The Bancor Hack / Bancor v3 Bug Bounty Program

Introduction

The Bancor compromise, commonly referred to as the Bancor hack, was a data breach that affected the cryptocurrency platform, Bancor, on July 9th, 2018. The attack resulted in the theft of over $23 million in cryptocurrency, disrupting online trading and investors’ confidence in Bancor’s security. This article will first detail the timeline of the attack and the steps Bancor took afterwards. It will then explain the techniques used by the attackers to compromise Bancor, as well as the implications for users’ safety and the measures Bancor has taken to protect themselves. The article will also discuss the recent launch of Bancor’s new v3 bug bounty program and how it may help protect against future attacks.

Timeline of the attack

On July 9th, 2018, a hacker was able to exploit a vulnerability in Bancor’s smart contracts and steal over $23 million worth of Ethereum and numerous other cryptocurrencies. The attacker first gained access to the Bancor network by hacking the credentials of a user with administrator-level permissions. They then gained access to the Bancor Smart Token contract and created fraudulent transactions to transfer the funds out of the Bancor wallets.

Once the attack was discovered, Bancor quickly took action to minimize the damage. It suspended all services, paused all trading, and immediately contacted the relevant authorities and security researchers. They also worked diligently to restore the service and return funds to their rightful owners.

Exploitation examples

The attack on Bancor demonstrates the significant risks associated with storing funds on centralized exchanges. It showcases the ease with which malicious actors can gain access to restricted data and execute fraudulent trades without the user’s knowledge.

The attack was enabled by the use of three separate vulnerabilities:

• Replay attack: The attacker exploited a vulnerability in the Bancor smart contract code which allowed them to use the same transaction multiple times. This is known as a replay attack and is a technique used to bypass security protocols.

• Privileged user attack: The attacker was also able to exploit a privileged user account with administrator level permissions. These permissions allowed them to access and manipulate Bancor’s smart contracts.

• Front running attack: Finally, the attacker exploited another vulnerability in the Bancor smart contract code which allowed them to “front run” certain transactions, i.e. execute a transaction before the legitimate user and profit from the difference in price. This is known as a ‘front-running’ attack and is a common tactic used by malicious actors.

Safety for users

In the wake of the attack, Bancor has taken several steps to bolster their security and protect the safety of their users. They have implemented safety protocols and increased surveillance of their wallet infrastructure. In addition, they have launched an internal security review of all their trading processes, wallets, and smart contracts.

Bancor v3 bug bounty program

Most recently, Bancor has launched a bug bounty program as part of their v3.0 upgrade. This program will reward researchers and hackers for finding and reporting any vulnerabilities within their platform. It is a move towards a more transparent system and will hopefully help to protect against future cyber-attacks.

Conclusion

The Bancor compromise is a reminder of the vulnerability of centralized exchanges and the importance of proper security measures. Bancor has taken steps to protect their users and bolster their security protocols. The recent launch of their v3 bug bounty program is a promising step in the right direction and a reminder that cybersecurity should not be taken lightly. More information on this can be found here:

https://bancor.medium.com/bancor-3-bug-bounty-6d2ff382a821