Up to $23.5 million in cryptocurrency lost in Bancor Network hack

Posted: 10 July 2018 12:11 pm

The network froze funds to minimise the damage, which is a whole new problem.

At about midnight UTC on 9 July, the Bancor Network was hacked, and attackers made off with about 25,000 ETH (Ethereum) worth around US$12.5 million, 230 million NPXS (Pundi X) worth around $1 million and 3.2 million BNT (Bancor) worth around $10 million.

The attackers got in by compromising a wallet that was being used to upgrade some of the network's smart contracts.

"From the fact that Bancor claims a wallet was hacked and then was able to steal from a smart contract [suggests that the attack] exploits a weakness that has always existed with their smart contracts," says Yo Kwon, CEO and founder of the Hosho cybersecurity firm. "That weakness is how far-reaching a single wallet has been allowed to be. Their smart contracts allow for nearly unlimited control to the owners and apparently their ability to protect their wallets is inadequate."

"Any large source of funds or access to powerful smart contracts should at the minimum be using multi-signature verification."
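The weakness Kwon describes, and the mitigation he recommends, can be shown side by side. The following is an added illustrative example and is not Bancor's code or Hosho's: the first contract gives a single externally owned key unrestricted power over the contract's funds, so one compromised key is enough to drain it; the second requires a threshold of distinct signer approvals before the same action can execute. Contract names, function names and the 2-of-3 style threshold are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustrative example, not Bancor's code. Pattern 1: one owner key
// holds far-reaching rights, so the security of the whole treasury rests on
// how well that single wallet is protected.
contract SingleOwnerTreasury {
    address public owner;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    receive() external payable {}

    // A single compromised key is sufficient to move everything.
    function withdraw(address payable to, uint256 amount) external onlyOwner {
        to.transfer(amount);
    }
}

// Pattern 2: the same capability, but every privileged action needs
// `threshold` distinct signer approvals before it executes. Losing one
// key no longer gives an attacker control of the funds.
contract MultisigTreasury {
    address[] public signers;
    uint256 public immutable threshold;
    mapping(address => bool) public isSigner;

    struct Proposal {
        address payable to;
        uint256 amount;
        uint256 approvals;
        bool executed;
        mapping(address => bool) approvedBy;
    }
    uint256 public proposalCount;
    mapping(uint256 => Proposal) private proposals;

    event Proposed(uint256 id, address to, uint256 amount);
    event Approved(uint256 id, address signer);
    event Executed(uint256 id);

    // Example deployment: three signer addresses and threshold 2 (2-of-3).
    constructor(address[] memory _signers, uint256 _threshold) {
        require(_threshold > 0 && _signers.length >= _threshold, "bad threshold");
        for (uint256 i = 0; i < _signers.length; i++) {
            address s = _signers[i];
            require(s != address(0) && !isSigner[s], "bad signer");
            isSigner[s] = true;
            signers.push(s);
        }
        threshold = _threshold;
    }

    modifier onlySigner() {
        require(isSigner[msg.sender], "not signer");
        _;
    }

    receive() external payable {}

    // Any signer may put a withdrawal up for approval; nothing moves yet.
    function propose(address payable to, uint256 amount) external onlySigner returns (uint256 id) {
        id = proposalCount++;
        Proposal storage p = proposals[id];
        p.to = to;
        p.amount = amount;
        emit Proposed(id, to, amount);
    }

    // Each signer can approve a proposal at most once.
    function approve(uint256 id) external onlySigner {
        require(id < proposalCount, "no such proposal");
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        require(!p.approvedBy[msg.sender], "already approved");
        p.approvedBy[msg.sender] = true;
        p.approvals += 1;
        emit Approved(id, msg.sender);
    }

    // Executes only once the approval count reaches the threshold.
    function execute(uint256 id) external onlySigner {
        require(id < proposalCount, "no such proposal");
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        require(p.approvals >= threshold, "not enough approvals");
        p.executed = true; // mark executed before the external call
        emit Executed(id);
        (bool ok, ) = p.to.call{value: p.amount}("");
        require(ok, "transfer failed");
    }
}
```

The same gating applies to contract upgrade paths, which is where the compromised wallet in this incident sat: if the function that swaps in a new implementation is `onlyOwner`, one key controls every user's funds routed through that contract, whereas routing it through a proposal-and-approval flow like the one above forces an attacker to compromise several independently held keys.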

The aftermath

After the attack, the Bancor network went down and halted trading as a precaution. The stolen BNT was frozen, but the NPXS and ETH can't be frozen. Instead, Bancor is "working together with dozens of cryptocurrency exchanges" to make it more difficult for the hackers to liquidate the funds.

No user wallets were affected, and no funds were stolen except from the Bancor Network itself.

The implications

Shortly before the attack, Bancor voiced its support for "decentralised solutions such as Bancor" on Twitter.

That tweet didn't age well. Firstly, the Bancor network went down, which is the number one thing no decentralised system should ever do. On top of that, the central Bancor authority used its executive powers to freeze the stolen BNT, and then appealed to centralised exchanges for help preventing the other funds from disappearing.

The whole point of decentralised solutions "such as Bancor" is that they can never go down, that they are much better protected against hackers and that no central authority has the ability to do things like freeze funds. Regardless of how the hack may have happened, or whether the ability to freeze funds at will turned out to be advantageous in this case, the point remains that Bancor is not actually decentralised.

Talk is cheap, but walking the hard road to decentralisation is an entirely different level of commitment.

Rocky road

The road to decentralisation is extraordinarily expensive and difficult. It means deliberately building systems that make it impossible to freeze or recover funds like this, and it means accepting the loss of hundreds of millions of dollars' worth of tokens over the years to hidden vulnerabilities, coding errors, random bugs and attacks like this one.

It's pretty steep, but that's just the price of admission, and any protocol that isn't willing to pay it will never be truly decentralised.

Disclosure: At the time of writing the author holds ETH, IOTA, ICX, VET, XLM, BTC, NANO

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.
