Decentralized finance (Defi) protocol Balancer was on Sunday hacked for more than $450,000 worth of cryptocurrency.
In two separate transactions, an attacker targeted two pools containing Ethereum-based tokens with transfer fees – or so-called deflationary tokens.
Pools with Sta and Stonk tokens were affected by this exploit, Balancer, an automated market marker protocol, said on June 29.
The hacker made off with around 601 ether, 11 wrapped bitcoin (WBTC), 22,600 chainlink (LINK), and 61,000 synthetix (SNX) – altogether totaling more than $451,000.
According to an analysis by Dex aggregator 1inch.exchange, the attacker used a smart contract to automate multiple actions in a single transaction. First, the hacker obtained a flash loan of $23 million worth of ethereum from the crypto-lending platform Dydx.
The money was used to swap Weth to Statera (Sta), a so-called deflationary token, back and forth 24 times until the Sta balance was totally drained. With Sta, at least one percent of the token is programmed to burn with every transaction.
However, the Balancer pool apparently failed to account for this mechanism. So, the Sta balance declined by one percent every time the attacker made their 24 swaps. After this, the hacker exchanged 1 weiSta, or the equivalent of a billionth of a token, to Weth several times.
Due to Sta token transfer fee implementation, the pool never received statera, but still proceeded to release the wrapped ether regardless, said 1inch. The same step was repeated to drain WBTC, SNX, and link token balances from the pool, it added.
Finally, the attacker repaid the $23 million Dydx loan. Later, they converted the Sta tokens to Balancer pool tokens and eventually into ethereum via Uniswap, which was then cashed out.
1inch noted that the attack was carried out by a “sophisticated smart contract engineer” who is deeply knowledgeable about decentralized finance and its protocols.
Balancer claimed that “we were not aware this specific type of attack was possible, [but] we have consistently…warned about the unintended effects ERC20s with transfer fees could have in the protocol.”
To prevent future attacks, the platform said that it will start to add ‘transfer fee tokens to the UI blacklist similarly to what we have done for no bool transfer tokens.”
“We will be adding more documentation around the risks of how these pools work and how broken or maliciously designed tokens can potentially drain assets from a pool,” it added.
A number of Defi platforms have been hacked this year. In February, Bzx protocol was attacked twice while Maker lost around $8.3 million in March. Uniswap and Dforce were drained of $300,000 and $25 million, respectively, although this later amount was returned by the hacker in April.
What do you think about the Balancer pool hack? Let us know in the comments section below.
Image Credits: Shutterstock, Pixabay, Wiki Commons
Disclaimer: This article is for informational purposes only. It is not a direct offer or solicitation of an offer to buy or sell, or a recommendation or endorsement of any products, services, or companies. Bitcoin.com does not provide investment, tax, legal, or accounting advice. Neither the company nor the author is responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any content, goods or services mentioned in this article.