Bancor announced on Monday via tweet that "a wallet used to upgrade some smart contracts was compromised," and a total of roughly $23.5 million-worth of Ether, Pundi X (NPXS) tokens, and Bancor Network tokens (BNT) were stolen. Roughly $10 million was in BNT. In response, Bancor used its authority to freeze the stolen BNT, preventing the thief from running away with that value.
Bancor is a blockchain protocol that circumvents the need for cryptocurrency exchanges like Coinbase by allowing users to convert tokens directly and instantly through its EDCCs (or smart contracts). When the company launched its ICO in June 2017, it raised a record-breaking $153 million in less than three hours. Bancor's market capitalization is almost $140 million, and in a recent blog post celebrating its 1 year anniversary, it touted "$1 billion in token conversions between more than 27,000 unique wallet addresses, achieving over $21 million in daily conversions on peak days."
Despite its evident popularity, Bancor's protocol has been controversial from day one due to the centralized nature of its native coin. Critics of the technology argue that the company can create, destroy, and freeze tokens at will, requiring a great deal of user trust in one entity for a technology that claims to be decentralized.
Bancor's twitter feed suggests more than a few people were unsurprised by the attack, and scoffed at the company's choice to freeze the funds.
Moreover, the hack was apparently achieved through a compromised wallet that allowed Bancor to update EDCCs. The fact that Bancor's wallet is capable of updating EDCCs is in and of itself a controversial facet of Bancor's protocol, since one of the key selling points of a blockchain technology is its immutable nature.
Meanwhile, Bancor is standing by its protocol, and lauding the $10 million in BNT that it was able to save due to its centralized power. In a tweet that it quickly deleted, Bancor linked to a June 2017 article wherein Bancor chief technical officer Yudi Levi described the company's strategy to avoid crises like Ethereum's DAO hack. This included the company's choice to have upgradable smart contracts, despite the centralized control that created.
However, and this is potentially why Bancor quickly deleted its tweet, the Levi article states that the upgradable smart contracts were to exist only during the pilot phase, and this attack comes more than a year after the launch of the protocol.
Bancor also tweeted to reassure users that their funds are safe.
Bancor's website and services are still down. All of Bancor's web addresses are rerouted to a page that tells users it is "doing some maintenance," and reassures users their funds are safe. The message seems targeted at critics of the technology who worry Bancor's power to create, destroy, and freeze coins may threaten their funds.