The Decentralized Finance (DeFi) ecosystem has once again come under attack as a decentralized automated market maker exchange suffered losses close to half a million dollars yesterday.
DeFi project Balancer has lost about $500,000 worth of multiple tokens to a hacker due to a vulnerability in two of Balancer’s pools. News about the hack emerged on social media on Sunday evening, but Balancer did not issue an official report until this morning.
According to the report, the attacker only stole funds from two pools containing STA and STONK, known as “deflationary tokens” or “transfer fees.” Balancer claims the vulnerability only affects pools “where a token has these transfer fees.”
The perpetrator adopted a similar exploitation method used on other DeFi protocols in the past. He used Tornado Cash to obtain the initial funds which he used to deploy smart contracts and conduct the attack. This way, he was able to hide the source of his ETH, DEX Aggregator 1inch explained.
Using the smart contracts, he obtained a flash loan of 104K ETH (appr $23.2 million) from decentralized lending protocol dYdX and converted it to WETH, an Ether-pegged stablecoin. After that, he started trading WETH and STA continuously in increasing quantities.
As reported, STA has a transfer fee on each trade, and the pool expects it to receive a balance without the fee. Balancer further explained that “after enough calls, the attacker calls gulp() which syncs the internal pool accounting of a token balance to the actual balance is stored in the token tracker contract.”
Since STA’s balance is almost nothing, its value relative to other tokens is extremely high. This allowed the hacker to drain funds by swapping STA for other cryptocurrencies in the pool, including ETH, WBTC, LINK, and SNX.
After completing his mission, the attacker quickly repaid the $104K flash loan to dYdX, and the stolen funds were transferred to unknown addresses.
In its update, Balancer claimed it is not aware that this type of attack was possible. However, a Twitter user argued that the hacker was able to exploit the vulnerability because Balancer Labs refused to acknowledge the detailed attack vector report, which he submitted to the project during its bug bounty program in May.
Responding to the tweet, Mike McDonald, the co-founder and CTO of Balancer, said the submitted bug report covered issues they were already aware of, so they warned about the unintended effects of ERC20 tokens with transfer fees could have on the network.
Despite the attack, Balancer is now the fourth largest DeFi project on Ethereum with over $116 million worth of ETH locked in the protocol, which is almost a 100% increase in one week.
Balancer launched its governance token BAL on June 23. Following the launch, BAL’s price recorded more than 200% growth, moving from $6.65 to $22.28 in one day.
Update:
The team behind Balancer has decided to reimburse the liquidity providers who lost funds.