The newest release of the Bancor decentralized exchange appears to be vulnerable to a very serious bug that can result in a significant loss of user funds.
According to the tweet posted by Bancor on June 18, the vulnerability affects the latest version of the BancorNetwork smart contract, which was launched on June 16.
Users who traded on Bancor and gave a withdrawal approval to its smart contract are urged to revoke it through a specialized website, approved.zone.
The team revealed that after discovering the vulnerability, they “attacked the contract as a white-hack” to migrate funds at risk to a secure location. Presumably, the team used the aforementioned vulnerability to do so, meaning that an attacker could have drained a significant portion of user funds.
Hex Capital tweeted that the issue resulted from the possibility of calling the “safeTransferFrom” function without the proper authorization. This function builds on transferFrom, one of the key elements of the ERC-20 standard, which allows a smart contract to withdraw tokens up to the allowance a user granted it without requiring further user interaction.
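To make the reported bug class concrete, here is an added, illustrative Solidity sketch (not Bancor’s code, and not a claim about how its contract was written): the visibility of a token-handling helper decides who may spend the allowances users granted to the contract. The contract and function names are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

// Minimal ERC-20 surface used by this example.
interface IERC20 {
    function transferFrom(address from, address to, uint256 value) external returns (bool);
    function approve(address spender, uint256 value) external returns (bool);
}

// Illustrative only (not Bancor's code): the helper is reachable by anyone.
contract VulnerableTokenHandler {
    // BUG PATTERN: declared public, so any caller can move tokens from any
    // account that has approved this contract, to any recipient of their choosing.
    // The only "authorization" is the user's standing allowance to the contract.
    function safeTransferFrom(IERC20 token, address from, address to, uint256 value) public {
        require(token.transferFrom(from, to, value), "ERC20 transferFrom failed");
    }
}

// Hardened form: the helper is internal, and the contract's own entry point
// never uses a `from` other than msg.sender, so an allowance can only be spent
// by the account that granted it, through the contract's intended logic.
contract HardenedTokenHandler {
    function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {
        require(token.transferFrom(from, to, value), "ERC20 transferFrom failed");
    }

    // Example entry point: pulls the caller's own tokens into this contract.
    function deposit(IERC20 token, uint256 value) external {
        safeTransferFrom(token, msg.sender, address(this), value);
    }
}
```

On the user side, the mitigation the article describes (revoking the approval) is a call of `token.approve(handlerAddress, 0)` from the user’s own wallet, which is what a revocation site does on the user’s behalf.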
Hex Capital speculated that the team was “too late in many cases” to save funds. However, according to an investigation by the 1inch.exchange team, the blame lies with front-runners.

Front-runners “steal” some of the money
The 1inch.exchange team found at least two publicly known front-runners that began copying the Bancor team’s transactions as soon as they started. The front-running bots were set up to take advantage of arbitrage opportunities and were “not able to distinguish arbitrage opportunity from hacking,” the team wrote.
However, all of the front-runners who joined have publicly listed contact information, which should mean that they would be willing to return the money. One of the front-runners already pledged to return the money. The portion that went to the front-runners is significant though, with the 1inch team writing: “The Bancor team rescued $40...