User complaints about Bancor Exchange’s frozen funds keep rising.
And to think that a few days ago Vitalik Buterin’s position had caused quite a ruckus: “I would like all centralized exchanges to burn in hell”.
The creator of Ethereum had also proposed decentralized exchanges (DEXs) as the best alternative. A few hours later, however, a decentralized exchange suffered a hacker attack.
Yesterday morning, in fact, Bancor announced on Twitter that the site would be under maintenance, then followed up with news of the hacker attack:
“This morning (CEST) Bancor has suffered a security breach. No user wallets have been compromised. To complete the investigation, we have moved on to maintenance and will be releasing a more detailed report shortly. We look forward to being back online as soon as possible.”
Within a few hours, the price of the BNT token fell 20%. The price had been fluctuating around the monthly highs of $3.24, but the news brought it down to $2.51.
Social media users have started posting the account addresses to which the funds stolen from Bancor have been deposited. It turns out that the hackers managed to steal more than 25,000 ETH and 2.5 million BNT.
Bancor then published an official statement in which it confirmed the attack.
The attacker gained access to the wallet used to upgrade some smart contracts.
“A wallet used to update some smart contracts has been compromised. This compromised wallet was then used to withdraw ETH from the BNT smart contract in the amount of 24,984 ETH (~$12.5 million). The same wallet also stole:
229,356,645 NPXS (~$1M) and 3,200,000 BNT (~$10 million)”
But what created controversy was not so much the hacker attack itself as the fact that Bancor announced the freezing of the stolen BNT tokens.
“Once the theft was identified, we were able to freeze the stolen BNTs, limiting the damage to Bancor’s ecosystem from the theft.”
The ability to freeze tokens has been incorporated into the Bancor protocol for use in extreme situations like yesterday’s.
This feature allows the company to “recover from a security breach, allowing Bancor to effectively stop the thief from escaping with the stolen tokens.”
It was not possible to freeze the ETH and NPXS tokens, but Bancor established communication with other cryptocurrency exchanges to track the funds and make it more difficult for the hackers to withdraw them. However, it has been repeatedly stated on various social media that user funds are safe and have not been compromised by the attack.
The accusation against DEX
Influential figures in the industry have accused Bancor of not being a decentralized exchange, given the central power it exercised in freezing the tokens.
The creator of Dogecoin wrote: “The key thing here is not the hack itself: it’s the fact that the Bancor team has had the opportunity to freeze the funds. How many other decentralized DApps have a centrally controlled built-in kill switch?”
The key thing here is not the hack itself – it's the fact the Bancor team had the ability to freeze funds. How many other "decentralized" DApps have a built-in kill switch that's centrally controlled? https://t.co/3XtULafGRD
— Jackson Palmer (@ummjackson) July 9, 2018
Palmer adds that even Kyber Network, another decentralized exchange, has incorporated a function that allows the network to be stopped:
Starting a thread here of "decentralized" DApps/exchanges etc. that have a centralized kill switch or control. Let's start with @KyberNetwork … looks like they can halt the network, per https://t.co/4qOH6Pw8Yf pic.twitter.com/hT70ZjS9Py
— Jackson Palmer (@ummjackson) July 9, 2018
Charlie Lee of Litecoin wrote: “A Bancor wallet has been hacked and that wallet has the ability to steal tokens from its smart contracts. An exchange is not decentralized if it can lose customers’ funds or if it can freeze customers’ funds. Bancor can do BOTH. It’s a false sense of decentralization.”
A Bancor wallet got hacked and that wallet has the ability to steal coins out of their own smart contracts.
An exchange is not decentralized if it can lose customer funds OR if it can freeze customer funds. Bancor can do BOTH. It's a false sense of decentralization. https://t.co/22UYygIhEF
— Charlie Lee [LTC⚡] (@SatoshiLite) July 10, 2018
Bancor’s defense
Bancor defends itself by saying that the ability to freeze tokens to recover from a security breach has always been public and is only enabled in extreme cases such as a hacker attack. It adds that precautions were already taken last year, when Yudi Levi, Bancor’s CTO, decided to draw lessons from the DAO attack and implement additional security measures to prevent this type of attack.
Omri Cohen from the Bancor team said on Telegram yesterday: “BNT is still being managed by the Bancor Foundation. Releasing a new token standard on a blockchain that does not support upgradeable smart contracts is incredibly dangerous without some level of control. We have learned the dangers of what happened in the DAO hack. Full decentralization is the purpose, not the beginning.”
Nate Hindman, head of communications, told Cointelegraph that hackers are becoming “more mature and sophisticated along with industry and projects”, but that collaboration between cryptocurrency exchanges could eradicate cybercriminals: “Together we stand in our efforts to create better tools that prevent thieves from committing crimes and utilizing stolen funds, and better processes for analyzing situations and informing users and relevant parties when they occur.”
Bancor’s ability to freeze tokens to recover from a security breach has always been public.
It is nothing new or secret.
The ecosystem is still in its beta phase and, until it is fully tested and stable, it is good practice to keep smart contracts upgradable in case of critical bugs and equipped with a security switch in case of attacks. The Bancor smart contract automatically upgrades in two years (3 from launch) to its immutable state.
Other tokens that include the freeze function are EOS, Tron, OmiseGo, Augur, Icon, Aelf, Qash, Enigma and Maker.
Cryptocurrency projects are increasingly implementing these freeze techniques so that they can limit the damage caused by hackers, and opinions on the legitimacy of these backdoors are divided.
Considering, however, the growing number of teams that choose this option, this type of user protection could become a fairly common practice in the blockchain world.
“Since there is no effective decentralized governance, STILL, the smartest way to launch anything decentralized is to be on the road to decentralization, with an appreciation for today’s shortcomings.”
Since there is no effective decentralized governance, YET, the smartest way to launch a decentralized anything, is to be on the path to decentralization, with an appreciation for today’s shortcomings. https://t.co/rgLgcLutRU
— Lou Kerner (@loukerner) July 10, 2018