Another day, another hacking scandal, it would seem. This time, the victim of the attack was an Israeli startup cryptocurrency exchange called Bancor.
The hackers got away with a total of over $23 million worth of cryptocurrency. The majority of their loot consisted of Ether (ETH), worth around $13.5 million. The remaining ten million was in the exchange’s native Bancor tokens, called BNT.
The hackers also managed to secure around $1 million worth of a lesser-known token called Pundi X. In the aftermath, the value of Ethereum plummeted by 7.7%. Pundi X fared worse, losing 15% of its value, nearly double that.
Bancor releases an official statement
The official statement as released by Bancor via their Twitter account reads as follows:
Earlier today, at approximately 00:00, Bancor experienced a security breach. We take this incident very seriously. We are committing every resource to resolving it, getting the network back online and tracking down the criminals involved.
The statement went on to detail the hacking incident:
A wallet used to upgrade some smart contracts was compromised. This compromised wallet was then used to withdraw ETH from the BNT smart contract in the amount of 24,984 ETH (~$12.5M). The same wallet also stole: 229,356,645 NPXS (~$1M) and 3,200,000 BNT (~$10M).
Some of the tokens were frozen
Bancor was able to do some damage control once they discovered that the hackers had gained access to their wallet:
Once the theft was identified, we were able to freeze the stolen BNT, limiting the damage to the Bancor ecosystem from the theft. The ability to freeze tokens was built into the Bancor Protocol to be used in an extreme situation to recover from a security breach, allowing Bancor to effectively stop the thief from running away with the stolen tokens.
Whilst Bancor was able to secure their own tokens, holders of Ethereum and Pundi X were not so lucky:
It is not possible to freeze the ETH or any other stolen tokens. However, we are now working together with dozens of cryptocurrency exchanges to trace the stolen funds and make it more difficult for the thief to liquidate them.
How did the hackers do it?
It would seem that Ethereum smart contract technology is both a blessing and a curse. Because the hackers were able to gain access to the Bancor wallet used to upgrade some of its smart contracts, they could abuse the self-executing contracts to steal tokens. This is a negative side of smart contracts that could potentially affect numerous ICOs that utilize the technology.
For Bancor as an organization, this incident does not reflect well. Users of any service trust the company to take great care of their data and, more importantly, their money. If traders can no longer trust exchanges to do that, those exchanges will quickly go out of business.
Bancor is not without its critics, either. Last year, Kyle Samani from Multicoin Capital had the following to say about the Bancor project:
For assets that actually have value, there will be a market. For assets that people don’t want to buy, why should there be some pity-based programmatic market maker to provide liquidity? My inner capitalist is just dumbfounded by the concept of Bancor.