New hack attack against a DeFi protocol. It was Balancer, which immediately informed users of the ongoing attack.
On the incident with non-standard ERC20 deflationary tokens today.https://t.co/xgYxBTDVvK
— Balancer Labs (@BalancerLabs) June 29, 2020
For those who aren’t familiar with this project, this is a protocol for managing funds in a non-custodial way, a liquidity provider and price sensor, and its strong point is the Balancer Pool which is an AMM (Automated Market Maker) that allows managing the portfolio, the pool, and the price of the token.
Balancer Pool allows receiving fees from those who are part of the same pool taking advantage of arbitrage opportunities. The protocol was launched on the mainnet only last week.
These pools have been drained: we’re talking about over half a million dollars.
The hack was performed using an interesting technique and, before executing the attack, they used Tornado Cash so that it was impossible to trace where the funds came from.
Here’s the history of the hack:
- Flash lend ETH from dYdX and convert to WETH.
- Continuously trade WETH & STA in increasing quantities
- On each trade, STA has a transfer fee and the pool expects it to receive a balance without the fee.
- After enough calls, the attacker calls gulp() which syncs the internal pool accounting of a token balance to the actual balance as stored in the token tracker contract
- Because the balance of STA is close to zero, its price relative to the other tokens is extremely high and the attacker can now use STA to swap for other assets in the pool extremely cheaply
Balancer stated that, although this was obviously not expected, the team had considered that these types of tokens would create problems and in fact, they were not included in the recent BAL mining pool.
Balancer will now add the addresses involved in the hack to a blacklist and provide users with more documentation about the possible risks these tokens might involve. As a matter of fact, it’s not so much the protocol that’s not safe but how these tokens were designed. Furthermore, the team will schedule a third protocol audit.
Hack against Balancer’s DeFi protocol. Whose fault was it?
According to several users who commented on the news, Balancer should be blamed because the bug was not only ignored, but nobody was even compensated for the bounty program to discover possible errors.
This claim was confirmed by Balancer’s co-founder and CTO, Mike McDonald, who justified himself by saying that the flash loans were not yet available.
As innovative as it may be, decentralized finance (DeFi) has once again suffered an attack that has resulted in a huge loss of funds.
The tokens involved have suffered a price reduction of 75% for STA and 98% for STONK.