New hack attack against DeFi

By Alfredo de Candia - 29 Jun 2020

A new hack has hit a DeFi protocol. This time it was Balancer, which immediately informed users of the ongoing attack.

For those who aren’t familiar with this project, this is a protocol for managing funds in a non-custodial way, a liquidity provider and price sensor, and its strong point is the Balancer Pool which is an AMM (Automated Market Maker) that allows managing the portfolio, the pool, and the price of the token.

A Balancer Pool lets its liquidity providers collect fees from those who trade against the pool, including arbitrageurs taking advantage of price differences. The protocol was launched on the mainnet only last week.

From what can be learned from Balancer’s official statement, the attack targeted 2 pools that contained 2 different tokens, Statera (STA) and Stonk (STONK).

Both pools were drained: we’re talking about over half a million dollars in total.

The hack used an interesting technique and, before executing the attack, the attacker routed the funds through Tornado Cash so that it was impossible to trace where they came from.

Here’s the history of the hack:

  • Flash lend ETH from dYdX and convert to WETH.
  • Continuously trade WETH & STA in increasing quantities.
  • On each trade, STA has a transfer fee and the pool expects it to receive a balance without the fee.
  • After enough calls, the attacker calls gulp() which syncs the internal pool accounting of a token balance to the actual balance as stored in the token tracker contract.
  • Because the balance of STA is close to zero, its price relative to the other tokens is extremely high and the attacker can now use STA to swap for other assets in the pool extremely cheaply.
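To make the accounting problem in the steps above concrete, here is a small Python model. It is an added illustration, not Balancer's or Statera's code, and every number in it (the 1% transfer fee, the reserves, the trade sizes) is constructed; the real figures are not on the page. A pool that credits the nominal amount of each inbound transfer drifts away from the token's real balance with every trade, and a gulp() resync then collapses the internal reserve to the real one, which raises the token's internal price. The hardened variant credits only the balance difference it actually measures, so it never drifts.

```python
"""Toy model of pool accounting against a fee-on-transfer (deflationary) token.

Added illustration, not Balancer's code. All values are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class DeflationaryToken:
    """ERC20-like token that burns a fee on every transfer (STA-style)."""
    fee_bps: int                                   # fee in basis points (constructed)
    balances: dict = field(default_factory=dict)

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def mint(self, who: str, amount: int) -> None:
        self.balances[who] = self.balance_of(who) + amount

    def transfer(self, sender: str, recipient: str, amount: int) -> int:
        """Debit `amount` from sender, credit amount minus fee; return what arrived."""
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        fee = amount * self.fee_bps // 10_000
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount - fee
        return amount - fee


class TrustingPool:
    """Two-asset constant-product pool whose STA reserve is tracked internally
    and credited with the NOMINAL amount of each inbound transfer (the flaw)."""
    ADDR = "pool"

    def __init__(self, token: DeflationaryToken, sta_reserve: int, weth_reserve: int):
        self.token = token
        self.token.mint(self.ADDR, sta_reserve)
        self.recorded_sta = sta_reserve            # internal accounting of STA
        self.weth = weth_reserve                   # WETH side, modelled as a plain counter

    def _credit_sta(self, trader: str, amount: int) -> int:
        self.token.transfer(trader, self.ADDR, amount)
        return amount                              # assumes the full amount arrived

    def swap_sta_for_weth(self, trader: str, amount_in: int) -> int:
        credited = self._credit_sta(trader, amount_in)
        # constant-product quote using the internal STA reserve (no swap fee)
        weth_out = self.weth * credited // (self.recorded_sta + credited)
        self.recorded_sta += credited
        self.weth -= weth_out
        return weth_out

    def drift(self) -> int:
        """How far internal accounting has diverged from the token's real balance."""
        return self.recorded_sta - self.token.balance_of(self.ADDR)

    def gulp(self) -> int:
        """Resync internal accounting to the real balance (what gulp() does)."""
        self.recorded_sta = self.token.balance_of(self.ADDR)
        return self.recorded_sta

    def sta_price_in_weth(self) -> float:
        return self.weth / self.recorded_sta


class MeasuringPool(TrustingPool):
    """Hardened variant: credits only what actually arrived, measured as the
    difference in balance_of before and after the transfer."""

    def _credit_sta(self, trader: str, amount: int) -> int:
        before = self.token.balance_of(self.ADDR)
        self.token.transfer(trader, self.ADDR, amount)
        return self.token.balance_of(self.ADDR) - before


def run_trades(pool_cls, trade_sizes, fee_bps: int = 100):
    """Constructed scenario: 1% transfer fee, 1000 STA / 1000 WETH reserves,
    one trader selling STA into the pool in growing sizes."""
    token = DeflationaryToken(fee_bps)
    token.mint("trader", 10_000)
    pool = pool_cls(token, sta_reserve=1_000, weth_reserve=1_000)
    for size in trade_sizes:
        pool.swap_sta_for_weth("trader", size)
    return pool


if __name__ == "__main__":
    for cls in (TrustingPool, MeasuringPool):
        p = run_trades(cls, [100, 200, 400])
        price_before, drift = p.sta_price_in_weth(), p.drift()
        p.gulp()
        print(f"{cls.__name__}: drift={drift}, STA price before gulp={price_before:.4f}, "
              f"after={p.sta_price_in_weth():.4f}")
```

The difference between the two pools is one line: the hardened pool reads the token balance before and after the transfer and credits the delta, instead of trusting the amount the caller passed in. That before/after measurement is the usual defence for any contract that holds tokens whose transfer() can deliver less than requested.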

Balancer stated that, although this attack was obviously not expected, the team had already considered that tokens of this type would create problems, and in fact they had not been included in the recent BAL mining pool.

Balancer will now add the addresses involved in the hack to a blacklist and provide users with more documentation about the risks these tokens might involve. In Balancer's view, the issue is not so much the safety of the protocol as the way these tokens were designed. Furthermore, the team will schedule a third protocol audit.

Hack against Balancer’s DeFi protocol. Whose fault was it? 

According to several users who commented on the news, Balancer should be blamed because the bug was not only ignored, but no bounty was ever paid under the program for discovering possible errors.

This claim was confirmed by Balancer’s co-founder and CTO, Mike McDonald, who defended the decision by saying that flash loans were not yet available at the time.

As innovative as it may be, decentralized finance (DeFi) has once again suffered an attack that has resulted in a huge loss of funds.

The tokens involved have suffered a price reduction of 75% for STA and 98% for STONK.

Alfredo de Candia

Android developer for over 8 years with a dozen developed apps, Alfredo at age 21 climbed Mount Fuji following the saying: "He who climbs Mount Fuji once in his life is a wise man, who climbs him twice is a Crazy". Among his apps we find a Japanese database, a spam and virus database, the most complete database on Anime and Manga series birthdays and a shitcoin database. A Sunday miner, Alfredo has a passion for crypto and is a fan of EOS.
