Hackers steal $23.5M in cryptocurrency from ‘decentralized’ crypto exchange Bancor

Jul 11, 2018 · 4 mins

Attackers used a compromised wallet to steal $12.5 million of ether, $1 million of Pundi X, and $10 million of Bancor Network Tokens (BNT). Bancor froze the $10 million BNT, kicking off a debate about whether it is actually a decentralized service.


Attackers managed to steal $23.5 million of three different cryptocurrencies from the decentralized exchange Bancor. Although Bancor was able to limit the damage to $13.5 million, the hacker or hackers are still looking at a future in which they could be millionaires.

The hack, which was detected on Monday, kicked off numerous debates, including whether Bancor is actually a decentralized service. Bancor dubbed itself a “decentralized liquidity network,” and its protocol (pdf) uses smart token contracts.

How the Bancor hack happened

As for what actually happened, Bancor said no user wallets were compromised, but “a wallet used to upgrade some smart contracts was compromised.” The attackers used the compromised wallet to steal $12.5 million of ether, $1 million of Pundi X, and $10 million of Bancor Network Tokens (BNT).

Trying to clarify, Bancor added that the 24,984 ETH, worth roughly $12.5 million, “was stolen out of BNT’s connector balance (like a reserve). The rest of the stolen tokens were taken from smart contracts that the breached wallet had access to on the network.”

To understand that clarification, Bancor explained that you must understand how smart tokens work.

“A Smart Token like BNT has price discovery built into the smart contract. By sending the smart contract ETH (essentially buying BNT), new BNT tokens are issued and ETH is stored in a connected balance. When BNT is sent back to the smart contract (essentially selling BNT), the BNT tokens are destroyed and a proportional amount of ETH is removed from the token’s connected balance and sent to the seller,” it said.

After Bancor realized the theft had occurred, it froze the $10 million in BNT.

“The ability to freeze tokens was built into the Bancor Protocol to be used in an extreme situation to recover from a security breach, allowing Bancor to effectively stop the thief from running away with the stolen tokens,” it said.
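
A simplified model of the mechanism Bancor describes above, added here as an example; it is not Bancor's contract code. The class, method names, balances and 10% weight are constructed, and the pricing uses the connector-weight formula from the Bancor white paper, which this article does not reproduce.

```python
class SmartToken:
    """Toy model of a smart token (added example, not Bancor's contract code)."""
    def __init__(self, owner, supply, connector, weight):
        self.owner = owner            # hypothetical stand-in for the upgrade wallet
        self.supply = supply          # tokens in circulation
        self.connector = connector    # ETH held by the contract (the reserve)
        self.weight = weight          # connector weight, 0 < weight <= 1
        self.balances = {}
        self.frozen = False

    def buy(self, buyer, eth_in):
        """Sending ETH issues new tokens (white paper connector-weight formula)."""
        issued = self.supply * ((1 + eth_in / self.connector) ** self.weight - 1)
        self.connector += eth_in
        self.supply += issued
        self.balances[buyer] = self.balances.get(buyer, 0.0) + issued
        return issued

    def sell_quote(self, amount):  # ETH paid out for destroying `amount` tokens now
        return self.connector * (1 - (1 - amount / self.supply) ** (1 / self.weight))

    def sell(self, seller, amount):
        if not 0 < amount <= self.balances.get(seller, 0.0):
            raise ValueError("insufficient balance")
        eth_out = self.sell_quote(amount)
        self.balances[seller] -= amount
        self.supply -= amount         # sold tokens are destroyed
        self.connector -= eth_out
        return eth_out

    def transfer(self, sender, to, amount):
        if self.frozen:
            raise PermissionError("transfers are frozen")
        if not 0 < amount <= self.balances.get(sender, 0.0):
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0.0) + amount

    def _owner_only(self, caller):  # one key gates both functions below
        if caller != self.owner:
            raise PermissionError("owner only")

    def withdraw_connector(self, caller, amount):
        self._owner_only(caller)
        self.connector -= min(amount, self.connector)  # bypasses the price formula

    def freeze(self, caller, frozen=True):
        self._owner_only(caller)
        self.frozen = frozen
```

With a constructed supply of 1,000,000 tokens and 25,000 ETH in the connector, a holder who buys with 100 ETH can redeem for 100 ETH, but only about 4.4 ETH after the owner key withdraws 24,000 ETH; the same key can then block every transfer.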

Is Bancor’s claim that it is decentralized accurate?

But the ability to do that is exactly what kicked off a debate over whether Bancor should claim to be truly decentralized.

For example, Charlie Lee, creator of Litecoin, tweeted, “An exchange is not decentralized if it can lose customer funds OR if it can freeze customer funds. Bancor can do BOTH. It’s a false sense of decentralization.”

Others, such as bitcoin developer and consultant Udi Wertheimer, regard Bancor’s ability to recover stolen coins as a backdoor.

Without using the term backdoor, yet trying to address the decentralization argument, Bancor attempted to clarify that the ability to freeze stolen BNT was one of the safety measures meant to protect its community and part of a three-year pilot period.

“We firmly believe that this ability is a preventative measure essential to most tokens and necessary to protect the network and token holders in a state of emergency,” it said.

While unable to freeze the other stolen cryptocurrencies, such as the stolen ether (wallet), Bancor is working with “dozens of cryptocurrency exchanges to trace the stolen funds and make it more difficult for the thief to liquidate them.”

The company believes it will soon reactivate the Bancor Network and appreciates the “healthy debate on the balance between security and decentralization that has ensued.”


Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.