The latest release of the Bancor decentralized exchange appears to have been exposed to a critical bug that could have caused a drastic loss of user funds.
Bancor, a decentralized exchange, released a smart contract with a critical vulnerability and then hacked itself to save user funds from malicious theft. The vulnerability affects the latest version of the BancorNetwork smart contract, which was launched on June 16. Users who traded on Bancor and gave a withdrawal approval to its smart contract have to revoke it through a dedicated website, approved.zone.
The team revealed that after discovering the issue, they “attacked the contract as a white-hack” in order to move the funds to a safe location. According to a tweet by Hex Capital, the issue resulted from the possibility of calling “safeTransferFrom” without proper authorization. He also suggested that the team was “too late in many cases” to save funds. This function is a basic element of an ERC-20 contract because it allows a smart contract to withdraw an approved allowance without the need for further user interaction.
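To make the failure mode concrete, here is an added Solidity illustration; it is not Bancor's code and the contract and function names are hypothetical. It assumes the class of bug the tweet describes: a publicly callable transfer helper that takes the `from` address as a parameter, so that any caller can spend an allowance a user granted to the contract. The hardened version beside it only ever pulls tokens from `msg.sender` and keeps the low-level helper private.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface needed for this example (assumed; real tokens expose more).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// VULNERABLE pattern (hypothetical reconstruction, not Bancor's contract):
// the helper that calls transferFrom is public and takes `from` from the caller.
// Anyone who knows an address that has approved this contract can move that
// address's allowance to a destination of their choosing, with no signature
// or interaction from the token owner.
contract VulnerableRouter {
    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) public {
        (bool ok, bytes memory data) = address(token).call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, from, to, amount)
        );
        // Accept tokens that return nothing as well as those that return bool.
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transfer failed");
    }
}

// HARDENED pattern: the only address whose allowance can be spent is msg.sender,
// and the helper that touches transferFrom is private, so it cannot be reached
// by an external call at all. A standing approval to this contract can therefore
// be spent only by the wallet that granted it.
contract HardenedRouter {
    mapping(address => mapping(address => uint256)) public deposits;

    function deposit(IERC20 token, uint256 amount) external {
        _pullFromCaller(token, amount);
        deposits[msg.sender][address(token)] += amount;
    }

    // Private and parameterless in `from`: the source is always msg.sender.
    function _pullFromCaller(IERC20 token, uint256 amount) private {
        (bool ok, bytes memory data) = address(token).call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, msg.sender, address(this), amount)
        );
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transfer failed");
    }
}
```

The review check this suggests is mechanical: for every `public` or `external` function that reaches `transferFrom`, confirm that the `from` argument is `msg.sender` or is otherwise bound to the caller. On the user side, the mitigation the article points to (revoking approvals) is simply calling the token's `approve(spender, 0)` for the affected contract address, which is what a revocation site does on the user's behalf.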
Front-runners take advantage of the opportunity:
The 1inch.exchange team found that two known front-runners had set up bots which took advantage of the opportunity and were “not able to distinguish arbitrage opportunity from hacking.” However, all the front-runners involved are willing to return the money. The 1inch team wrote:
The Bancor team rescued $409,656 in total and spent 3.94 ETH for gas, while automatic front-runners captured $135,229 and spent 1.92 ETH for gas. Users were charged $544,885 in total.
Audits do not ensure security:
After the incident, some people began questioning the audit of the new smart contracts. In the announcement for the new 0.6 version, Bancor said that a “security audit was underway.” But, as we all know, audits never guarantee full security.