DeFi just lost roughly half a million dollars on June 29, after an attacker exploited an accounting flaw in two of Balancer's multi-token pools. The attacker specifically targeted pools holding deflationary tokens, i.e. tokens that charge a fee on every transfer.
The team said it had not believed an attack of this kind could actually be pulled off. The attacker also covered their tracks by routing the ETH used to deploy the attack contracts through Tornado Cash.
In total, the attacker got away with 601.3 ETH (~$134.8k), 11.36 WBTC (~$103.5k), 22,593 LINK (~$102.8k), and 60,915 SNX (~$110.9k). The total losses were estimated to be around $452,000.
Making things right
Those affected by the hack should be made whole: Balancer has vowed to compensate every user who lost tokens in the attack.
Balancer will also pay Ankur Agrawal of Hex Capital “the maximum amount” available under its current bug bounty program. He had flagged the bug on May 6, more than seven weeks before it was exploited.
“The bug bounty report by [Agrawal] describes in detail the attack that happened. Our team however did not think it would be a practical attack because of the enormous amounts of funds and also gas we thought would be required for bringing the balance of the deflationary token to near 0 in a single atomic transaction,” Balancer noted.
Balancer had originally declined to pay Agrawal a bounty because “they determined that it was not a critical bug.”
The attack exploited a mismatch between the pool's bookkeeping and reality. STA and STONK are deflationary tokens: a portion of every transfer is burned as a fee, so when they are traded into a pool the pool receives less than the amount sent. Balancer's pools, however, priced swaps from an internal balance record that was credited with the full nominal amount, so the recorded STA and STONK balances came to exceed the tokens the pools actually held.
That gap is what the attacker widened: by repeatedly swapping in and out of STA and STONK, paying the transfer fee each time, the attacker drained the pools' real holdings of the two tokens while the recorded balances, and therefore the prices, lagged behind. The trades were funded with a flash loan, which is why the “enormous amounts of funds” Balancer's team expected to be an obstacle were not one.
Once only a sliver of real STA or STONK remained, the attacker called the pool's public gulp() function, which resyncs a token's recorded balance with the balance the contract actually holds. The recorded STA and STONK balances collapsed to almost nothing, and under the pool's constant-product pricing each remaining unit of STA or STONK became worth a huge amount of the other assets in the pool.
The attacker then swapped tiny amounts of STA and STONK for the pools' ETH, WBTC, LINK and SNX to cash out.
Balancer says details of the reimbursement process will be announced by the end of the week.
As previously reported by The Daily Chain, Balancer has also pledged to add deflationary tokens to its UI blacklist, as it already does for tokens whose transfer functions do not return a boolean. A UI blacklist only stops such pools being created from the official front end; the pool contracts themselves remain permissionless. The protocol said it has already undergone two full audits and has a third planned.