The highest-profile cryptocurrency platform has been hacked multiple times over the last month, with losses amounting to more than 3 million USD. According to a blog post by Hong Kong-based blockchain security firm PeckShield Inc., the vulnerability of a smart contract known as `bancorConverter` was exploited multiple times by hackers.
An Estimated 3 Million USD in Multichain Losses Has Been Reported
An estimated 3 million USD in cryptocurrency has been lost in the latest hacking incidents, with the vulnerable smart contracts yet to be patched.
The news comes just days after a report that hackers stole 585 million USD worth of Ether (ETH) from one exchange alone on Monday. The stolen funds were then used to buy up all available ETH for sale, causing its value to drop by 30 percent before recovering slightly later that day.
PeckShield Inc. Reports Vulnerability
According to a blog post by Hong Kong-based blockchain security firm PeckShield Inc., the vulnerability of a smart contract known as `bancorConverter` was exploited multiple times by hackers.
The total loss is reportedly much higher than what we previously reported: according to PeckShield’s research team leader Lee Ting-Feng, the hackers were able to steal over 3 million dollars worth of cryptocurrency from single accounts.
Hackers Withdraw Approximately 9000 Ethereum (ETH)
The hackers were able to withdraw approximately 9,000 Ethereum (ETH) and some smaller transactions valued at approximately 1,000 BNT (the Bancor Network Token) and 24,984 Pundi X tokens.
However, the losses reported by the exchange aren’t necessarily related to this hack. According to reports from Bloomberg News and CoinDesk, there have been multiple other hacks in recent months involving cryptocurrencies on exchanges across Asia, including those run by Japan’s Coincheck Inc., Hong Kong-based Gatecoin Ltd., South Korea-based Coinone Exchange Inc., China’s Yunbi Group Co. Ltd. and India’s Coinsecure.
Vulnerabilities Remain Unpatched
PeckShield Inc. noted that despite investigating the first hack on July 9, the vulnerabilities remain unpatched, with two different hacks taking place.
The company’s CTO reported that their engineers first found out about a vulnerability in their smart contract on July 10 and reported it to Bancor Inc., who confirmed they had patched it within 24 hours. However, PeckShield says they were still unable to access funds after an attack by hackers took place again later that day (on July 11).
The same day, PeckShield learned through some fresh evidence that there may be more than one hacker involved in this whole mess—a fact which is allegedly supported by independent forensic analysis of data from both hacks conducted by PeckShield itself as well as its partners at Chainalysis Inc., who helped analyze how much was stolen during each event through its proprietary tool called “DataVault.”
PeckShield said that the `bancorConverter` smart contract does not employ a controllable fixed rate for conversions; instead, the rate is calculated based on the user’s current token reserves, which enables attackers to steal assets from other users.
The hack works by using a user’s funds to purchase an asset in order to make an exchange when they do not have enough of their own tokens. This means that anyone who uses this service could be at risk of being hacked if there are any malicious parties out there who can manipulate their account balances or use multiple accounts at once.
The PeckShield team has been working on finding solutions since its discovery last year, but it hasn’t been easy because most blockchain projects don’t have good security measures in place yet (less than 20%).
Bancor Patched Its System
While Bancor has patched its system following the initial hack at a code level, the security firm said that it was still vulnerable despite its lack of activity on the network level:
It will be interesting to see how Bancor responds to this report. If nothing else, the hacker has shown that there are still vulnerabilities in the system and they need to address them before they can claim safety from future hacks.