Attackers used a compromised wallet to steal $12.5 million of ether, $1 million of Pundi X, and $10 million of Bancor Network Tokens (BNT). Bancor froze the $10 million BNT, kicking off a debate about whether it is actually a decentralized service.

Attackers managed to steal $23.5 million of three different cryptocurrencies from the decentralized exchange Bancor. Although Bancor was able to mitigate the damages down to $13.5 million, the hacker or hackers are still looking at a future in which they could be millionaires.

The hack, which was detected on Monday, kicked off numerous debates, such as whether Bancor is actually a decentralized service. Bancor dubbed itself a “decentralized liquidity network” and its protocol (pdf) uses smart token contracts.

How the Bancor hack happened

As for what actually happened, Bancor said no user wallets were compromised, but “a wallet used to upgrade some smart contracts was compromised.” The attackers used the compromised wallet to steal $12.5 million of ether, $1 million of Pundi X, and $10 million of Bancor Network Tokens (BNT).

Trying to clarify, Bancor added that the 24,984 ETH, worth roughly $12.5 million, “was stolen out of BNT’s connector balance (like a reserve). The rest of the stolen tokens were taken from smart contracts that the breached wallet had access to on the network.” To understand that clarification, Bancor explained that you must understand how smart tokens work.

“A Smart Token like BNT has price discovery built into the smart contract. By sending the smart contract ETH (essentially buying BNT), new BNT tokens are issued and ETH is stored in a connected balance. When BNT is sent back to the smart contract (essentially selling BNT), the BNT tokens are destroyed and a proportional amount of ETH is removed from the token’s connected balance and sent to the seller,” it said.
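The mechanics described above, as an added example that is not part of the original article and is not Bancor's contract code: a simplified Python model of a smart token with a connector balance and one privileged key. The class, method and account names, the figures, and the connector-weight pricing rule are assumptions for illustration; the model shows how the value behind a holder's tokens, and their ability to move them, depend on whoever controls that key.

```python
# Simplified model (added illustration; all names and numbers are hypothetical).
class SmartToken:
    def __init__(self, owner, supply, connector_eth, weight):
        self.owner = owner                # key allowed to administer the contract
        self.supply = supply              # tokens in circulation
        self.connector = connector_eth    # ETH held in the connector balance
        self.weight = weight              # assumed connector weight, 0 < weight <= 1
        self.balances = {}
        self.transfers_enabled = True

    def _only_owner(self, caller):
        if caller != self.owner:
            raise PermissionError("owner key required")

    def buy(self, buyer, eth_in):
        # Sending ETH issues new tokens; the ETH is stored in the connector.
        minted = self.supply * ((1 + eth_in / self.connector) ** self.weight - 1)
        self.connector += eth_in
        self.supply += minted
        self.balances[buyer] = self.balances.get(buyer, 0.0) + minted
        return minted

    def quote_sell(self, amount):
        # ETH the connector would release if `amount` tokens were destroyed now.
        return self.connector * (1 - (1 - amount / self.supply) ** (1 / self.weight))

    def transfer(self, sender, to, amount):
        if not self.transfers_enabled:
            raise RuntimeError("transfers frozen by owner")
        if self.balances.get(sender, 0.0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0.0) + amount

    def withdraw_connector(self, caller, amount):      # privileged path
        self._only_owner(caller)
        self.connector -= amount

    def set_transfers_enabled(self, caller, enabled):  # privileged path
        self._only_owner(caller)
        self.transfers_enabled = enabled

def holder_exposure():
    t = SmartToken("upgrade-wallet", supply=1000.0, connector_eth=100.0, weight=0.5)
    tokens = t.buy("alice", 21.0)
    before = t.quote_sell(tokens)          # redemption value backed by the connector
    t.withdraw_connector("upgrade-wallet", t.connector)
    after = t.quote_sell(tokens)           # same tokens, empty connector
    t.set_transfers_enabled("upgrade-wallet", False)
    return tokens, before, after, t.transfers_enabled
```

When reviewing a contract of this shape, the privileged paths are the ones to enumerate first, together with how the key that reaches them is stored and who can sign with it.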
After Bancor realized the theft had occurred, it froze the $10 million in BNT.

“The ability to freeze tokens was built into the Bancor Protocol to be used in an extreme situation to recover from a security breach, allowing Bancor to effectively stop the thief from running away with the stolen tokens,” it said.

Is Bancor’s claim that it is decentralized accurate?

But the ability to do that is exactly what kicked off a debate over whether Bancor should claim to be truly decentralized.

For example, Charlie Lee, creator of Litecoin, tweeted, “An exchange is not decentralized if it can lose customer funds OR if it can freeze customer funds. Bancor can do BOTH. It’s a false sense of decentralization.”

A Bancor wallet got hacked and that wallet has the ability to steal coins out of their own smart contracts. 🤦♂️ An exchange is not decentralized if it can lose customer funds OR if it can freeze customer funds. Bancor can do BOTH. It’s a false sense of decentralization. https://t.co/22UYygIhEF
— Charlie Lee [LTC⚡] (@SatoshiLite) July 10, 2018

Others, such as bitcoin developer and consultant Udi Wertheimer, regard Bancor’s ability to recover stolen coins as a backdoor.

Based on the currently published details, it seems that the @Bancor hack was enabled by permissioned backdoors that were put in the smart contracts by the team, and were presumably compromised by the attackers. I wrote about them a year ago: https://t.co/ZjMO9Huih4 pic.twitter.com/SnHKseoAnL
— Udi Wertheimer 🔨 [#reckless] (@udiWertheimer) July 10, 2018

Without using the term backdoor, yet trying to address the decentralization argument, Bancor attempted to clarify that the ability to freeze stolen BNT was one of the safety measures meant to protect its community and part of a three-year pilot period.
“We firmly believe that this ability is a preventative measure essential to most tokens and necessary to protect the network and token holders in a state of emergency,” it said.

While unable to freeze the other stolen cryptocurrencies, such as the stolen ether (wallet), Bancor is working with “dozens of cryptocurrency exchanges to trace the stolen funds and make it more difficult for the thief to liquidate them.”

The company believes it will soon reactivate the Bancor Network and appreciates the “healthy debate on the balance between security and decentralization that has ensued.”

We are close to reactivating the Bancor Network. We appreciate your support and the healthy debate on the balance between security and decentralization that has ensued.
— Bancor (@Bancor) July 10, 2018