$13.5 Million Hack Ignites Fresh Debate Over Crypto Project Bancor

The security breach of a well-funded blockchain project renewed critiques against its technology this week.

Jul 15, 2018 at 10:40 a.m. UTC
Updated Sep 13, 2021 at 8:10 a.m. UTC

Innovation is never easy. That said, sometimes it can be that much harder.

Such was the case for crypto project Bancor this week, which saw its design decisions and strategy picked apart on social media as it sought to contain the damage from a multimillion-dollar hack.

The project announced its app was down for maintenance, and shortly after, it revealed a security breach had taken place. At the time, the project assured no user wallets were compromised. (The startup has since brought its platform back online.)


Then on Tuesday morning, Bancor published details of the breach: a wallet used to upgrade smart contracts was compromised and used to steal 3.2 million of the platform's own BNT tokens (worth $10 million), 25,000 ETH (about $12.5 million) and 230 million NPXS tokens ($1 million). Perhaps most notably, Bancor said it had frozen BNT tokens to prevent their loss.

Some background: it was Bancor that raised a then-record-breaking $153 million in a token sale, which saw participation from investors like Tim Draper and the investment firm Blockchain Capital. The startup pitched itself as a kind of "decentralized" market maker for smaller cryptocurrencies and crypto-assets, as well as a means to create wholly new tokens.

As an early mover in using the initial coin offering (ICO) funding model, Bancor has long been a magnet for critiques.

Critics have alleged everything from the platform being unnecessary to it not needing a blockchain. Sparking discussion of these topics this time around is a crucial detail above: Bancor was able to quickly stem losses in the cryptocurrency it created and issued.

Included in the Bancor code is a mechanism that gives the company the ability to freeze movements of the BNT token – something that critics quickly pounced on as the antithesis of the "decentralization" mantra, by which a network wouldn't have one governing force.

Bancor has frequently been referred to as a "decentralized exchange," a moniker that added fuel to those arguments.


Backdoor blues

Some were more detailed in their critiques, though, including developer Udi Wertheimer, who reminded the community that the centralization issue was well known long ago – and criticized.

On June 20 of last year, Wertheimer wrote in a Medium post that both Bancor's token and ICO contracts allow Bancor to arbitrarily issue, freeze and even destroy any BNT tokens whenever they want.

"I trust that Bancor's team won't try to misuse this backdoor. However, having so much power concentrated centrally, creates a potential single point of failure. The keys held by the team could be stolen for example. Or, law enforcement could force the project to freeze or destroy tokens if they realize this is possible (and if for some reason they would suspect any wrongdoing)," Wertheimer wrote at the time.

Back then, Bancor's team responded to the critique saying that the danger of the team losing its key is "quite far-fetched," as they are keeping the keys securely, using multi-sig contracts and offline wallets.

As might be expected, that pledge was brought up in the wake of the hack.


Wertheimer further argued that such "backdoor" mechanisms, which undermine the decentralization principles in Bancor, could also be the cause of the current breach, as the compromised wallet existed for the purpose of upgrading smart contracts – another feature allowing Bancor to manage the network in a more centralized manner.


Voices of support

Critiques aside, not everyone on social media took aim at Bancor.

Indeed, some took to social media to back Bancor's efforts to build their platform in the face of such issues.


One observer suggested that those criticizing Bancor might feel differently if it was their funds at risk following a hack.


Bancor response

Still, the company persevered through the tough week.

Following the attack, it has issued a number of statements seeking to clarify its actions, including its ability to exert control of the BNT tokens.

Stressing once again that user funds weren't compromised, Bancor said that the funds were stolen out of a BNT connector balance that served as a reserve, and out of smart contracts accessed by that wallet.

Bancor also defended its decision and ability to freeze BNT tokens as "necessary to protect the network and token holder in a state of emergency."


Later, in a July 12 blog post entitled "The Road Ahead," co-founder Guy Benartzi didn't address the decentralization critiques but outlined how Bancor would make available its internal tools to assist in tracking the stolen funds.

"This incident, while troubling, will not divert us from our goals. If anything, we will now redouble our efforts and accelerate our roadmap so that criminals will not prevent Bancor and the industry from achieving our most important of missions — to enable freedom of currency," he wrote.
