Bancor’s price is currently down some 16% after the platform was hacked at around 1AM London time on July 10th.
Around 25,000 eth was stolen. The thief also stole 3.2 million Bancor (BNT) tokens and another 230 million Pundi X (NPXS) tokens, with the latter being a little-known crypto payments project.
“A wallet used to upgrade some smart contracts was compromised,” Bancor said, giving little further detail on what exactly happened, with the project stating they are still investigating the breach.
There is speculation someone managed to access their private key. Bancor has not replied to our requests for comment, but if it was a theft of their private keys then there must have been some serious oversight on the part of Bancor.
The crypto broker platform is currently down for maintenance. Moreover, Bancor has utilized a fail-safe mechanism to freeze all Bancor Network Tokens (BNT). A Bancor support representative from Amazix says:
“Bancor is decentralised and does not hold your funds. You can always access your wallet, it’s just that the conversions are not available. BNT were frozen through smart-contract.”
The ethereum address of the thief has been identified. From what we can briefly see, it looks like the thief is moving the coins around, probably to escape tracking.
Bancor says they are working with exchanges to make it difficult for the thief to liquidate the funds, but do not name the exchanges.
Hopefully it includes Binance, as that has been a favorite destination for thieves recently, but with other decentralized exchanges running and with Shapeshift-like conversions, tracking might not be too easy.
Bancor’s ability to freeze the tokens and to take down the platform has been criticized as being centralized, but updatable smart contracts are now more and more blurring that line between centralization and decentralization.
Plus it is understandable that in the early stages they would want a fail-safe mechanism for these sorts of cases, but what remains very puzzling is how exactly they were hacked.
They should eventually come out with a full report, you’d think, but if it was indeed through access to their private key, then perhaps decentralized exchanges need to learn some of the lessons that centralized exchanges learned back when.
It is of course difficult to secure cryptos, but not impossible. Coinbase, for example, has never been hacked because they’ve taken security very seriously.
Nor is it rocket science. You chop the private keys into many different components and you store them in many different places so as to effectively make it pretty much impossible for any individual, whether rogue employee or external hacker, to have the full private key.
That’s conceptually not much different from storing your data in many nodes. Rather than having one key (centralized), you decentralize it through Shamir’s secret sharing.
You can’t easily do that if a hot wallet is required for the service, but arguably decentralization can be applied there too by having many hot wallets rather than just one.
Something which appears to be a lesson that needs to be learned again and again, whenever new exchanges pop up in some Asian country or now in decentralized exchanges.
That said, we have not been able to confirm this was through access to the private key, but a compromise of the “wallet” can’t mean much else. So we look forward to some in-depth details on this hack so that the entire industry can learn.