2020-6-18 19:33
San Francisco-based Hex Capital reported that “User funds being drained due to unauthenticated safeTransferFrom() function on their new BancorNetwork contract.” Bancor then tried to “white-hat” drain user funds but were too late.
However, according to Bancor’s official response to the security incident, all funds are safe: the white-hat transfer succeeded and $455,349 of at-risk funds was migrated to a safe wallet.
The team discovered the vulnerability in the new version of BancorNetwork v0.6 contract, which was deployed the day before the attack.
The contract mistakenly made the safeTransferFrom function in the Bancor Network contract public. That function uses token allowances to interact with user wallets, a common practice among most Dapps.
In this particular case, a function that should have been callable only by the contract itself was made public, allowing anyone to transfer tokens that users had approved for the contract alone to transfer, the team explained.
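The visibility mistake described above, shown as an added illustration beside a hardened version; this is hypothetical example code, not Bancor’s contract, and the `IERC20`, `VulnerableRouter`, `HardenedRouter` and `swap` names are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface needed for the example (assumed, not Bancor's interface).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Illustrative only. The helper was meant to be an internal utility, but it is
// declared `public`, so any caller may supply an arbitrary `from` address and
// spend whatever allowance that address granted to this contract.
contract VulnerableRouter {
    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) public {
        require(token.transferFrom(from, to, amount), "transferFrom failed");
    }

    // Legitimate entry point: pulls the caller's own tokens before converting them.
    function swap(IERC20 token, uint256 amount) external {
        safeTransferFrom(token, msg.sender, address(this), amount);
        // ... conversion logic would follow here
    }
}

// Hardened version of the same design.
contract HardenedRouter {
    // `internal`: reachable only from this contract (and contracts that inherit it),
    // never from an external transaction.
    function _safeTransferFrom(IERC20 token, address from, address to, uint256 amount) internal {
        require(token.transferFrom(from, to, amount), "transferFrom failed");
    }

    // Every externally reachable path that spends an allowance uses msg.sender as
    // `from`, so a user's approval can only be consumed by an action that user
    // initiated. Review each public/external function for this invariant before deploy.
    function swap(IERC20 token, uint256 amount) external {
        _safeTransferFrom(token, msg.sender, address(this), amount);
        // ... conversion logic would follow here
    }
}
```

A compiler warning will not catch this class of bug; an audit check that lists every `public`/`external` function taking a `from` parameter, or a unit test asserting that a third party cannot move an approved balance, is the practical safeguard.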
After the successful white-hat attack, Bancor pushed a new network contract and removed the infinite approval.
However, two arbitrage bots detected the incoming transactions and made a profit of $135,229 by front-running them. Bancor is currently in contact with the bots’ owners to “return the amounts to the rightful owners in exchange for a bug bounty.”
Bancor also awarded a bug bounty to DEX Aggregator 1inch team for helping with the situation.
Trading is now back to normal on the system. The incident, however, pushed the Bancor (BNT) token price down by 6.64% to $0.778 while other DeFi tokens are enjoying substantial greens. BNT is still up 227% YTD.
Security research manager Tal Be’ery, co-founder of ZenGo, said he warned about the risks of the approval exploit three months ago.
#BaDAPProve: 3 months ago we @ZenGo warned about it. Today it happened @Bancor. https://t.co/j52C0DFg9y
"if the DApp is vulnerable to a security issue attackers can abuse these highly excessive privileges to steal ALL of the DApp’s users holdings" https://t.co/nvyLbbZkS5 pic.twitter.com/5FFnRzsqI6
— Tal Be'ery (@TalBeerySec) June 18, 2020
This is not the first time a DeFi project has been at security risk. In 2020, there have been several cases where millions have been lost, prompting calls for projects in the DeFi space to improve their security standards.
Meanwhile, Melody He, co-founder of The Spartan Group, a crypto hedge fund that is an active investor in DeFi, maintains:
“DeFi will become a source of new revenue and inspiration. Whoever understands the power of DeFi will have a higher chance of keeping their competitive edge.”