A critical bug in three recently deployed versions of the Bancor Network smart contract has led to a loss of user funds.
Because of the bug, every Bancor Network user who performed a direct swap of ERC20 assets shortly after the smart contracts were deployed granted an infinite approval of those tokens to one of the contracts, and the contracts exposed a public method that let anyone use those approvals to steal user funds.
It is still unsafe for affected users to hold tokens in their wallets until they revoke these infinite approvals. Users should use https://apporved.zone to see all ERC20 approvals granted to the vulnerable Bancor smart contracts.
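As an added example (not code from the original post), the script below replays ERC20 Approval logs in chain order and lists wallets whose latest allowance to a vulnerable spender contract is still unlimited, i.e. the approvals a user must revoke with approve(spender, 0). The spender, token and wallet addresses are constructed placeholders, since the post's address list is not reproduced here.

```python
"""Replay ERC20 Approval(owner, spender, value) logs and flag wallets whose
latest allowance to a vulnerable spender contract is still unlimited."""
from typing import Iterable

UINT256_MAX = 2**256 - 1
# keccak256("Approval(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# Constructed placeholder, NOT a real Bancor contract address (the page does not list them).
VULNERABLE_SPENDERS = {"0x" + "00" * 18 + "bad1"}

def _topic_to_address(topic: str) -> str:
    # A 32-byte indexed topic holds the address in its low 20 bytes.
    return "0x" + topic[-40:].lower()

def replay_allowances(logs: Iterable[dict]) -> dict:
    """Return {(token, owner, spender): latest allowance}, applying logs in chain order."""
    allowances = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if log["topics"][0].lower() != APPROVAL_TOPIC:
            continue
        owner = _topic_to_address(log["topics"][1])
        spender = _topic_to_address(log["topics"][2])
        allowances[(log["address"].lower(), owner, spender)] = int(log["data"], 16)
    return allowances

def find_unlimited_approvals(logs, vulnerable=VULNERABLE_SPENDERS, threshold=UINT256_MAX):
    """(token, owner, spender) keys still exposing an unlimited allowance to a vulnerable spender.
    Lower `threshold` if the wallets in scope approve other very large values instead of uint256 max."""
    return sorted(k for k, v in replay_allowances(logs).items()
                  if k[2] in vulnerable and v >= threshold)

def _log(block, idx, token, owner, spender, value):
    # Build a constructed log entry in the shape of eth_getLogs output.
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"blockNumber": block, "logIndex": idx, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)], "data": hex(value)}

TOKEN, BAD, SAFE = "0x" + "11" * 20, "0x" + "00" * 18 + "bad1", "0x" + "22" * 20
ALICE, BOB, CAROL = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
SAMPLE_LOGS = [  # constructed: Alice still exposed, Bob revoked, Carol approved a safe spender
    _log(100, 0, TOKEN, ALICE, BAD, UINT256_MAX),
    _log(101, 3, TOKEN, BOB, BAD, UINT256_MAX),
    _log(102, 1, TOKEN, BOB, BAD, 0),  # approve(spender, 0) revokes the allowance
    _log(103, 0, TOKEN, CAROL, SAFE, UINT256_MAX),
]

if __name__ == "__main__":
    for token, owner, spender in find_unlimited_approvals(SAMPLE_LOGS):
        print(f"{owner} must call {token}.approve({spender}, 0)")
```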
Apparently, the Bancor team or some white-hat hackers discovered the issue before anyone could begin draining user wallets, and attempted to rescue user funds by withdrawing them from user wallets themselves.
Subsequently, two automatic front-runners joined in, helping the Bancor team withdraw funds from user wallets. We discovered contact information for all the front-runners, and we believe they may agree to return the stolen funds, since their automated software cannot distinguish an arbitrage opportunity from a hack.
We used Dune Analytics to analyze all the smart contract calls: https://explore.duneanalytics.com/dashboard/bancor-hack
As a result, we discovered the following vulnerable smart contracts:
And these are Bancor Team wallets used for the withdrawal of user funds:
Finally, these front-runner wallets were used to withdraw funds:

How it worked
On June 18, at 03:06 am UTC, the Bancor team began exploiting the breach by submitting batched transactions through temporary smart contracts (0xdba03739b4a29594fd3c89881caffa1862ce4bd630ed5f849b9f22707332e59e). They conducted 62 transactions, withdrawing a total of $409,656.
An automatic front-runner registered with the email address [email protected]