Nexo

Start Earning Up to 16% Interest Automatically

Learn More
Home » Analysis » Balancer Pool Exploited, Over $500,000 of Funds Lost

Balancer Pool Exploited, Over $500,000 of Funds Lost

by

$500,000 was stolen from Balancer by taking advantage of a vulnerability.

Smart contracts will govern car or truck ownership and help prevent counterfeit parts and stolen vehicles

Key Takeaways

  • A hacker used a $23.4 million flash loan to drain a Balancer pool of close to $535,000.
  • One token in the pool was deflationary and burnt 1% of the total amount in each transaction, but Balancer didn't account for these burns, giving the hacker a vector to exploit.
  • Balancer is taking necessary steps to mitigate future incidents, such as a third audit and blacklisting deflationary tokens.

Share this article

A hacker found a loophole in a Balancer pool via a deflationary token, resulting in the pool being drained of $535,000. Balancer’s co-founder took responsibility for ignoring a previous bug report regarding this same attack vector.

Breaking Down the Balancer Exploit

At roughly 6:00 PM UTC, a meta-transaction to drain a Balancer pool of liquidity was executed on the Ethereum blockchain. The transaction was incredibly complex, recording a $54 fee and 315 token transfers within it.

The current state of Balancer's drained liquidity pool
Balancer’s drained liquidity pool

The Balancer pool that succumbed to this exploit had an equal weight pool between SNX, LINK, WBTC, WETH, and STA.

For the uninitiated, STA, or Statera, is a deflationary token designed to “attract liquidity.” Every time STA is transferred, 1% of the total transaction amount is destroyed.

The hacker began by borrowing 104,331 WETH ($23.3 million) using a dYdX flash loan.

They then proceeded to exchange WETH for STA and vice versa back and forth 24 times. This exploiter understood that Balancer only recorded the token transfer – it didn’t account for the burnt STA.

As a result, the STA side of the pool grew smaller and smaller.

The price of STA after the hack
The price of STA is down 76% in the last 24 hours, via CoinGecko.

After sufficiently diminishing the amount of STA in the pool, the hacker could throw the entire pool’s dynamics off balance. They proceeded to swap 0.000000000000000001 STA (18 digits after the decimal) for WETH countless times to drain the WETH portion of the pool, mimicking this same action with WBTC, SNX, and LINK.

After they repaid the flash loan, the hacker wasn’t finished.

They held a significant amount of Balancer pool tokens, similar to Uniswap and Curve LP shares. Using Uniswap, these pool tokens were exchanged for more STA and swapped for 109 WETH.

Implications and Hacker Tenacity

The hacker’s address, from which they executed the main transaction, currently has $320,000 of SNX, LINK, and WBTC combined.

DeFi hackers are becoming more sophisticated, using the Tornado Cash mixer to fund the address.

In a prepared statement, Balancer claims they were unaware this kind of attack was possible but were warned of the consequences non-standard ERC-20 tokens could have on the pool.

This runs contrary to the claims of Twitter user “Hex Capital” who claims to have submitted this exact scenario to Balancer’s bug bounty program in May 2020.

Mike McDonald, co-founder and CTO of Balancer, replied to the comment, saying, “the submitted report was about trading a pool and slowly decreasing the pools balance vs. internal balance which we were aware of and why warnings existed. Today worked because of flash lending. That is my fault, and I apologize for not taking more time to review other consequences of what could happen.”

https://twitter.com/mikeraymcdonald/status/1277443568852967430?s=20

Balancer didn’t include STA in it’s latest whitelist for tokens that are eligible to liquidity mine BAL.

Further, Balancer will bar all deflationary tokens from its whitelist and add more documentation regarding how liquidity pools can be exploited.

Share this article

The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.

Crypto Briefing may augment articles with AI-generated content created by Crypto Briefing’s own proprietary AI platform. We use AI as a tool to deliver fast, valuable and actionable information without losing the insight - and oversight - of experienced crypto natives. All AI augmented content is carefully reviewed, including for factural accuracy, by our editors and writers, and always draws from multiple primary and secondary sources when available to create our stories and articles.

You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.

See full terms and conditions.