$13.5 Million Hack Ignites Fresh Debate Over Crypto Project Bancor

The security breach of a well-funded blockchain project renewed critiques against its technology this week.

Jul 15, 2018 at 10:40 a.m. UTC
Updated Aug 18, 2021 at 9:26 p.m. UTC


Innovation is never easy. That said, sometimes it can be that much harder.

Such was the case for crypto project Bancor this week, which saw its design decisions and strategy picked apart on social media as it sought to contain the damage from a multimillion-dollar hack.

    , the project announced its app was down for maintenance, and shortly after, it revealed a security breach had taken place. At the time, the project assured no user wallets were compromised. (The startup has since brought its platform back online.)


    Then on Tuesday morning, Bancor published details of the breach: a wallet used to upgrade smart contracts was compromised and used to steal 3.2 million of the platform's own BNT tokens (worth $10 million), 25,000 ETH (about $12.5 million) and 230 million NPXS tokens ($1 million). Perhaps most notably, Bancor said it had frozen BNT tokens to prevent their loss.

    Some background: it was Bancor that raised a then-record-breaking $153 million in a token sale, which saw participation from investors like Tim Draper and the investment firm Blockchain Capital. The startup pitched itself as a kind of "decentralized" market maker for smaller cryptocurrencies and crypto-assets, as well as a means to create wholly new tokens.

    As an early mover in using the initial coin offering (ICO) funding model, Bancor has long been a magnet for critiques.

    Critics have alleged everything from the platform being unnecessary to it not needing a blockchain. Sparking discussion of these topics this time around is a crucial detail above: that Bancor was able to quickly stem losses in the cryptocurrency it created and issued.

    Included in the Bancor code is a mechanism that allows the company the ability to freeze movements of the BNT token – something that critics quickly pounced on as the antithesis of the "decentralization" mantra, by which a network wouldn't have one governing force.

    Bancor has frequently been referred to as a "decentralized exchange," a moniker that added fuel to those arguments.


    Backdoor blues

    Some were more detailed in their critiques, though, including developer Udi Wertheimer, who reminded the community that the centralization issue was well known long ago – and criticized.

    On June 20 of last year, Wertheimer wrote in a Medium post that both Bancor's token and ICO contracts allow Bancor to arbitrarily issue, freeze and even destroy any BNT tokens whenever they want.

    "I trust that Bancor's team won't try to misuse this backdoor. However, having so much power concentrated centrally, creates a potential single point of failure. The keys held by the team could be stolen for example. Or, law enforcement could force the project to freeze or destroy tokens if they realize this is possible (and if for some reason they would suspect any wrongdoing)," Wertheimer wrote at the time.

    Back then, Bancor's team responded to the critique, saying that the danger of the team losing its key is "quite far-fetched," as they are keeping the keys securely, using multi-sig contracts and offline wallets.

    As might be expected, that pledge was brought up in the wake of the hack.


    Wertheimer further argued that such "backdoor" mechanisms that undermine the decentralization principles in Bancor could also have caused the current breach, as the compromised wallet existed for the purpose of upgrading smart contracts – another feature allowing Bancor to manage the network in a more centralized manner.


    Voices of support

    Critiques aside, not everyone on social media took aim at Bancor.

    Indeed, some took to social media to back Bancor's efforts to build their platform in the face of such issues.


    One observer suggested that those criticizing Bancor might feel differently if it was their funds at risk following a hack.


    Bancor response

    Still, the company persevered through the tough week.

    Following the attack, it has issued a number of statements seeking to clarify its actions, including its ability to exert control of the BNT tokens.

    Stressing once again that user funds weren't compromised, Bancor said that the funds were stolen out of a BNT connector balance that served as a reserve, and smart contracts accessed by that wallet.

    Bancor also defended its decision and ability to freeze BNT tokens as "necessary to protect the network and token holder in a state of emergency."


    Later, in a July 12 blog post entitled "The Road Ahead," co-founder Guy Benartzi didn't address the decentralization critiques but outlined how Bancor would make available its internal tools to assist in tracking the stolen funds.

    "This incident, while troubling, will not divert us from our goals. If anything, we will now redouble our efforts and accelerate our roadmap so that criminals will not prevent Bancor and the industry from achieving our most important of missions — to enable freedom of currency," he wrote.
