Decentralized finance protocol Balancer has been exploited for over $50,000 worth of cryptocurrency after a hacker found a loophole in its system and took advantage of it using deflationary tokens.
Over two transactions spread 30 minutes apart, the hacker attacked Balancer’s STA and STONK pools. Both of these are deflationary tokens, which means that every time they are transacted, 1% of the amount moved is destroyed. Taking this into account, the hacker decided to attack.
The first step was to borrow 104,331 Wrapped Ether (WETH), an ERC-20 version of ether, via a flash loan on dYdX. A flash loan is one that is both taken and repaid in a single transaction. Using the $23 million worth of WETH the hacker had, he started swapping WETH to STA back and forth.
After 24 transactions, the STA balance in the pool was drained down to 0.000000000000000001 STA because of the 1% burn per transaction. Given the small balance, the hacker was then able to swap the deflationary token for other assets from Balancer’s pools very cheaply.
The hacker took 601.3 ETH, worth around $134,000, 11.36 WBTC, worth over $100,000, 22,593 LINK, worth around $102,000, and 60,915 SNX, worth over $110,000. In total, the attack netted the hacker a little over $450,000.
The hacker’s address now has $325,000 worth of ERC-20 tokens, and an additional $134,000 worth of ether. The transaction pulling off the attack was a rather complex one, leading decentralized exchange aggregator 1inch to believe the attacker was a “very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols.”
Balancer claimed in a statement that it was not aware this type of attack was possible, although it has warned “about the unintended effects of ERC20s with transfer fees could have in the protocol.” On Twitter, however, Hex Capital claimed it had submitted the attack vector to Balancer’s bug bounty program last month but was denied payment.
"Although we were not aware this specific type of attack was possible" - this is patently false @mikeraymcdonald @BalancerLabs. I submitted this exact attack vector to your bug bounty program on 5/6 and was denied payment. cc @defiprime @TheBlock__ @VitalikButerin @1inchExchange— Hex Capital (@Hex_Capital) June 29, 2020
Mike McDonald, Balancer’s co-founder and CTO, replied to Hex Capital claiming the report was “about a trading pool and slowly decreasing the pools balance vs internal balance which we were aware of and why warnings existed.” The recent attack, he said, “worked because of flashlending.”
This is notably the fifth attack on decentralized finance protocols. The first two saw hackers drain the lending protocol bZx of over $1 million worth of cryptocurrency, while in April dForce was hacked for $25 million. The latter saw the hacker return the funds, for unknown reasons.
The ether used to deploy the smart contracts for the Balancer exploit was mixed through Tornado Cash to hide the funds’ origins.