A hacker exploited a loophole in a Balancer pool through a deflationary token, resulting in the pool being drained of $535,000. Balancer’s co-founder took responsibility for ignoring an earlier bug report concerning this same attack vector.
Breaking Down the Balancer Exploit
At roughly 6:00 PM UTC, a meta-transaction to empty a Balancer pool of liquidity was executed on the Ethereum blockchain. The transaction was extremely complex, recording a $54 fee and 315 token transfers inside it.
The Balancer pool that succumbed to this exploit was an equal-weight pool of SNX, LINK, WBTC, WETH, and STA.
For the uninitiated, STA, or Statera, is a deflationary token designed to “attract liquidity.” Whenever STA is transferred, 1% of the total transaction amount is destroyed.
The hacker started by borrowing 104,331 WETH ($23.3 million) using a dYdX flash loan.
They then proceeded to exchange WETH for STA and vice versa, back and forth, 24 times. This exploiter understood that Balancer only recorded the token transfer – it didn’t account for the burnt STA.
Consequently, the STA aspect of the pool grew smaller and smaller.
After sufficiently diminishing the amount of STA in the pool, the hacker could throw the entire pool’s dynamics off balance. They proceeded to swap 0.000000000000000001 STA (18 digits after the decimal) for WETH countless times to empty the WETH portion of the pool, repeating the same move with WBTC, SNX, and LINK.
After they repaid the flash loan, the hacker wasn’t done.
They held a significant amount of Balancer pool tokens, similar to Uniswap and Curve LP shares. Using Uniswap, these pool tokens were exchanged for more STA and swapped for 109 WETH.
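The accounting gap described above (the pool recorded the transfer amount rather than what arrived after STA's 1% burn), modelled as an added example that is not Balancer's or Statera's code. The class names, addresses and the 24 deposits of 100 tokens are constructed, and the model covers inbound transfers only, not the pool's swap maths.

```python
from decimal import Decimal

BURN_RATE = Decimal("0.01")  # the article's figure: 1% of each STA transfer is destroyed

class DeflationaryToken:
    """Constructed fee-on-transfer ledger (a model, not STA's contract)."""
    def __init__(self, holder, supply):
        self.balances = {holder: supply}

    def balance_of(self, owner):
        return self.balances.get(owner, Decimal(0))

    def transfer(self, sender, recipient, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        # The recipient receives less than `amount`; the rest is burned.
        self.balances[recipient] = self.balance_of(recipient) + amount * (1 - BURN_RATE)

class NaivePool:
    """Credits the amount the sender asked to transfer."""
    address = "naive-pool"  # hypothetical address

    def __init__(self, token):
        self.token, self.recorded = token, Decimal(0)

    def deposit(self, sender, amount):
        self.token.transfer(sender, self.address, amount)
        self.recorded += amount  # assumes all of `amount` arrived

class MeasuringPool(NaivePool):
    """Credits only what actually arrived (balance-before/after pattern)."""
    address = "measuring-pool"  # hypothetical address

    def deposit(self, sender, amount):
        before = self.token.balance_of(self.address)
        self.token.transfer(sender, self.address, amount)
        self.recorded += self.token.balance_of(self.address) - before

def accounting_gap(pool_cls, deposits=24, amount=Decimal(100)):
    """Recorded balance minus real token balance after `deposits` inbound transfers."""
    token = DeflationaryToken("trader", amount * deposits)
    pool = pool_cls(token)
    for _ in range(deposits):
        pool.deposit("trader", amount)
    return pool.recorded - token.balance_of(pool.address)
```

A non-zero result from `accounting_gap` is the reconciliation signal: the pool's books claim more tokens than it holds, which is the condition a pool has to rule out before accepting a non-standard ERC-20 token.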
Implications and Hacker Tenacity
The hacker’s address, from which they executed the main transaction, currently holds $320,000 of SNX, LINK, and WBTC combined.
DeFi hackers are becoming more sophisticated, using the Tornado Cash mixer to fund the address.
In a prepared statement, Balancer claims they were unaware this kind of attack was possible but had been warned of the consequences non-standard ERC-20 tokens could have on the pool.
This runs contrary to the claims of Twitter user “Hex Capital,” who claims to have submitted this exact issue to Balancer’s bug bounty program in May 2020.
Mike McDonald, co-founder and CTO of Balancer, responded to the comment, saying, “the submitted report was about trading a pool and slowly decreasing the pool's balance vs. internal balance which we were aware of and why warnings existed. Today worked because of flash lending. This is my fault, and I apologize for not taking more time to review other consequences of what could happen.”
The report mentions swapping to get an asset close to 0. I didn’t take into account flash lending and figured a 1% transfer fee would be impossible to get anywhere close to that level on regular swaps (that get more expensive each trade). Again I’ll take full responsibility here
— Mike McDonald (@mikeraymcdonald) June 29, 2020
Balancer didn’t include STA in its latest whitelist of tokens that are eligible to liquidity mine BAL.
Further, Balancer will bar all deflationary tokens from its whitelist and add more documentation concerning how liquidity pools can be exploited.