As you all may have heard in the news, yesterday was a major hack on the Bancor network, resulting in another market downturn.
The total amount stolen was:

  • 24,984 ETH (~$12.5M)
  • 3,200,000 BNT (~$10M)
  • 229,356,645 NPXS (~$1M)
Overall view of funds stolen in the past 48 hours as audited through Etherscan

After the hack, Charlie Lee tweeted:

“A Bancor wallet got hacked and that wallet has the ability to steal coins out of their own smart contracts. An exchange is not decentralized if it can lose customer funds OR if it can freeze customer funds. Bancor can do BOTH. It’s a false sense of decentralization.”

If this were a bank heist it would take months for details of the heist to be made public, but with the transparency of the blockchain we can audit the hack now by tracing the hackers transactions, and see how Bancor managed to “freeze” the stolen BNT.

In a short amount of time the hacker moved the stolen funds into the following account:

https://etherscan.io/address/0x33ed22f4b6b05f8a5faac4701550d52286bd735a

Etherscan labels this account as Fake_Phishing1701

Starting with the ETH, it got stolen from 3 separate addresses:

  • 22,450 ETH from 0xc0829421C1d260BD3cB3E0F06cfE2D52db2cE315 (ETH Victim 1)
  • 1,950 ETH from 0x009BB5e9fCF28E5E601B7D0e9e821da6365d0a9c (ETH Victim 2)
  • 542 ETH from 0x5Aa9e9De3E667Ad79A097b4b75ccdE10Acb7F930 (ETH Victim 3)

This address 0xc0829421C1d260BD3cB3E0F06cfE2D52db2cE315 (ETH Victim 1) is not a regular ethereum wallet, but rather a smart contract called ether token, which is owned by Bancor.

The hacker stole most of the BNT from the following 2 wallets:

  • 1.46M BTN from 0x0024d891047e844186758F89EB2F4DcFBB02C952 (BNT Victim 1)
  • 853k BNT from 0x009BB5e9fCF28E5E601B7D0e9e821da6365d0a9c (BNT Victim 2)

The hacker also stole some BNT and all the NPXS from this smart contract https://etherscan.io/address/0x2d56d1904bb750675c0a55ca7339f971f48d9dda
This contract is labeled as the BancorConverter.

This BNT Victim 2 wallet is the most important address in this hack:

https://etherscan.io/address/0x009bb5e9fcf28e5e601b7d0e9e821da6365d0a9c

as it was the original creator of the Bancor Token contract. Tracking it’s transaction history, you can see this wallet had created many Bancor related smart contracts, and instantly becoming the owner of those contracts. Being the owner of a smart contract essentially gives you admin access to that contract.

Thankfully this wallet is not the current owner of the Bancor token contract. The wallet that does own this token contract has the ability to issue and destroy tokens, basically play god in the Bancor network.

Taking a closer look at the Bancor token contract, it has two important functions called Destroy and Issue:

function destroy(address _from, uint256 _amount)

@dev removes tokens from an account and decreases the token supply can only be called by the contract owner

function issue(address _to, uint256 _amount)

@dev increases the token supply and sends the new tokens to an account can only be called by the contract owner

These two functions are what make Bancor centralized. It basically allows Bancor to destroy BNT tokens from a specific ethereum wallet, or issue new BNT tokens into an ethereum wallet. Destroying tokens is the equivalent of god reaching into someones wallet and poof the funds in that wallet do not exist anymore. Issuing tokens is the opposite, where god creates funds out of thin air and puts it into someones wallet.

Many criticize Bancor for making their token centralized, however the one plus side is that it allowed Bancor to recover the stolen BNT quickly from the hacker.

The biggest concern though with Bancor being this centralized is that it will always have a central point of failure. If ever a hacker gains control of the Bancor token contract, it is game over. That is worse than a 51% attack in Bitcoin, as it would make the hacker the god in the Bancor network, and everyone would lose trust in the Bancor network.

Taking a look at the Bancor token contract, you can see Bancor changed the owner of the token contract twice over the past few days, likely as a security concern. The current owner of their token contract is this multi-sig wallet:
https://etherscan.io/address/0x9d0357d184122b85dbc095d196b5ebbafc7f3010#readContract

As you can see it is a 2/4 multi-sig that controls the Bancor network. So all a hacker has to do is compromise two of those wallets, and it is game over.

I’ve been around this space since 2012 and it’s unfortunate that even after all these years, these hacks are common. This is why at Formosa Financial we take security around our custody offering more than seriously and partner with the industry leaders in digital custody to ensure the security of our customer funds at all time.

In the coming months we will share more details on our product offerings and how we will help Blockchain innovators manage their funds.

We’ll be sharing more posts like these on custodial solutions as we launch https://www.formosa.financial/ an institutional grade digital management tool for blockchain innovators. Please join our social communities for up to minute updates and news:
Telegram: 
https://t.me/formosafinancial
Twitter: 
https://twitter.com/formosaofficial
Facebook: 
https://www.facebook.com/formosa.financial/

*Note omitted out a few smaller transactions of stolen funds as they were less impactful to the audit.*