A vulnerability has been discovered in Bancor, an on-chain liquidity protocol for both Ethereum and EOS. The flaw is in the new smart contract v0.6 that was released a few days ago.
Last night at 12:00AM GMT, a vulnerability was discovered in a new version of the BancorNetwork v0.6 smart contract deployed on June 16 2020.
All user funds are safe.
We have deployed a new version of the BancorNetwork contract that fixes the vulnerability.
— Bancor (@Bancor) June 18, 2020
The Bancor protocol manages and integrates liquidity on the Ethereum and EOS blockchains so that each token can have its own liquidity and create its own liquidity pool.
This pool system, however, has a drawback: an imbalance between one token and the other can result in a loss, which is inconvenient for users because rebalancing the pool would cost them too much.
To address this problem, known as impermanent loss, Bancor has worked with Chainlink to develop a new system that uses Chainlink price oracles to adjust prices, thereby limiting exposure to only one token.
Obviously, such a system has to be tested, and in fact Bancor has been testing Bancor v2 for over 2 months; it should arrive next month.
But, before releasing this update, Bancor had released Bancor Network v0.6, a few days ago to prepare the groundwork for the new system.
After several tests, the new smart contract was activated a couple of days ago, on June 16th, but in the last hours the team has detected a vulnerability (rumoured to be an unauthenticated safeTransferFrom) within the system that would have allowed all the funds to be stolen.
However, the funds are safe and no one has lost anything, at least according to what was stated on Bancor's various social channels, which also provided a procedure to check whether a wallet was affected by the vulnerability.
All those who have interacted with these smart contracts can use this website to check.
What to do in case of vulnerability
If one of these smart contracts is found to have interacted with your wallet, press the purple “Decline for Contract” button and confirm the transaction.
Subsequently, you must go to Bancor’s support page and open a report providing your address so that the funds can be transferred to the rightful owner.
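The pattern behind the rumoured flaw (a publicly callable transferFrom wrapper) and why revoking an approval neutralises it, as an added Python simulation. This is not Bancor's contract code: the Token ledger, the VulnerableNetwork and FixedNetwork classes, the "network" address and the wallet names are constructed for the illustration, and the fix shown (restricting the wrapper to the contract's own call path) is a generic hardening, not the team's actual patch.

```python
# Added example, not Bancor's code: an ERC-20 style ledger, a hypothetical
# contract whose transferFrom wrapper lacks a caller check, the guarded
# version, and the two mitigations the article lists (find wallets that still
# hold an allowance for the contract, and revoke it). All names constructed.
from dataclasses import dataclass, field


class Unauthorized(Exception):
    pass


class InsufficientAllowance(Exception):
    pass


@dataclass
class Token:
    """Minimal ERC-20 style ledger: balances plus (owner, spender) allowances."""
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)

    def approve(self, owner, spender, amount):
        # approve(spender, 0) is the standard way to revoke an allowance
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, caller, src, dst, amount):
        # ERC-20 semantics: the caller spends the allowance that src granted to it
        if self.allowance(src, caller) < amount:
            raise InsufficientAllowance(f"{caller} lacks allowance from {src}")
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.allowances[(src, caller)] -= amount
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class VulnerableNetwork:
    """Hypothetical contract whose transferFrom wrapper is public and unchecked.
    The token sees the contract as the spender, so any external caller can
    spend every allowance that users granted to the contract."""
    address = "network"

    def safe_transfer_from(self, caller, token, src, dst, amount):
        token.transfer_from(self.address, src, dst, amount)


class FixedNetwork(VulnerableNetwork):
    """Same wrapper, restricted to the contract's own internal call path."""

    def safe_transfer_from(self, caller, token, src, dst, amount):
        if caller != self.address:
            raise Unauthorized("safe_transfer_from is internal-only")
        token.transfer_from(self.address, src, dst, amount)

    def convert(self, caller, token, amount):
        # Legitimate path: the user who approved the contract triggers the pull,
        # and tokens move from that user into the contract only.
        self.safe_transfer_from(self.address, token, caller, self.address, amount)


def exposed_wallets(token, contract_address):
    """Wallets still holding a non-zero allowance for the contract: the check
    the article's lookup page performs, done here against the in-memory ledger."""
    return sorted(owner for (owner, spender), amt in token.allowances.items()
                  if spender == contract_address and amt > 0)


def demo_vulnerable():
    token, net = Token({"alice": 100}), VulnerableNetwork()
    token.approve("alice", net.address, 100)          # normal usage: approve the contract
    net.safe_transfer_from("other", token, "alice", "other", 100)  # no caller check
    return token.balances["alice"], token.balances["other"]


def demo_fixed():
    token, net = Token({"alice": 100}), FixedNetwork()
    token.approve("alice", net.address, 100)
    try:
        net.safe_transfer_from("other", token, "alice", "other", 100)
        blocked = False
    except Unauthorized:
        blocked = True
    net.convert("alice", token, 40)                   # the intended path still works
    return blocked, token.balances["alice"], token.balances[net.address]


def demo_revoke():
    """Revoking the allowance removes the exposure even on the unpatched contract."""
    token, net = Token({"alice": 100}), VulnerableNetwork()
    token.approve("alice", net.address, 100)
    before = exposed_wallets(token, net.address)
    token.approve("alice", net.address, 0)            # revoke the approval
    after = exposed_wallets(token, net.address)
    try:
        net.safe_transfer_from("other", token, "alice", "other", 100)
        drained = True
    except InsufficientAllowance:
        drained = False
    return before, after, drained


if __name__ == "__main__":
    print(demo_vulnerable(), demo_fixed(), demo_revoke())
```

The simulation makes the security point explicit: an ERC-20 allowance is granted to the contract address, so whoever can make the contract call transferFrom inherits every allowance users ever gave it. The guard in FixedNetwork closes that path, and for users the equivalent protection is setting their allowance for the affected contract back to zero, which is what the revoke step above achieves.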
In short, the team seems to have intervened promptly and no one has lost funds, at least for the moment.