Decentralized on-chain liquidity protocol Bancor, one of the oldest and most successful DeFi products, published an official report on a codebase bug.
Private function was made public
According to a statement from the Bancor team, the vulnerability appeared in the BancorNetwork v0.6 contracts that were deployed two days ago, on June 16, 2020.
One function of the contract, ‘safeTransferFrom’, which should have been restricted to the contract alone, was made public. As a result, anyone could transfer tokens that users had approved only for certain contracts to transfer.
The team revealed that a white-hat hack was organized to explore the possible impact of this bug. Unfortunately, two arbitrage bots that also detected the vulnerability managed to front-run legitimate transactions, with profits of $135,229.
The Bancor team has already contacted the operators of these bots and is negotiating refunds in exchange for a bug bounty.
Users should revoke the transaction approvals
As per the emergency statement, all Bancor users who transacted within the past 48 hours should revoke their approvals on three Bancor contracts affected by the disclosed problem. They can do so through the Bancor network itself or with the MetaMask wallet.
Also, the emergency operations can be carried out manually via specially designed websites. The Bancor team released detailed instructions on how to mitigate the effects of the breach.
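The visibility flaw described above, and why revoking approvals contains it, can be shown in a short Solidity sketch. This is an added example, not code from the BancorNetwork v0.6 contracts: the contract names and the deposit() entry point are hypothetical, and only the function name safeTransferFrom comes from the statement.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch only: contract names and deposit() are hypothetical
// and are not taken from the BancorNetwork v0.6 source.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Flawed pattern: a helper meant for the contract's own use is externally callable.
contract ExposedHelper {
    // The token checks only allowance[from][address(this)]. It cannot see who
    // called this contract, so any caller can name any approver as `from`
    // and any address as `to`.
    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) public {
        require(token.transferFrom(from, to, amount), "transferFrom failed");
    }
}

// Corrected pattern: the helper is internal and `from` is fixed by the entry point.
contract RestrictedHelper {
    // Hypothetical entry point: a caller can only ever move their own tokens.
    function deposit(IERC20 token, uint256 amount) external {
        safeTransferFrom(token, msg.sender, address(this), amount);
    }

    // `internal` keeps the function out of the contract's external interface,
    // so it is reachable only through code paths the contract itself defines.
    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) internal {
        require(token.transferFrom(from, to, amount), "transferFrom failed");
    }
}
```

Revoking an approval means calling the token's approve for the affected spender with an amount of zero. After that, the token's own allowance check rejects transferFrom for that account regardless of which functions the spender contract exposes.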
The project emphasizes that trading is now back to normal and that this incident won’t in any way affect the upcoming release of the Bancor V2 upgrade.
At press time, the native asset of the protocol, Bancor Network Token (BNT), is changing hands at $0.77 on major spot platforms, 8.34% down in 24 hours.