DeFi Protocol Balancer Hacked Through Exploit It Seemingly Knew About
As analyzed by the 1inch.exchange team a few hours after the incident, a carefully crafted transaction taking more than 8 million gas, or about two thirds of an Ethereum block, stole over $500,000 in Ether, Wrapped Bitcoin (WBTC), Chainlink (LINK) and Synthetix (SNX) tokens.
Taking advantage of programmed burn
Timestamped at 6 PM UTC on Sunday, the transaction begins with a flash loan from dYdX for 104,000 ETH, or about $23 million.
The exploit relied on Statera (STA), a deflationary token where 1% of every transaction is automatically burned. Balancer’s smart contracts seem to have failed to account for this, thus expecting that each transaction would be for the full amount.
The hacker exploited this by exchanging back and forth between Statera and Ether 24 times. At each step, the STA balance available to the contract diminished by 1%, but the smart contract did not account for this. Thus, the price of STA remained stable despite the dwindling supply.
As noted by Balancer’s disclosure, at the end of this procedure the attacker called a function that updated the price based on the effective pool balance. Since the STA side was empty, it was suddenly priced at a huge premium.
The hacker used a “weiSTA,” or one billionth of a token, to swap for other assets on the platform, including ETH, BTC, LINK and SNX. Due to the burn mechanism, the weiSTA was never actually exchanged, which allowed the hacker to perform the transfer multiple times until all STA pools were drained.
They then exchanged the remainder of the STA to Balancer Pool tokens and cashed them out to Ether with Uniswap.
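A simplified model of the accounting gap described above, added here as an illustration and not taken from Balancer's or Statera's contracts. The class names, the two deposit methods and the amounts are constructed; only the 1% burn and the 24 repetitions come from the article. It compares a pool that credits the nominal amount with one that credits the measured balance change.

```python
# Added illustration: a toy model, not Balancer's or Statera's contract code.
BURN_BPS = 100  # 1% burn per transfer, as described for STA


class DeflationaryToken:
    """Minimal ledger whose transfer() burns 1% of the amount sent."""

    def __init__(self):
        self.balances = {}

    def mint(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        burned = amount * BURN_BPS // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount - burned
        return amount - burned


class Pool:
    """Keeps an internal record of its token balance, used for pricing."""

    def __init__(self, token, name="pool"):
        self.token, self.name, self.recorded = token, name, 0

    def actual(self):
        return self.token.balances.get(self.name, 0)

    def deposit_naive(self, src, amount):
        # Assumes the full amount arrives: the flaw the article describes.
        self.token.transfer(src, self.name, amount)
        self.recorded += amount

    def deposit_checked(self, src, amount):
        # Mitigation: credit only what the balance actually increased by.
        before = self.actual()
        self.token.transfer(src, self.name, amount)
        self.recorded += self.actual() - before


def drift_after(deposit_method, rounds=24, amount=1_000_000):
    """Return recorded-minus-actual balance after `rounds` deposits."""
    token = DeflationaryToken()
    token.mint("trader", rounds * amount)  # constructed sample funds
    pool = Pool(token)
    for _ in range(rounds):
        getattr(pool, deposit_method)("trader", amount)
    return pool.recorded - pool.actual()
```

With the naive method the recorded balance runs ahead of the real one by the burned amount on every transfer; measuring the balance before and after the transfer keeps the two equal.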
Security practices called into question
The Balancer team is being accused by a security researcher and the STA team of ignoring a bug report submitted almost two months before. Balancer’s CTO, Mike McDonald, confirmed the existence of the report, claiming that the issue outlined in it was essentially unexploitable and blaming flash loans for the incident. It is worth noting that any exploit made possible by a flash loan is also open to hackers with significant funds.
In a subsequently deleted tweet, McDonald appears to have taken responsibility for the bug.
Cointelegraph obtained screenshots from the STA team that further suggest that Balancer was keenly aware of the issue with transfer-fee tokens like Statera just days before the incident.
While Balancer took precautions with the STA pool by not including it in the liquidity mining program, it is unclear why the issue was not fixed at a smart contract level. At the same time, the protocol is permissionless and anyone can add new pools at their own risk. This would be similar to an incident that occurred on Uniswap during the dForce hack, where a pool created against the team’s advice was simultaneously hacked.
The Statera team nevertheless believes the risks were not adequately disclosed, with a representative saying:
“The only warning they have is on their website which suggests that the project is in beta and all funds are at risk.”
While Balancer documentation does mention risks for Statera-like tokens, they only involve “arbitrage opportunities.” The Statera representative said that “[we] wouldn’t have gone with Balancer if we knew we were at risk for such an attack.”
Cointelegraph reached out to Balancer to learn more, but did not immediately receive a response.