Bancor has suffered an alleged cyberattack in which threat actors reportedly attempted to steal $23.5 million in cryptocurrency.
This week, the start-up said that a wallet being used to “upgrade” smart contracts was compromised. This wallet was then used to withdraw $12.5 million in Ethereum (ETH), alongside $1 million in Pundi X (NPXS) and $10 million in Bancor Network Tokens (BNT).
Bancor says that once the compromised wallet was identified, the company was able to mitigate the damage by freezing the transfer of BNT, bringing the cost down to roughly $13.5 million.
The start-up says it was “not possible” to freeze or prevent the theft of the Ether tokens.
“We are now working with dozens of cryptocurrency exchanges to trace the stolen funds and make it more difficult for the thief to liquidate them,” Bancor added.
However, the alleged theft of three different kinds of cryptocurrency from the platform has raised questions as to the nature of the apparently decentralized service.
Bancor calls itself a “decentralized liquidity network” which maintains “continuous liquidity for cryptographic tokens through smart contracts.”
According to the start-up’s protocol specification sheet (.PDF):
“These Smart Tokens have one or more connectors to a network that hold balances of other tokens, allowing users to instantly purchase or liquidate a Smart Token for any of its connected tokens directly through the Smart Token’s contract, at a price that is continuously recalculated to balance buy and sell volumes.”
Bancor drew on these principles in a further post which attempted to clarify what had occurred.
The company said that no customer-owned wallets were compromised. Instead, the alleged hacker stole the ETH balance from Bancor’s “connector balance,” which acts as a reserve for the smart contract setup.
The remaining balance was stolen from the smart contracts connected to the compromised wallet on the network.
“A Smart Token like BNT has price discovery built into the smart contract,” Bancor says. “By sending the smart contract ETH (essentially buying BNT), new BNT tokens are issued and ETH is stored in a connected balance. When BNT is sent back to the smart contract (essentially selling BNT), the BNT tokens are destroyed and a proportional amount of ETH is removed from the token’s connected balance and sent to the seller.”
According to the firm, this is why it was able to freeze some of the transaction. The ability to freeze tokens has apparently been built into the smart contract trading system, which in “extreme” situations allows the start-up to stop a transfer.
However, others have cast doubt on whether the platform can truly be considered decentralized, given that this theft was able to occur and that Bancor holds the ability to freeze transactions, for good or ill, in the first place.
Charlie Lee, the creator of Litecoin, has called Bancor a “false sense of decentralization,” commenting:
“An exchange is not decentralized if it can lose customer funds OR if it can freeze customer funds. Bancor can do BOTH. It’s a false sense of decentralization.”
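As an added illustration (not Bancor's contract code and not part of the original article), the Python model below shows why the two privileges discussed above behave differently: a freeze switch can only stop movement of the token the contract itself issues, while ETH already withdrawn from the connector balance is outside its reach. The key names, the pro-rata redemption rule and all figures are constructed assumptions.

```python
# Added illustration, not Bancor's contract code; roles and numbers are constructed.
from fractions import Fraction


class SmartTokenModel:
    """Toy smart token: one ETH connector and two privileged keys (hypothetical names)."""
    def __init__(self, holders, reserve_eth, upgrade_key, freeze_key):
        self.balances = {h: Fraction(b) for h, b in holders.items()}
        self.reserve_eth = Fraction(reserve_eth)  # connector balance held by the contract
        self.eth_out = {}                         # ETH that has left the contract
        self.upgrade_key, self.freeze_key = upgrade_key, freeze_key
        self.frozen = False

    def redeem_value(self, holder):
        # Simplification: a holder's tokens redeem a pro-rata share of the connector.
        return self.reserve_eth * self.balances[holder] / sum(self.balances.values())

    def transfer(self, caller, to, amount):
        if self.frozen:
            raise RuntimeError("token transfers are frozen")
        self.balances[caller] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def withdraw_connector(self, caller, eth):
        if caller != self.upgrade_key:            # one key guards the whole reserve
            raise PermissionError("upgrade key required")
        self._pay(caller, Fraction(eth))

    def set_frozen(self, caller, frozen):
        if caller != self.freeze_key:
            raise PermissionError("freeze key required")
        self.frozen = frozen

    def _pay(self, to, eth):
        self.reserve_eth -= eth
        self.eth_out[to] = self.eth_out.get(to, 0) + eth


def privileged_key_impact():
    """Constructed scenario: what each privileged key changes for an ordinary holder."""
    t = SmartTokenModel({"alice": 100, "bob": 50}, 30, "upgrade_wallet", "operator")
    before = t.redeem_value("alice")
    t.withdraw_connector("upgrade_wallet", 30)    # whoever holds this key can do this
    t.set_frozen("operator", True)                # the freeze covers the token only
    blocked = False
    try:
        t.transfer("alice", "bob", 10)
    except RuntimeError:
        blocked = True
    return {"alice_before": before, "alice_after": t.redeem_value("alice"),
            "alice_transfer_blocked": blocked, "eth_outside": t.eth_out["upgrade_wallet"]}
```

In the model, the holder's redeemable value falls from 20 ETH to 0 without her wallet being touched, and the freeze blocks her own transfer while leaving the withdrawn ETH unaffected.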
On social media, users appear relieved that their own funds are safe. Bancor is now back online and says that tokens will gradually be reintroduced to the platform, starting with the BNT/ETH converter.