DeFi Balancer Was Hacked Twice Within 24 Hours

2020-07-02 09:30:00 · 79 views · 5 min read


It seems that every time when DeFi is booming, the hackers will come. The last time is Lendf.Me which lost $24.95 million Lendf.Me Hacked & Refunded, this time is Balancer which was hacked twice within 24 hours and lost around $502,300.



We always say security is the most critical element for DeFi. But chasing for higher yield seems to be the nature of humanity. 



Data always tell you something. We can see that Balancer user data, transaction data, and volume data experienced a sharp decline, along with its token $BAL



How Did The 2 Hacks Work?


On 29th Jun, the hacker conducted the attack in two separate transactions. Only pools with STA and STONK, deflationary tokens with transfer fees, were affected by this exploit.



The attacker got a $23 million flash loan of ETH from dYdX. dYdX volume peaked on 29th Jun.



The hacker then converted the ETH to WETH, and started swapping WETH to STA back and forth 24 times. At each swap, the STA balance available to the contract will diminish by 1%. However, the smart contract did not account for this, which make the price of STA remained stable despite the supply of STA in the pool is almost 0.



According to Balancer’s disclosure, the attacker then called a function that updated the price based on the effective pool balance. Since the STA side was empty, it was suddenly priced at a huge premium. 



Then the hacker started to swap for other assets in the platform including ETH, BTC, etc. 



Less than 24 hours later, the second attack happened claimed about $2,300 worth of Compound tokens (COMP). 



The second attack is pretty similar with the first attack actually, just the amount is much smaller. Again, the attack starts with a flash loan from both dYdX and Uniswap. The hacker then swapped the loan into cTokens and transferred it to Balancer. This triggered Compound into distributing the COMP accrued by the pool during its normal operation. The hacker then forced Balancer to update the pool’s balance to include all of the flash loaned money. The system thus believed that the hacker was entitled to a significant share of the pool’s COMP, despite not having held any money previously. Then the hacker withdrew COMP from Balancer afterward. 



Balancer has admitted the bug and said it will refund the whole lost funds and compensate the users. The details of its reimbursement process are expected to announce by the end of the week.



Security is always the key.



You may also like



Make sure you bookmark and subscribe to our newsletter below to get updates direct to your inbox.



Comments Write Comment
Currently there are no comments for this article. Would you like to be the first to write one?
Log In