Bancor

Date:: July 9th, 2018

Amount Stolen:: $23,500,000 (24,984 ETH + 229,356,645 NPXS + 3,200,000 BNT)

Tags:: BNT, ETH, NPXS, Switzerland, Private Key Compromise, Admin Key Compromise

Time:: 00:00 UTC

Laundered Via:: Changelly


Details

Wallet used to upgrade smart contracts used to steal $23M

At the beginning of July 2018, hackers attempted to steal $23.5 million in cryptocurrency from the ‘decentralized’ crypto exchange Bancor and got away with $13M. The attempt included $12.5 million in Ethereum along with BNT and NPXS tokens totaling $11 million. Bancor was able to block the transfer of $10M of BNT, Bancor’s native digital currency. This security breach forced the firm to shut down operations. Bancor had been one of the more high-profile Initial Coin Offerings (ICOs) of 2017, raking in $153 million during its token sale event. According to Bancor, a wallet used to update some smart contracts was breached and used to withdraw the cryptocurrency.

Bancor immediately created a coalition with Changelly, through which the hackers tried to withdraw funds. Transactions were frozen there as well.

At 00:00 UTC, Bancor experienced a security breach. A wallet used to upgrade some smart contracts was compromised. This compromised wallet was then used to withdraw ETH from the BNT smart contract in the amount of 24,984 ETH ($12.5M). The same wallet also stole 229,356,645 NPXS ($1M) and 3,200,000 BNT (~$10M). Once the theft was identified, Bancor was able to freeze the stolen BNT, limiting the damage to the Bancor ecosystem from the theft. It is not possible to freeze the ETH or any other stolen tokens. Primary analysis shows this wallet address and the transaction hash that led to the breach. 22,000 ETH were transferred for a transaction cost of just $0.88 at 61 GWEI. Read the official statement here.

$10m worth of BNT was later recovered.

A Bancor wallet got hacked and that wallet has the ability to steal coins out of their own smart contracts. An exchange is not decentralized if it can lose customer funds OR if it can freeze customer funds. Bancor can do BOTH. It’s a false sense of decentralization.

On-Chain

  • Heist executed via private key to the BancorConverter contract: 0x009bb5e9fcf28e5e601b7d0e9e821da6365d0a9c
  • Bancor Hacker - 0x33ed22f4b6b05f8a5faac4701550d52286bd735a
  • Bancor Sitting - 0x8ddfdf60aaffe05c623ba193a186abd1f8024946
  • 0xbceaa0040764009fdcff407e82ad1f06465fd2c4 - Bancor Laundry
  • 0xd294ac18b524ff59ab7fffcbd459f11128220550 - Huobi Depo - also used for Cryptopia stolen funds (0xd96ba527be241c2c31fd66cbb0a9430702906a2a)
  • 0xfe61ad22a847c4df702731c7d5e803d283ea1376 - Huobi Depo - also used for Cryptopia stolen funds (0xd96ba527be241c2c31fd66cbb0a9430702906a2a) and Klickl / IDCM (0xec4ac9f8125ddda87c75e82f96f4cda1859eb2d7) stolen funds
  • 0xf27b6923ed24eed02de7686962339db00a52d2aa - Converges with Cypherium / Taylor ICO
  • 0x43a964e635f31b0cc329db6f980f09096054e4e3a627c85654852fd026b92ba0
  • 0x2c281aa4ee30d4d0a5dcd77bb80bc66f13d027bb828f5e4b3be7ff8bd47999a2
  • 0x8dfeb86c7c962577ded19ab2050ac78654fea9f7 - Bancor Vulnerable Contract
  • 0x5f58058c0ec971492166763c8c22632b583f667f - Bancor Vulnerable Contract
  • 0x923cab01e6a4639664aa64b76396eec0ea7d3a5f - Bancor Vulnerable Contract
  • 0xf27b6923ed24eed02de7686962339db00a52d2aa - Bancor - Huobi Laundry
  • 0x39d9f4640b98189540A9C0edCFa95C5e657706aA - Bancor - Laundry - it's some service
  • 0xD294aC18B524ff59aB7ffFcbD459f11128220550 - Bancor - Laundry
  • 0xbceaa0040764009fdcff407e82ad1f06465fd2c4 - Bancor

URLs