coin managed to drop all the way down to $2.51 USD after the news of the security issue broke.

Soon after, additional updates started popping up on social media. A reddit user metalmusen posted the following:

“25k ETH made it out from Bancor contracts and ended up here: https://etherscan.io/address/0x8ddfdf60aaffe05c623ba193a186abd1f8024946. And 2.5 million BNT, which earlier was in an address together with the 25k ETH (https://etherscan.io/address/0x5337a05cc6bcc36b9e70a4b2f81d4c7287aa742e), got destroyed/burned through the ‘destroy’ function, as can be seen here: https://etherscan.io/tx/0xf9c27cd018781d53ce1208dfd0eb5293bd679af6ffd26be5bf8fdb9c4d8f0491. The destroy function got called by the ‘Owner’ address of the Bancor Contract (https://etherscan.io/address/0x1f573d6fb3f13d689ff844b4ce37794d79a7ff1c#readContract)”

At the same time, a twitter user @camilleblanc asked:
“Would be interested in knowing why did you move all $NPXS out of the converter contract to a static address,” to which oskar9806 responded:

“I don’t think it was them. A bunch of ETH and BNT was also moved out from Bancor contracts to static addresses. 2.5 million BNT that got moved out later got destroyed. https://etherscan.io/tx/0xf9c27cd018781d53ce1208dfd0eb5293bd679af6ffd26be5bf8fdb9c4d8f0491 …”

As of now, nothing further has been revealed about the security breach. This isn’t the first controversy that the coin has gotten itself into. If you recall, Bancor was previously called out  in a lengthy deconstruction of the project’s code and ideas by Emin Gün Sirer, a famous crypto analyst and writer for hackingdistributed.com.

He notably claims that the project is vulnerable to “front running” attacks, where a miner, upon seeing that someone is submitting an order to buy from Bancor, would squeeze his own buy order ahead of the user’s. He would thus always get a rate from the Bancor market maker that is better than what the user gets. His final verdict says:

“The Bancor code falls short of the narrative used to sell the code. Blindly making markets using a strategy that has no proof or reasoning for why it’s good is a flawed idea. Additional problems, such as front-running, potential reentrancy issues, poor code quality, lack of testing and the general unnecessity of inventing a new currency, give us pause.”

The project responded to his accusations with a strong dispute of his claims in an even longer article that you can read here. We will have to wait and see for the Bancor’s official response to their latest mishap to determine if anything Mr. Gün Sirer exposed about the project actually came back to haunt them or if the breach was caused by something else.

Update:

Bancor have finally came out with an update on the security breach, confirming that one of the wallets that was being used to upgrade smart contracts got compromised. Using this wallet, the hacker stole 24,984 ETH ($12,5 million), 229,356,645 NPXS ($1 million) and 3,200,000 BNT ($10 million). The stolen funds were frozen and the team is working on a way to bring them back. Check out the team’s Twitter/Telegram accounts for further updates as they will be posted there.