In a statement published hours ago, Israel-based cryptocurrency exchange Bancor fessed up to a security incident in which a hacker made off with roughly $13.5 million worth of cryptocurrency.
The hack took place yesterday, July 9, at 00:00 UTC, according to Bancor, after an unknown intruder (or intruders) gained access to one of the company's wallets.
This was a big deal because Bancor doesn't run as a classic exchange platform, but uses a complex mechanism based on smart contracts running on the Ethereum platform to move funds at a quicker pace than classic exchange platforms.
The compromised wallet also gave the attacker the ability to update the smart contracts responsible for converting user funds.
Bancor says the hacker used this access to withdraw 24,984 Ether (ETH) coins (~$12.5 million) from Bancor smart contracts and send the Ether to his own private wallet.
Similarly, he also withdrew 229,356,645 Pundi X (NPXS) coins, worth another $1 million.
The hacker also withdrew 3,200,000 Bancor tokens (BNT), worth around $10 million, which Bancor had issued last year as part of its ICO that raised over $150 million. Bancor says a security feature in Bancor tokens allowed it to freeze those funds and prevent the hacker from cashing them out at other exchanges.
"It is not possible to freeze the ETH and any other stolen tokens," Bancor says. "However, we are working together with dozens of cryptocurrency exchanges to trace the stolen funds and make it more difficult for their thief to liquidate them."
Bancor said the hacker didn't compromise any user wallets. The theft appears to have affected only Bancor's reserves, which the company held to facilitate the cryptocurrency exchange process.
Bancor did not reveal how the hack took place but promised more updates in the following days via its website and its Twitter account. Bancor's platform is currently down and undergoing maintenance work.
"This morning (CEST) Bancor experienced a security breach. No user wallets were compromised. To complete the investigation, we have moved to maintenance and will be releasing a more detailed report shortly. We look forward to being back online as soon as possible." — Bancor (@Bancor), July 9, 2018
Last year, a security researcher criticized the Bancor platform for using smart contracts that contained several security flaws.
Below is Bancor's initial statement regarding yesterday's security breach.