Decentralized exchange (DEX) protocol Bancor Network suffered a security vulnerability late Wednesday, which could have resulted in a loss of around $455,349 worth of user funds. But Bancor soon discovered the issue and migrated the funds to a safe wallet.
Specifically, there was a bug in Bancor’s latest smart contracts, which were deployed two days ago. Therefore, all users who interacted with the exchange protocol in the last 48 hours, were affected.
“Due to the recent vulnerability uncovered in v0.6 contracts, if you traded with Bancor contracts in the past 48h, go to https://approved.zone/ and revoke any approvals from the affected Bancor contract addresses,” said Bancor in its official Telegram channel late Wednesday.
The vulnerability was “critical,” Anton Bukov, CTO of DEX aggregator 1inch.exchange, told The Block. The smart contracts had a public method that allowed anyone to use “infinite approves” to steal user funds, said Bukov. Infinite approves is an ERC-20 feature that allows someone to capture tokens of another wallet.
Indeed, Bancor said in a detailed blog post earlier today that v0.6 contracts “mistakenly made a safeTransferFrom function in the BancorNetwork contract public.”
“Exchange smart contracts like Bancor’s use allowance to interact with user wallets. This is a common practice used by most DAPPs. But in this case, a private function that should have been restricted to the contract alone was made public. This essentially allowed anyone to transfer tokens which were approved only for the contract to transfer,” it added.
Bancor assured that no user funds are at risk from the vulnerability as it initiated a white-hat attack and migrated $455,349 worth of funds to a safe wallet.
“A new network contract was then pushed to ensure that an error like this does not recur. Trading within the system is now back to normal,” it added.
While Bancor initiated the white-hat activity, two arbitrage bots detected the incoming transactions and front-run Bancor with profits of $135,229. Bancor said it is in contact with the owners of these bots and is working with them to return the amounts in exchange for a bug bounty.
Bukov told The Block that the two bots or automatic front-runners are [email protected] and [email protected] It remains to be seen whether these bots return the funds to Bancor.
This is not the first time Bancor has suffered a vulnerability. In 2018, it was hacked and lost $13.5 million worth of funds, which were held in several converter contracts. It initially lost $23.5 million at the time, but around $10 million was saved, resulting in a net loss of $13.5 million.
Correction: Bancor told The Block it did not suffer a hack in 2019, as previously mentioned.
© 2023 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.