- Two multi-token Balancer pools have been drained of up to $500k after a hacker manipulated the deflationary nature of STA tokens that were part of the portfolio.
- As the DeFi market balloons to what some now compare to the 2017-2018 ICO boom, its vulnerabilities continue to be exposed, especially in light of arbitrage markets.
Balancer, which is the 4th largest DeFi project as of press time, is a product of Balancer Labs and runs liquidity pools that enable users to execute token swaps automatically. The Ethereum-based project has since acknowledged the attack, noting that it had warned the crypto community about the unintended effects of deflationary tokens:
“Although we were not aware this specific type of attack was possible, we have consistently in our docs, discord, and other channels warned about the unintended effects ERC20s with transfer fees could have in the protocol.”
The Hack in Detail
According to a Medium post by 1inch, an ETH-built exchange, the hacker deployed a complex smart contract on Ethereum's mainnet, taking advantage of the exposure in the 'transfer fee' DeFi model. Notably, the hacker used the smart contract to automate multiple DeFi actions within one execution:
“At first step, the attacker got a FlashLoan of 104k WETH from dYdX. These funds were used to swap WETH to STA token back and forth 24 times which drained STA balance from the pool and it became 1 weiSTA (0.000000000000000001 STA),” details the post.
This was possible because the hacker manipulated the record-keeping contract of Balancer's pools. The contract is designed to keep track of token balances as well as receive transfer fees; when STA tokens are swapped, for example, a 1% fee is charged on the recipient. Given this design, the hacker went on to create misbehavior between the two exchanging parties, which resulted in Balancer pools not receiving the expected STA transfer fees.
It did not end there; the hacker further swapped 1 weiSTA to WETH multiple times. In doing so, they were able to drain WETH from the pool and eventually repeated the process to drain LINK, SNX, and WBTC tokens as well. Finally, the initial flash loan was repaid, and the hacker acquired a bigger share within Balancer’s pool by depositing weiSTAs to initiate a token swap to WETH for liquidation:
“Then he swapped collected Balancer Pool token to 136k STA via Uniswap V2, and then he swapped 136k STA to 109 WETH again.”
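The record-keeping gap described above, modelled as an added example (not code from Balancer, 1inch or this article): a pool that credits the requested amount drifts away from what it really holds when the token takes a 1% transfer fee, while a pool that credits the measured balance change stays consistent. `FeeToken`, `Pool` and `run` are hypothetical names, and modelling the fee as a deduction from what the recipient receives is an assumption.

```python
FEE_BPS = 100  # 1% transfer fee, the rate the article gives for STA


class FeeToken:
    """Hypothetical token (assumption): recipient is credited amount minus the fee."""

    def __init__(self):
        self.balances = {}

    def mint(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        fee = amount * FEE_BPS // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount - fee


class Pool:
    """Hypothetical pool that keeps its own record of the tokens it holds."""

    def __init__(self, token, credit_measured):
        self.token = token
        self.credit_measured = credit_measured
        self.recorded = 0

    def actual(self):
        return self.token.balances.get("pool", 0)

    def deposit(self, sender, amount):
        before = self.actual()
        self.token.transfer(sender, "pool", amount)
        received = self.actual() - before
        # Weak: trust the requested amount. Hardened: credit what arrived.
        self.recorded += received if self.credit_measured else amount

    def drift(self):
        """Tokens the record claims that the pool does not hold."""
        return self.recorded - self.actual()


def run(credit_measured, deposits=10, amount=10_000):
    token = FeeToken()
    token.mint("user", deposits * amount)  # constructed sample input
    pool = Pool(token, credit_measured)
    for _ in range(deposits):
        pool.deposit("user", amount)
    return pool.recorded, pool.actual(), pool.drift()
```

A non-zero `drift()` is the condition to alert on or reject: it means the internal record and the token contract disagree about the pool's holdings.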
Balancer Set to Take Action
Following the incident, Balancer has said that it will begin adding ‘transfer fee’ tokens to its UI blacklist; the list is set to be non-exhaustive with the possibility of new tokens being added at any time. In addition to this, the Ethereum-built protocol will increase available documentation on the risks involved in operating Balancer Pools. The protocol has since undergone two full audits with a third scheduled for today as part of ongoing review processes to boost its efficiency amidst the rise of crypto arbitrage in the DeFi markets.