Yet Another Balancer Attack for ‘Unclaimed’ COMP; DeFi Liquidity Provider to Reimburse Hack Victims

It hasn’t been 24 hours since news of a $500,000 hack on Balancer came out, and a new attack has already claimed $2,300 worth of the new Compound tokens (COMP).

Hao, a hacker and engineer at DeBank, a DeFi wallet, took to Twitter to share how, this time as well, someone used Andreessen-funded dYdX for a flash loan and drained, yes again, unclaimed COMP stored in a number of pools of Balancer, an automated market maker.

The hacker explained that the contract flash loaned some tokens from dYdX to mint cTokens from those funds. Then they used Uniswap v2 to flash loan some COMP.

The contract joined the COMP/cBAT/cUSDT pool to trigger Compound to send unclaimed COMP to this Balancer pool. After syncing the COMP balance, the contract withdrew from Balancer better off and continued to do the same for other pools.

After getting all the extra COMP, it repaid Uniswap and dYdX, made an exit, and swapped COMP for ETH in a normal Uniswap V2 trade.

However, @FollowTheChain said the “unclaimed COMP” is only a tiny fraction of COMP that has accumulated since the last action of each cToken, which occurred a few minutes before.

According to Balancer Labs, this attack wasn’t like the one from yesterday either.

Amidst this came the good news that Balancer Labs will be reimbursing all the liquidity providers who lost funds in yesterday’s attack.

It will also pay out the “highest bug bounty available” to Hex Capital, which alerted Balancer Labs to this vulnerability in May.

“This is a major issue in crypto today – creating bug bounty programs and then ignoring the results + refusing to pay out. We need to do better,” said Hex Capital.

Market Unaffected

Yesterday’s attack involved two Balancer pools that contained the deflationary tokens STA and STONK, tokens with transfer fees, with more than $500,000 worth being drained by a hacker.

The attack took place in two separate transactions that were 30 minutes apart. Only the pools containing a token with transfer fees were affected by the exploit.

DeFi aggregator 1inch in its official report stated the attacker was a “very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols.”

Not only was he organized and prepared in advance, but he also used Tornado Cash, a privacy-focused Ethereum mixer, to get initial funds, which hid the source of his Ether.

It reported that the attack on one of the Balancer pools was caused by a complex transaction that the hacker sent to the Ethereum mainnet. Then, with another transaction, the hacker drained another Balancer pool.

The address with the stolen funds currently holds about 601 ETH, worth about $133,823.

In its official report on the incident, Balancer Labs reported that it wasn’t aware that “this specific type of attack was possible,” which has now turned out to be untrue.

However, they have been warning about the unintended effects of ERC20s with transfer fees in the protocol. As such, STA wasn’t included in the recently assembled BAL mining whitelist.

Now, transfer-fee tokens will be added to the blacklist, and Balancer Labs will continue to audit and review the protocol; the third planned audit is starting soon.

However, the market seems unaffected for now, as the total value locked in Balancer is $115 million, down from the all-time high of $117 million just a day before, as per DeFi Pulse.
