Clever manipulation of Balancer’s deflationary token pools allowed hackers to steal half a million dollars worth of tokens
Balancer, the latest DeFi token phenomenon, suffered a serious attack, the project announced on its blog yesterday. The attack saw almost half a million dollars stolen in a number of different currencies through a clever manipulation of its reserve pools.
The two pools targeted were those holding STA and STONK, tokens that burn a fee on every transfer. The attacker began by taking a flash loan of 104,000 ETH from dYdX, converted it into WETH, and then traded back and forth in these pools many times over.
Because every one of those transfers burned a fee, the pools’ real STA holdings were whittled away with each trade while the pools’ internal accounting did not reflect the loss. When very little STA remained in the pools’ actual balance, the attacker called the pool’s ‘gulp’ function, which syncs the recorded STA balance with the amount of STA the pool actually holds.
Once the pool’s accounting registered that it held almost no STA, it repriced STA massively upward to reflect the change. The attacker was then able to sell large amounts of STA to the pool at that hugely inflated value. The same technique was repeated for the other tokens in the pools, such as ETH, WBTC, LINK and SNX. After repaying the 104,000 ETH flash loan, the attacker withdrew the proceeds to separate addresses.
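The accounting failure described above can be made concrete with a toy model. The following is an added, constructed example, not Balancer’s code: a minimal constant-product pool paired with a token that burns a fee on every transfer. With `measure_received=False` the pool credits the amount the caller claims to send, so its recorded balance drifts above its real balance and a gulp-style resync then shifts the price; with `measure_received=True` the pool credits only the delta it actually observed, which is the defensive check a pool should make. Token names, fee rate, balances and the `gulp_a`/`drift_a` helpers are all assumptions of this example, and swap fees and slippage protection are left out for brevity.

```python
"""Toy constant-product pool with a fee-on-transfer token (constructed example).

Not Balancer's code. Shows why a pool must credit the amount it actually
received, not the amount the caller said it sent, when a token burns a fee
on transfer, and how a gulp()-style resync exposes the resulting drift.
"""


class DeflationaryToken:
    """Burns fee_bps basis points of every transfer (e.g. 100 bps = 1%)."""

    def __init__(self, fee_bps: int):
        self.fee_bps = fee_bps
        self.balances: dict[str, int] = {}

    def mint(self, who: str, amount: int) -> None:
        self.balances[who] = self.balance_of(who) + amount

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def transfer(self, src: str, dst: str, amount: int) -> int:
        """Move `amount` from src; dst receives amount minus the burned fee."""
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        fee = amount * self.fee_bps // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount - fee
        return amount - fee


class ConstantProductPool:
    """Two-token x*y=k pool holding its reserves under the address 'pool'.

    measure_received=False reproduces the accounting flaw: the pool trusts
    the caller's amount_in. measure_received=True is the hardened form.
    """

    def __init__(self, token_a: DeflationaryToken, token_b: DeflationaryToken,
                 measure_received: bool):
        self.token_a, self.token_b = token_a, token_b
        self.measure_received = measure_received
        self.record_a = token_a.balance_of("pool")
        self.record_b = token_b.balance_of("pool")

    def swap_a_for_b(self, trader: str, amount_in: int) -> int:
        before = self.token_a.balance_of("pool")
        self.token_a.transfer(trader, "pool", amount_in)
        received = self.token_a.balance_of("pool") - before
        # Flaw: crediting amount_in ignores the fee the token just burned.
        credited = received if self.measure_received else amount_in
        # Constant-product output computed from the pool's recorded balances.
        amount_out = self.record_b * credited // (self.record_a + credited)
        self.record_a += credited
        self.record_b -= amount_out
        self.token_b.transfer("pool", trader, amount_out)
        return amount_out

    def gulp_a(self) -> None:
        """Resync the recorded balance of A to what the pool really holds."""
        self.record_a = self.token_a.balance_of("pool")

    def drift_a(self) -> int:
        """Recorded minus real A balance; anything non-zero is a red flag."""
        return self.record_a - self.token_a.balance_of("pool")

    def spot_price_a(self) -> float:
        """Units of B per unit of A, as the pool's accounting sees it."""
        return self.record_b / self.record_a


def build_pool(measure_received: bool) -> ConstantProductPool:
    """Constructed state: 1,000,000 of each token in the pool, A burns 1%."""
    a, b = DeflationaryToken(fee_bps=100), DeflationaryToken(fee_bps=0)
    a.mint("pool", 1_000_000)
    b.mint("pool", 1_000_000)
    a.mint("trader", 1_000_000)
    return ConstantProductPool(a, b, measure_received)


def run_round(measure_received: bool, amount_in: int = 100_000):
    """One swap of A into the pool, then a gulp. Returns
    (accounting drift after the swap, price before gulp, price after gulp)."""
    pool = build_pool(measure_received)
    pool.swap_a_for_b("trader", amount_in)
    drift = pool.drift_a()
    price_before = pool.spot_price_a()
    pool.gulp_a()
    return drift, price_before, pool.spot_price_a()


if __name__ == "__main__":
    for flag in (False, True):
        drift, before, after = run_round(flag)
        print(f"measure_received={flag}: drift={drift}, "
              f"price before gulp={before:.6f}, after gulp={after:.6f}")
```

With the flawed accounting a single 100,000-unit swap leaves the pool believing it holds 1,000 more A than it does, and the gulp then moves the quoted price even though no trade happened. With the hardened form the drift is zero and the gulp is a no-op, which is the invariant a pool integrating fee-on-transfer tokens should assert after every deposit.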
Balancer had been warned of the bug
Many are angry with Balancer for ignoring a bug report that outlined exactly how this type of attack could be carried out.
3/ I submitted this exact attack vector to Balancer Labs’ Bug Bounty program 53 days earlier on May 6. At the time, only $250 of user funds were at risk. My Medium post includes my full, unedited bug bounty submission.
— Hex Capital (@Hex_Capital) June 29, 2020
Not only was this bug submitted to Balancer, it was submitted on May 6th, some 53 days before the attack took place.
Hex Capital, the bug reporter, states in their Twitter thread that they are a DeFi enthusiast and they are keen to see the sector succeed. However, in their view, security needs to be improved to maintain people’s trust and also to keep DeFi on its impressive growth path.
To Balancer’s credit, they are reimbursing anyone who lost money and they are doing the right thing by paying Hex Capital — the highest bug bounty available.