Yesterday, Israel-based cryptocurrency exchange Bancor revealed that their platform had been broken into by hackers, resulting in the loss of 24,984 ETH — about $12.5 million — from one of the company’s reserves. The thieves also stole roughly $1 million in NPXS tokens from the exchange. Bancor claims that no user wallets were accessed during the heist, and that all lost funds were taken from the company’s internal wallets.
The hackers also briefly gained access to 3.2 million Bancor tokens (BNT) — worth around $10 million — but the exchange was able to freeze those funds using a security feature within the Bancor Protocol. While it is not possible to freeze ETH or NPXS tokens, Bancor claims to be “working together with dozens of cryptocurrency exchanges” to trace the stolen tokens, making it more difficult for the thieves to sell them on the open market. The exchange is currently offline while Bancor — and presumably the Israeli authorities — investigate the hack.
Few specifics about the theft have been made public, but Bancor has confirmed that the attack began when a wallet used to upgrade their system’s smart contracts was compromised. The exchange’s platform avoids traditional counterparties completely, and relies instead on a complex smart-contract settlement system. In theory, this allows Bancor to settle trades more quickly and efficiently, but this unique mechanism may also be to blame for Monday’s hack. Once the thieves had access to this smart-contract-controlling wallet, they were able to manipulate Bancor’s own smart contracts to send themselves other tokens.
Bancor’s security practices have long been the subject of intense criticism, including a scathing June 2017 post on Medium from cryptocurrency developer Udi Wertheimer. While the bulk of Wertheimer’s post focuses on the many “backdoors” contained within the Bancor protocol — the exchange can freeze, create, and even destroy anyone’s BNT tokens at will — he also noted the specific threats the protocol could present to exchanges “if the [Bancor] team’s keys are compromised” due to how their smart contracts are structured. It’s possible that an enterprising hacker read Wertheimer’s analysis, and decided to test Bancor’s system directly.
The irony of the situation was summed up by Litecoin creator (and noted Bancor critic) Charlie Lee, who noted shortly after the hack was announced: “A Bancor wallet got hacked and that wallet has the ability to steal coins out of their own smart contracts.”
Although no customer funds appear to have been stolen in the theft, the Bancor hack should still serve as a reminder that using an exchange as a wallet provider is a completely unnecessary risk for anyone involved with cryptocurrency. The vast majority of security experts agree that the best solution for token storage is to keep your ETH, BTC, and other cryptocurrencies in an offline, tethered hardware wallet. This reliable, affordable tool prevents even the most sophisticated hackers from accessing your token balances.