For about 16 hours now, a known @Bancor vulnerability has allowed tokens to be transferred away from people who used the v0.6 contracts. To avoid this, those who traded on this DEX should revoke their token approvals. So, let’s look at who is still at risk.
Currently, 95 addresses still allow the faulty Bancor contracts to transfer tokens from them. This means that as soon as one of these addresses receives a token, it can be immediately transferred away by attackers or by the Bancor team.
The good news: 15 of them are contracts (arbitrage bots, @1inchExchange, @DEXAG_TokenWire, and @KyberNetwork) that receive and send tokens atomically, within one transaction. Because of this, tokens do not remain on their balance and are not available for transfer to an attacker.
Among the tokens a hacker could transfer, there are quite popular ones with good liquidity, like BNT, DAI, and BAT. A quick analysis of the non-contract addresses showed that there were no whales among them.
It would be good if the funds do not fall into the hands of attackers, and the frontrunners return the tokens to their rightful owners. Hopefully, DeFi in general will learn from this and will not trust audits of smart contracts by unknown companies such as Kanso Labs.
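The check-and-revoke step recommended above, as an added example that is not part of the original thread: it builds the ERC-20 `allowance(owner, spender)` query, decodes the returned word, and produces `approve(spender, 0)` calldata for every token that still has a non-zero approval. The addresses are placeholders (the thread does not list the affected contract addresses) and the `eth_call` results are constructed sample data.

```python
# ERC-20 function selectors (first 4 bytes of keccak-256 of the signature).
SEL_ALLOWANCE = "dd62ed3e"  # allowance(address,address)
SEL_APPROVE = "095ea7b3"    # approve(address,uint256)

def _word(addr: str) -> str:
    """Left-pad a 20-byte hex address to a 32-byte ABI word."""
    h = addr.lower()
    h = h[2:] if h.startswith("0x") else h
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a 20-byte address: {addr!r}")
    return h.rjust(64, "0")

def allowance_calldata(owner: str, spender: str) -> str:
    """Data field for an eth_call to token.allowance(owner, spender)."""
    return "0x" + SEL_ALLOWANCE + _word(owner) + _word(spender)

def revoke_calldata(spender: str) -> str:
    """Data field for a transaction calling token.approve(spender, 0)."""
    return "0x" + SEL_APPROVE + _word(spender) + "0" * 64

def decode_uint256(result_hex: str) -> int:
    """Decode the single 32-byte word returned by allowance()."""
    h = result_hex[2:] if result_hex.startswith("0x") else result_hex
    if len(h) != 64:
        raise ValueError("expected exactly one 32-byte word")
    return int(h, 16)

def approvals_to_revoke(responses: dict, spender: str) -> dict:
    """Map token -> revoke calldata for every non-zero allowance to spender."""
    return {token: revoke_calldata(spender)
            for token, raw in responses.items() if decode_uint256(raw) > 0}

# Constructed sample data: placeholder addresses and made-up eth_call results.
OWNER = "0x" + "11" * 20
AFFECTED_SPENDER = "0x" + "22" * 20      # placeholder, not a real Bancor address
RESPONSES = {                            # token address -> allowance() result
    "0x" + "aa" * 20: "0x" + "f" * 64,   # unlimited approval still active
    "0x" + "bb" * 20: "0x" + "0" * 64,   # already revoked
    "0x" + "cc" * 20: "0x" + hex(5 * 10**18)[2:].rjust(64, "0"),  # 5 tokens
}

if __name__ == "__main__":
    print("query :", allowance_calldata(OWNER, AFFECTED_SPENDER))
    for token, data in approvals_to_revoke(RESPONSES, AFFECTED_SPENDER).items():
        print("revoke:", token, data)
```

The revoke transaction is sent to the token contract, from the address that granted the approval, once per token and per affected spender.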
