articleStartImage

The Bancor Network decentralized exchange is operational again, reaching trading volumes of about $2.5 million in 24 hours, as per data from CoinMarketCap. The Bancor project was on lockdown for more than a day after a compromised wallet took advantage of a smart contract.

https://twitter.com/Bancor/status/1017147170330480641

After the news, the Bancor Network Token (BNT) market price remained subdued, sinking to $2.05 at around 9:00 UTC. The value of BNT has been sliding for a month, unraveling from around $3.62 as the bear market wiped out altcoins again.

 

The exploit was predicted a long time ago by experts looking into the smart contracts, but Bancor said the likelihood was low. Yo Sub Kwon, founder and CEO of smart contract security firm Hosho, believes Bancor did not take all precautions:

“From the fact that Bancor claims a wallet was hacked and then was able to steal from a smart contract exploits a weakness that has always existed with their smart contracts. That weakness is how far-reaching a single wallet has been allowed to be. Their smart contracts allow for nearly unlimited control to the owners and apparently their ability to protect their wallets is inadequate,” Kwon commented in an emailed statement to Cryptovest, going on to add:

“Any large source of funds or access to powerful smart contracts should at the minimum be using multi-signature verification.”  

Bancor clarified that, in fact, no user wallet has been hacked, the exploit affecting instead the so-called Bancor connector balance, a reserve wallet belonging to the exchange. Through that reserve, the minting and burning of BNT tokens was made possible.

The smart contract that was exploited also had access to other smart contracts, hence the theft of Pundi X (NPXS) tokens.

https://twitter.com/Bancor/status/1017012630639259654

While the stolen Ethereum is not retrievable, the wallet holding the haul has been identified and put on watch. Another address - tagged Fake_Phishing1701 - is transferring small amounts of ETH. The Bancor exploit is yet another reminder that smart contract security is still overlooked, and there may be many others that are vulnerable.