In a black day for Decentralized Finance (DeFi), two Balancer pools got drained off at least $500,000 through an exploit taking advantage of deflationary properties of Statera (STA) token on June 28, 1inch.exchange team investigation report concluded. The Balancer Labs announced that it will completely reimburse all the losses to the users, as well as give bounty to the white hat hacker, who pointed this attack vector to the Balancer Bug Bounty on May 06 to @Hex_Capital.
After thorough discussions with the community, the Balancer Labs team decided that it will fully reimburse all the liquidity providers who lost funds in the attack of yesterday. We will also pay out the highest bug bounty available for @Hex_Capital
More details on the…— Balancer Labs (@BalancerLabs) June 29, 2020
The hacker executed a complex transaction on the blockchain to attack balancer pools and got away with at least $425,000 worth of tokens. Among them, 455 WETH ($100k worth), 2.4M STA ($100K worth) later converted to 109 WETH ($25K worth), 11.36 WBTC ($100K worth), 60.9K SNX ($100K worth) and 22.6K LINK ($100K worth).
3/ I submitted this exact attack vector to Balancer Labs’ Bug Bounty program 53 days earlier on May 6. At the time, only $250 of user funds were at risk. My medium post includes my full, unedited bug bounty submission.— Hex Capital (@Hex_Capital) June 29, 2020
4/ Today, Balancer announced they would cover all user losses in this hack and would pay out the highest-level bug bounty for my submission. Kudos to the team for making the right decision here! 👏https://t.co/hhn0JuXDNi— Hex Capital (@Hex_Capital) June 29, 2020
Balancer Pools Attack Details
A total of 2 Balancer pools were attacked, using complex similar transactions. A smart contract was utilized to automate multiple actions in a single transactions. After taking a flash loan of 104K WETH from dYdX, the attacker swapped WETH to STA token back and forth 24 times to drain the pool balance and leave it at extremely small balance of 1 weiSTA. It was made possible by the fact that Balancer pool keeps track of the token balancers and deflationary characteristics of the STA token (deduction of transfer fee of 1% charged from the receiving address) resulting in transfer() and transferFrom() misbehavior.
Every time, the swap was executed, the balancer Pool received 1% less STA than it should have. Next, the attacker converted 1 weiSTA to WETH multiple times. Due to the STA token transfer fee implementation, the pool never received the STA but released WETH nonetheless.
The WBTC, SNX and LINK token balances were drained from the pool, in the same manner. The attacker then repaid the flash loan, rapidly increased his share in the Balancer Pool by depositing a few weiSTAs. The attacker lastly used Uniswap V2 to convert collected Balancer Pool tokens to 136K STA, before converting the STAs to 109 WETH again.
The stolen funds were transferred to 0xbf675c80540111a310b06e1482f9127ef4e7469a.
1inch.exchange Comments On the Hacker
The investigation report by the 1inch team concluded that “The person behind this attack was very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols.”
It was further stated that the attack was well organized and prepared for. Also, the hacker used funds gained from Ethereum transactions mixer Tornado Cash to hide the initial source of funds used to pay for the attack and clean any trace leading upto him.
Balancer Pool Rectification Measures To Prevent Such Attacks
The Balancer Labs team announced in the official post that since “Balancer is a permission-less protocol and broken or malicious tokens will always be able to be added at the contract level”, however they will begin adding transfer fee tokens to the UI blacklist, as well as adding more documentation to better inform users of the protocol risks. The Balancer protocol will also undergo a third audit to review security risks.
About Balancer Pools
Balancer is a non-custodial portfolio manager, automated liquidity provider and price sensor. The Balancer pools are programmable automated market makers (AMMs) with certain key properties that allows them to act as self-balancing weighted portfolios, similar to an index fund. However, instead of paying fees to portfolio managers to rebalance portfolios, the same role is undertaken by arbitrageurs, who then pay fees to user pools, while making arb profits.