Bancor Drains $455,000 of User Funds After Discovering Vulnerability
Bancor's latest update revealed critical vulnerabilities.
The Bancor team has discovered a vulnerability in its latest smart contract update. To protect user funds, the team drained BNT tokens from affected users’ wallets.
Members of the crypto community have, however, pointed to non-Bancor-related addresses walking off with over $100,000 in affected funds. The Bancor team has identified these addresses as arbitrage bots.
Bancor Identifies Vulnerability
“Dear community, Last night [June 17, 2020] at 12:00 AM GMT, a vulnerability was discovered in a new version of the BancorNetwork v0.6 smart contract deployed on June 16, 2020,” reads a message on Bancor’s official Telegram channel.
Wallets that have interacted with Bancor within the past 48 hours are at risk.
The same note also guides users through the process for recovering these funds. The team confirmed that the smart contract has been updated, audited, and redeployed.
Hex Capital, a San Francisco-based crypto VC and trading firm, broke the news before Bancor.
— hexcapital.eth (@Hex_Capital) June 18, 2020
The venture firm went on to report that “not all funds are safe,” despite Bancor’s announcement. “Not all user funds were migrated safely. See this tx by a non-Bancor controlled address draining nearly $100k of user funds in BNT,” Hex tweeted.
The address in question leads to a wallet that is not listed as a Bancor address. It also shows several BNT token transactions linked to user accounts. These transactions total roughly $130,000.
It was initially unclear whether this behavior was that of a whale or was explicitly related to the latest vulnerability. Bancor’s CTO, Yudi Levi, has since cleared up the identity behind these funds.
He wrote in a Medium post after the event:
“Alongside our white-hat activity, two additional arbitrage bots detected the incoming transactions, leading to the transactions being front-run by these bots with profits of $135,229. We have since been in contact with the owners of these bots and are working with them to return the amounts to the rightful owners in exchange for a bug bounty.”
Since the news was announced, the BNT price has dropped from ~$0.82 to ~$0.78.
This article will be updated as new information becomes available.
Update: This article was updated at 14:30 UTC+1 to include more details about the event from the Bancor team.