Bancor, a decentralized ERC20 exchange, in a statement released earlier today let its community know that a vulnerability in its network had been exploited by hackers who stole 24,984 ETH (worth approximately $11,815,683, at index prices), $1 million of NPXS and $10 million worth of Bancor tokens.
Bancor says it was able to freeze the stolen BNT tokens once the theft was identified but that it was not possible to “freeze the ETH or any other stolen token.” Bancor says no user funds were compromised during the attack and it is working with other exchanges in an attempt to trace the stolen funds and “make it more difficult for the thief to liquidate them”.
The attack has added significance because Bancor is a decentralized exchange, meaning that no counterparty is holding customer funds and withdrawals occur without the need for conversion. Bancor’s exchange is operated using Ethereum smart contracts and a pricing mechanism using the exchange’s native BNT token.
In the announcement on its official Twitter page, Bancor states that the incident arose when “a wallet used to upgrade some smart contracts was compromised, this compromised wallet was then used to withdraw ETH from the BNT smart contract”.
The wallet containing the stolen crypto can be viewed here.
Roman Storm, a Solidity engineer at POA Network, says the most important thing to understand about the breach is “how the hacker got the owner’s private key.” Once that was achieved, he says, the thief probably followed this process:
Bancor has said that a longer statement will be released as more information becomes available.
Bancor has been a well-received DEX project that raised $153 million in three hours on June 12, 2017. It has provided easy access for crypto enthusiasts into ERC20 markets, with a popular user experience, and has had sustained relevance as one of Ethereum’s most popular exchange Dapps.