- A hacker used a $23.4 million flash loan to drain a Balancer pool of nearly $535,000.
- One token in the pool was deflationary and burned 1% of the total amount in every transaction, but Balancer did not account for these burns, giving the hacker a vector to exploit.
- Balancer is taking necessary steps to mitigate future incidents, such as a third audit and blacklisting deflationary tokens.
A hacker found a loophole in a Balancer pool through a deflationary token, resulting in the pool being drained of $535,000. Balancer's co-founder took responsibility for ignoring an earlier bug report regarding this same attack vector.
Breaking Down the Balancer Exploit
At roughly 6:00 PM UTC, a meta-transaction to drain a Balancer pool of liquidity was executed on the Ethereum blockchain. The transaction was extremely complex, recording a $54 fee and 315 token transfers within it.
The Balancer pool that succumbed to this exploit was an equally weighted pool of SNX, LINK, WBTC, WETH, and STA.
For the uninitiated, STA, or Statera, is a deflationary token designed to “attract liquidity.” Every time STA is transferred, 1% of the total transaction amount is destroyed.
The hacker began by borrowing 104,331 WETH ($23.3 million) using a dYdX flash loan.
They then proceeded to trade WETH for STA and vice versa, back and forth, 24 times. The exploiter understood that Balancer only recorded the token transfer; it did not account for the burned STA.
As a result, the STA side of the pool grew smaller and smaller.
After sufficiently diminishing the amount of STA in the pool, the hacker could throw the entire pool's dynamics off balance. They proceeded to swap 0.000000000000000001 STA (18 digits after the decimal) for WETH numerous times to drain the WETH portion of the pool, repeating this same action with WBTC, SNX, and LINK.
After they repaid the flash loan, the hacker wasn't finished.
They held a significant amount of Balancer pool tokens, similar to Uniswap and Curve LP shares. Using Uniswap, these pool tokens were exchanged for more STA and swapped for 109 WETH.
Implications and Hacker Tenacity
The hacker's address, from which they executed the primary transaction, currently holds $320,000 of SNX, LINK, and WBTC combined.
DeFi hackers are becoming more sophisticated, using the Tornado Cash mixer to fund the address.
In a prepared statement, Balancer claims they were unaware this kind of attack was possible but had been warned of the implications non-standard ERC-20 tokens could have on the pool.
This runs contrary to the claims of Twitter user “Hex Capital”, who claims to have submitted this exact scenario to Balancer's bug bounty program in May 2020.
Mike McDonald, co-founder and CTO of Balancer, replied to the remark, saying, “the submitted report was about trading a pool and slowly decreasing the pools balance vs. internal balance which we were aware of and why warnings existed. Today worked because of flash lending. That is my fault, and I apologize for not taking more time to review other consequences of what could happen.”
The report mentions swapping to get an asset near 0. I didn't keep in mind flash lending and figured a 1% transfer fee would be impossible to get anywhere near that level on regular swaps (that get more expensive each trade). Again I'll take full responsibility here
— Mike McDonald (@mikeraymcdonald) June 29, 2020
Balancer did not include STA in its latest whitelist of tokens that are eligible to liquidity mine BAL.
Further, Balancer will bar all deflationary tokens from its whitelist and add more documentation regarding how liquidity pools can be exploited.