Innovation is never easy. That said, sometimes it can be that much harder.
Such was the case for crypto project Bancor this week, which saw its design decisions and strategy picked apart on social media as it sought to contain the damage from a multimillion-dollar hack.
On Monday, the project announced its app was down for maintenance, and shortly after, it revealed a security breach had taken place. At the time, the project assured no user wallets were compromised. (The startup has since brought its platform back online.)
Then on Tuesday morning, Bancor published details of the breach: a wallet used to upgrade smart contracts was compromised and used to steal 3.2 million of the platform’s own BNT tokens (worth $10 million), 25,000 ETH (about $12.5 million) and 230 million NPXS tokens ($1 million). Perhaps most notably, Bancor said it had frozen BNT tokens to prevent their loss.
Some background: it was Bancor that raised a then-record-breaking $153 million in a token sale, which saw participation from investors like Tim Draper and the investment firm Blockchain Capital. The startup pitched itself as a kind of “decentralized” market maker for smaller cryptocurrencies and crypto-assets, as well as means to create wholly new tokens.
As an early mover in using the initial coin offering (ICO) funding model, Bancor has long been a magnet for critiques.
Critics have alleged everything from that the platform is unnecessary to that it doesn’t need a blockchain. Sparking discussion of these topics this time around is a crucial detail above: that Bancor was able to quickly stem losses in the cryptocurrency it created and issued.
Included in the Bancor code is a mechanism that allows the company the ability to freeze movements of the BNT token – something that critics quickly pounced on as the antithesis of the “decentralization” mantra, by which a network wouldn’t have one governing force.
Bancor has frequently been referred to as a “decentralized exchange,” a moniker that added fuel to those arguments.
Some were more detailed in their critiques, though, including developer Udi Wertheimer who reminded to the community that the centralization issue was well known long ago – and criticized.
On June 20 of last year, Wertheimer wrote in a Medium post that both Bancor’s token and ICO contracts allow Bancor to arbitrarily issue, freeze and even destroy any BNT tokens whenever they want.
“I trust that Bancor’s team won’t try to misuse this backdoor. However, having so much power concentrated centrally, creates a potential single point of failure. The keys held by the team could be stolen for example. Or, law enforcement could force the project to freeze or destroy tokens if they realize this is possible (and if for some reason they would suspect any wrongdoing),” Wertheimer wrote at the time.
Back then, the Bancor’s team responded to the critique saying that the danger of the team losing its key is “quite far-fetched,” as they are keeping the keys securely, using multi-sig contracts and offline wallets.
As might be expected, that pledge was brought up in the wake of the hack.
Wertheimer further argued that such “backdoor” mechanisms that undermine the decentralization principles in Bancor could also cause the current breach, as the compromised wallet existed for the purpose of upgrading smart contracts – another feature allowing Bancor to manage the network in a more centralized manner.
Voices of support
Critiques aside, not everyone on social media took aim at Bancor.
Indeed, some took to social media to back Bancor’s efforts to build their platform in the face of such issues.
Still, the company persevered through the tough week.
Following the attack, it has issued a number of statements seeking to clarify its actions, including its ability to exert control of the BNT tokens.
Stressing once again that user funds weren’t compromised, Bancor said that the funds were stolen out of a BNT’s connector balance that served as a reserve, and smart contracts accessed by that wallet.
Bancor also defended its decision and ability to freeze BNT tokes as “necessary to protect the network and token holder in a state of emergency:
Later, in a July 12 blog post entitled “The Road Ahead,” co-founder Guy Benartzi didn’t address the decentralization critiques but outlined how Bancor would make available its internal tools to assist in tracking the stolen funds.
“This incident, while troubling, will not divert us from our goals. If anything, we will now redouble our efforts and accelerate our roadmap so that criminals will not prevent Bancor and the industry from achieving our most important of missions — to enable freedom of currency,” he wrote.
USB stick image via Shutterstock
fbq('init', '472218139648482'); fbq('track', "PageView");