Balancer Pool suffered sophisticated hacker attacks that left the decentralized finance protocol with over half a million dollars in losses.
An unidentified attacker exploited a vulnerability in the DeFi protocol Balancer and stole over $500,000 worth of tokens in two attacks that took place within 24 hours.
As Balancer co-founder and CTO Mike McDonald reported on Monday, the first incident occurred on June 29, when hackers drained around $500,000 worth of Ethereum and other tokens from the DeFi liquidity provider Balancer. A second attack, with losses of $2,300, followed a few minutes later.
Balancer is a decentralized Automated Market Maker (AMM), driven by an algorithm that provides liquidity by simultaneously quoting buy and sell prices for assets on exchanges. The dApp provides depth to the market and profits from the difference between buying and selling prices.
According to the analysis from the 1inch DEX aggregator team, the attack was done “by using a vulnerability in the context of AMM and token with a deflationary model.”
The flash loan used to exploit the system
The attacker used a smart contract to automate multiple actions in a single transaction, 1inch reported. He first took a flash loan of over $23.6 million worth of Wrapped Ether (WETH) tokens from dYdX.
A flash loan is an innovative form of loan that is borrowed and repaid within a single transaction. It requires no collateral and allows very large amounts to be borrowed, but the borrower must repay the borrowed amount together with a small fee.
The attacker thus borrowed 104k WETH tokens, which are used in place of ETH when trading peer-to-peer against other ERC-20 tokens. The hacker then swapped WETH for Statera (STA) tokens 24 times in a row, completely draining the STA balance.
STA is a deflationary token with a 1% transfer fee, and it is removed from the market over time. According to the analysts:
It was possible because the Balancer Pool contract keeps track of token balances in the contract and STA token had a deflationary model with a transfer fee of 1% charged from a recipient [...] So every time the attacker swapped WETH to STA, the Balancer Pool received 1% less STA than was expected.
After draining the STA balance nearly to zero (or to “weiSTA” – one billionth of a token), the attacker swapped it back to WETH multiple times. The Balancer protocol accepted these swaps regardless and released the amount of WETH tokens that matched the original balance, although it never received an equal amount of STA. “The same step was repeated to drain WBTC, SNX and LINK token balances from the pool,” 1inch analysts added.
After the attacker repaid the flash loan of 104k WETH tokens, he exchanged the worthless STA tokens for Balancer Pool Token (BPT) and then back to WETH tokens via the Uniswap exchange. As 1inch summarizes:
In the result of the attack Balancer Pool lost nearly $500k, while the hacker got almost $425k worth of tokens.
Although the identity of the attacker is unknown, the analysts agree that the attack was carried out by a sophisticated smart contract engineer who has extensive knowledge of the leading DeFi protocols.
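The accounting gap that the 1inch analysis describes, modelled in Python as an added example (not code from Balancer, Statera or 1inch). The FeeToken and Pool classes, the measure_received switch and the 24 deposits of 1,000 tokens are assumptions made for illustration.

```python
from fractions import Fraction

FEE = Fraction(1, 100)  # 1% transfer fee, as stated for STA


class FeeToken:
    """Constructed ledger for a token whose recipient gets 1% less per transfer."""

    def __init__(self):
        self.balances = {}

    def mint(self, owner, amount):
        self.balances[owner] = self.balances.get(owner, 0) + Fraction(amount)

    def transfer(self, src, dst, amount):
        amount = Fraction(amount)
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount * (1 - FEE)


class Pool:
    """Hypothetical pool that keeps its own record of a token balance."""

    def __init__(self, token, name, measure_received):
        self.token, self.name = token, name
        self.measure_received = measure_received
        self.recorded = Fraction(0)

    def actual(self):
        return self.token.balances.get(self.name, Fraction(0))

    def accept(self, sender, amount):
        before = self.actual()
        self.token.transfer(sender, self.name, amount)
        if self.measure_received:
            self.recorded += self.actual() - before  # hardened: credit what arrived
        else:
            self.recorded += Fraction(amount)  # naive: credit the nominal amount

    def shortfall(self):
        """Tokens the pool's record claims but the token ledger does not show."""
        return self.recorded - self.actual()


def run(measure_received, deposits=24, amount=1000):
    token = FeeToken()
    token.mint("trader", deposits * amount)
    pool = Pool(token, "pool", measure_received)
    for _ in range(deposits):
        pool.accept("trader", amount)
    return pool.shortfall()
```

run(False) returns a shortfall of 240 tokens, the gap between the recorded and the real balance; run(True) returns 0 because the pool credits only the balance change it measured.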
Was it possible to prevent an attack?
In the meantime, the Balancer team has faced accusations that this hack, one of several smart contract hacks to emerge in the DeFi space lately, could have been prevented, as the team was warned a few months earlier about the critical bug that “Balancer Pool contract does not double-check its actual token balance before performing a swap”.
The Balancer team at first denied having suspected that such an attack was possible and claimed that it had consistently warned about the “unintended effects” of deflationary tokens:
Although we were not aware this specific type of attack was possible, we have consistently in our docs, discord, and other channels warned about the unintended effects ERC20s with transfer fees could have in the protocol.
However, the company later apologized and agreed to cover the losses of all users who lost funds in the attack. Furthermore, the company promised a grant to the user who found the critical bug and informed them about it.