Bancor Network Hack 2020

A critical bug in three recently deployed versions of the Bancor Network smart contract has led to a loss of user funds.

Due to the bug, all Bancor Network users who did direct swap of their ERC20 assets shortly after the deployment of the smart contracts, made infinite approvals of their tokens to one of these smart contracts. And the smart contracts had a public method that allowed anyone to use these approvals to steal user funds.

It is still unsafe for users to hold tokens in the wallets before they cancel their infinite approvals. Users should use https://approved.zone to see all ERC20 approvals to the vulnerable Bancor smart contracts.

Rescue attempts

Apparently, the Bancor Team or some white hackers discovered this issue before anyone could begin draining user wallets and made attempts to rescue user funds by withdrawing them from user wallets.

Subsequently, two automatic front-runners joined in, helping the Bancor Team to withdraw funds from user wallets. We discovered contact information of all the front-runners and we believe they potentially agree to return the stolen funds since their automatic software is not able to distinguish an arbitrage opportunity from hacking.

We used Dune Analytics to analyze all the smart contract calls: https://explore.duneanalytics.com/public/dashboards/mEUEd9rQCPjeMkryEIgbtC0YUZwOXESQPTkkqdPX

As a result, we discovered the following vulnerable smart contracts:

• 0x8dfeb86c7c962577ded19ab2050ac78654fea9f7
• 0x5f58058C0eC971492166763c8C22632B583F667f
• 0x923cab01e6a4639664aa64b76396eec0ea7d3a5f

And these are Bancor Team wallets used for the withdrawal of user funds:

• 0xc8021b971e69e60c5deede19528b33dcd52cdbd8
• 0x14fa61fd261ab950b9ce07685180a9555ab5d665

Finally, these front-runner wallets were used to withdraw funds:

• 0x052ede4c2a04670be329db369c4563283391a3ea
• 0x1ad1099487b11879e6116ca1ceee486d1efa7b00
• 0x854b21385544c44121f912aedf4419335004f8ec

How it worked

On June 18, at 03:06 am UTC, the Bancor team began to exploit a breach by producing batched transactions with temporary smart contracts (0xdba03739b4a29594fd3c89881caffa1862ce4bd630ed5f849b9f22707332e59e). They conducted 62 transactions, withdrawing a total of $409,656.

An automatic front-runner registered with the email address arden43y@gmail.com joined in almost immediately and successfully front-runned the Bancor team transactions (0x29142513a7926a326ee726f167cb611a8c2f579255dd9d0d8fc598a369836347). A total of 16 withdrawal transactions were conducted for a total of $131,889.34.

At 03:09am UTC, another front-runner, associated with the email address 0x9799b475dec92bd99bbdd943013325c36157f383@riseup.net, joined the party and conducted four successful transactions, grabbing a total of $3,340:

• 0x03dbfdc1c043afbc24537bb12a9ead5779b242da26e9acdf00e7cc967e3b9d81 — $820
• 0xc07cfb0ad175bdb0c23b53e4fe8c8a61924d45760d0214c976dd84c656d7774b — $390
• 0xf17e0025cfa680a1bd3e5c41ef44bf8d716724e0b626ba658b111451bf0e0815 — $630
• 0xe1c94a9af2d5685a1bee89b40d3e7f8e047b9d6a6ef8fc1075e956afd793ef45 — $1500

The Bancor Team continued to withdraw user funds with both front-runners almost every minute until 06:56 am UTC.

At 05:54 am UTC, another Bancor Team wallet joined the operation: 0x14fa61fd261ab950b9ce07685180a9555ab5d665.

Multiple security audits by established security audit companies are vital for keeping users’ digital assets safe and secure. To avoid situations similar to this, we also suggest hiring white hackers for Red Team Penetration Tests.

Meanwhile, the Bancor team spent 3.94 ETH to rescue $410,194 of user funds, and the automatic front-runners spent 1.92 ETH to grab $135,229 of user funds. User wallets were drained for $545,423 in total.

We hope that the front runners will return the withdrawn user funds to the Bancor Team, who would in turn reimburse the affected users. Security of digital assets should always be a major concern for all legitimate players in the crypto space!