A critical bug in three recently deployed versions of the Bancor Network smart contract has led to a loss of user funds.
Due to the bug, every Bancor Network user who performed a direct swap of ERC20 assets shortly after the deployment of these smart contracts granted an unlimited (infinite) token approval to one of them. The same smart contracts exposed a public method that allowed anyone to spend those approvals and drain user funds.
It remains unsafe for affected users to hold tokens in their wallets until they revoke those infinite approvals. Users can check https://approved.zone to see all ERC20 approvals granted to the vulnerable Bancor smart contracts.
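The bug class described above, as an added illustration that is not Bancor's code: the page does not name the vulnerable method, so the router contracts and their pullTokens helper below are hypothetical. The first contract shows an allowance-spending helper left public; the second shows the same router with the helper made internal, so an approval can only be spent on behalf of the caller through the intended entry point.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Hypothetical router (not Bancor's code) reproducing the bug class the post describes.
contract VulnerableRouter {
    // BUG: public and unrestricted. Any caller can move tokens from ANY account that
    // granted this contract an allowance, to any destination of the caller's choosing.
    // Combined with users' infinite approvals, this lets anyone drain those wallets.
    function pullTokens(IERC20 token, address from, address to, uint256 amount) public {
        require(token.transferFrom(from, to, amount), "transfer failed");
    }

    function swap(IERC20 tokenIn, uint256 amount) external {
        pullTokens(tokenIn, msg.sender, address(this), amount);
        // ... conversion logic omitted ...
    }
}

// Hardened form: the helper is internal, so an allowance granted to this contract can
// only be spent on behalf of msg.sender, via the contract's intended entry points.
contract HardenedRouter {
    function _pullTokens(IERC20 token, address from, address to, uint256 amount) internal {
        require(token.transferFrom(from, to, amount), "transfer failed");
    }

    function swap(IERC20 tokenIn, uint256 amount) external {
        // The only account whose allowance can be spent is the caller's own.
        _pullTokens(tokenIn, msg.sender, address(this), amount);
        // ... conversion logic omitted ...
    }
}

// User-side hygiene (a wallet would send these calls directly to the token contract):
//   token.approve(router, amount);   // approve only what the swap needs, not type(uint256).max
//   token.approve(router, 0);        // revoke a standing approval once it is no longer needed
```

A user who has already granted an infinite approval limits their exposure by sending approve(spender, 0) to the token contract, which is what the revocation step above amounts to.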
Apparently, the Bancor Team or some white-hat hackers discovered this issue before anyone could begin draining user wallets, and attempted to rescue user funds by withdrawing them from user wallets themselves.
Subsequently, two automated front-runners joined in, "helping" the Bancor Team withdraw funds from user wallets. We found contact information for both front-runners, and we believe they may agree to return the stolen funds, since their automated software cannot distinguish an arbitrage opportunity from a hack.
We used Dune Analytics to analyze all the smart contract calls: https://explore.duneanalytics.com/public/dashboards/mEUEd9rQCPjeMkryEIgbtC0YUZwOXESQPTkkqdPX
As a result, we discovered the following vulnerable smart contracts:
And these are Bancor Team wallets used for the withdrawal of user funds:
Finally, these front-runner wallets were used to withdraw funds:
How it worked
On June 18, at 03:06 am UTC, the Bancor team began exploiting the vulnerability by sending batched transactions through temporary smart contracts (0xdba03739b4a29594fd3c89881caffa1862ce4bd630ed5f849b9f22707332e59e). They conducted 62 transactions, withdrawing a total of $409,656.
An automated front-runner registered with the email address firstname.lastname@example.org joined in almost immediately and successfully front-ran the Bancor team's transactions (0x29142513a7926a326ee726f167cb611a8c2f579255dd9d0d8fc598a369836347). It conducted a total of 16 withdrawal transactions, for a total of $131,889.34.
At 03:09am UTC, another front-runner, associated with the email address email@example.com, joined the party and conducted four successful transactions, grabbing a total of $3,340:
- 0x03dbfdc1c043afbc24537bb12a9ead5779b242da26e9acdf00e7cc967e3b9d81 — $820
- 0xc07cfb0ad175bdb0c23b53e4fe8c8a61924d45760d0214c976dd84c656d7774b — $390
- 0xf17e0025cfa680a1bd3e5c41ef44bf8d716724e0b626ba658b111451bf0e0815 — $630
- 0xe1c94a9af2d5685a1bee89b40d3e7f8e047b9d6a6ef8fc1075e956afd793ef45 — $1500
The Bancor Team, alongside both front-runners, continued to withdraw user funds almost every minute until 06:56 am UTC.
At 05:54 am UTC, another Bancor Team wallet joined the operation: 0x14fa61fd261ab950b9ce07685180a9555ab5d665.
Multiple security audits by established audit firms are vital for keeping users' digital assets safe. To avoid situations like this one, we also suggest hiring white-hat hackers for red-team penetration tests.
Meanwhile, the Bancor team spent 3.94 ETH to rescue $410,194 of user funds, and the automatic front-runners spent 1.92 ETH to grab $135,229 of user funds. User wallets were drained for $545,423 in total.
We hope that the front-runners will return the withdrawn user funds to the Bancor Team, who would in turn reimburse the affected users. The security of digital assets should always be a major concern for all legitimate players in the crypto space!