Bancor, an Israeli startup and decentralized cryptocurrency trading platform, has been dealing with a major vulnerability in its code that could pose its user funds at risk. 

The liquidity provider discovered a vulnerability on its new smart contract protocol BancorNetwork v0.6, which was deployed as recently as June 16th. DeFi tweeted that funds from Bancor were being drained and that they were monitoring the situation closely.

Breaking: looks like @Bancor is being drained right now 🚨#defi #ethereum

h/t @Hex_Capital

It's developing situation and need to be monitored closely

— defiprime (@defiprime) June 18, 2020

The company itself responded to the issue minutes later, saying that a vulnerability was detected last night at 12:00 AM GMT and that a new version of BancorNetwork contract was deployed in order to fix the issue. 

After learning about the vulnerability, it was decided to attack the affected contract with a white-hack and withdraw all of the funds in it. This way, Bancor was able to both mitigate any risks and keep the funds remaining in the contract safe. 

In the official Bancor Telegram channel, users that have interacted with Bancor in the last 48 hours have been asked to follow steps to determine whether or not their wallets were affected. 

The company advised users to search below mentioned three smart contract addresses on the page of their Bancor wallet and revoke all approvals to the affected contracts if they discover any.

– 0x8dFEB86C7C962577deD19AB2050AC78654feA9F7

– 0x5f58058C0eC971492166763c8C22632B583F667f

– 0x923cAb01E6a4639664aa64B76396Eec0ea7d3a5f

Initial data from Ethereum blockchain explorer Etherscan showed that almost $460,000 worth of various ERC-20 tokens have been withdrawn by the company.

Hex Capital, a venture capital and trading firm based in San Francisco, noted that some funds were moved from the contract to an address that most likely doesn’t belong to Bancor. However, the company later clarified that the transaction was actually sent by Bancor in an attempt to “white-hard drain user funds before someone else can.” 

The company confirmed on their Telegram channel that the address mentioned by Hex Capital was of the front-runner arbitrage bot. Two arbitrage bots front-running Bancor ended up with a profit of over $135,000. The company is trying to retrieve the funds from them and offer them a bug bounty instead.

And while the company managed to keep most of the funds in the affected smart contract safe, the price of its native token, BNT, took a heavy hit. According to data from CoinMarketCap, the coin saw its price drop more than 9% in the past 24 hours. While it started off Jun. 17 with a price of around $0.85, it dropped to just $0.77 at press time. 

  Graph showing Bancor’s price from Jun. 17 to Jun. 18.  (Source: CoinMarketCap)

Hartej Sawhney, a security expert and CMBDO at Qredo told 8BTC that it’s not the first time Bancor has suffered an attack and it’s important for crypto firms to undergo multiple security audits. He said in its current form, the DeFi system is “a giant bug bounty program where hackers can get the largest rewards in the fastest time.”

Bancor suffered a security breach in 2018. Back then, the company lost more than $13.5 million after hackers managed to access the wallet used to upgrade smart contracts and withdraw all of the funds from it.

The attack is ironic in nature because it came from the function with name starting from ‘safe’ – “safeTransferFrom”.