Attackers managed to steal $23.5 million of three different cryptocurrencies from the decentralized exchange Bancor . Although Bancor was able to mitigate the damages down to $13.5 million, the hacker or hackers are still looking at a future in which they could be millionaires.
The hack, which was detected on Monday, kicked off numerous debates such as whether Bancor is actually a decentralized service. Bancor dubbed itself as a “decentralized liquidity network” and its protocol ( pdf ) uses smart token contracts.How the Bancor hack happened
As for what actually happened, Bancor said no user wallets were compromised, but “a wallet used to upgrade some smart contracts was compromised.” The attackers used the compromised wallet to steal $12.5 million of ether, $1 million of Pundi X, and $10 million of Bancor Network Tokens (BNT).
Trying to clarify, Banor added that the 24,984 ETH, worth roughly $12.5 million, “was stolen out of BNT’s connector balance (like a reserve). The rest of the stolen tokens were taken from smart contracts that the breached wallet had access to on the network.”
To understand that clarification, Bancor explained that you must understand how smart tokens work.
“A Smart Token like BNT has price discovery build into the smart contract. By sending the smart contract ETH (essentially buying BNT), new BNT tokens are issued and ETH is stored in a connected balance. When BNT is sent back to the smart contract (essentially selling BNT), the BNT tokens are destroyed and a proportional amount of ETH is removed from the token’s connected balance and sent to the seller,” it said.
After Bancor realized the theft occurred, it frozen the $10 million in BNT.
“The ability to freeze tokens was built into the Bancor Protocol to be used in an extreme situation to recover from a security breach, allowing Bancor to effectively stop the thief from running away with the stolen tokens,” it said.Is Bancor's claim that it is decentralized accurate?
But the ability to do that is exactly what kicked off a debate whether Bancor should claim to be truly decentralized.
For example, Charlie Lee, creator of Litecoin, tweeted , “An exchange is not decentralized if it can lose customer funds OR if it can freeze customer funds. Bancor can do BOTH. It’s a false sense of decentralization.”
A Bancor wallet got hacked and that wallet has the ability to steal coins out of their own smart contracts. ♂
An exchange is not decentralized if it can lose customer funds OR if it can freeze customer funds. Bancor can do BOTH. It's a false sense of decentralization. https://t.co/22UYygIhEF― Charlie Lee [LTC:zap:] (@SatoshiLite) July 10, 2018
Others, such as bitcoin developer and consultant Udi Wertheimer, regard Bancor’s ability to recover stolen coins as a backdoor.
Based on the currently published details, it seems that the @Bancor hack was enabled by permissioned backdoors that were put in the smart contracts by the team, and were presumably compromised by the attackers.
I wrote about them a year ago: https://t.co/ZjMO9Huih4 pic.twitter.com/SnHKseoAnL― Udi Wertheimer :hammer: [#reckless] (@udiWertheimer) July 10, 2018
Without using the term backdoor, yet trying to address the decentralization argument, Bancor attempted to clarify that the ability to freeze stolen BNT was one of the safety measures meant to protect its community and part of a three-year pilot period.
“We firmly believe that this ability is a preventative measure essential to most tokens and necessary to protect the network and token holders in a state of emergency,” it said.
While unable to freeze the other stolen cryptocurrencies, such as the stolen ether (wallet) , Bancor is working with “dozens of cryptocurrency exchanges to trace the stolen funds and make it more difficult for the thief to liquidate them.”
The company believes it will soon reactivate the Bancor Network and appreciates the “healthy debate on the balance between security and decentralization that has ensued.”
We are close to reactivating the Bancor Network. We appreciate your support and the healthy debate on the balance between security and decentralization that has ensued.― Bancor (@Bancor) July 10, 2018