DeFi risks; Hackers drain $500k in LINK, wrapped ETH, and other alts from Balancer pools

Hackers made away with $500k worth of Wrapped Ether, Chainlink, and Synthetix from Balancer pools early on Monday, after a deflationary token model was taken advantage of.

Balancer addressed the issue soon after, confirming the hack and stating the protocol was not compromised. All other tokens remain unaffected, and the exchange continues to function.

On the incident with non-standard ERC20 deflationary tokens today.https://t.co/xgYxBTDVvK

— Balancer Labs (@BalancerLabs) June 29, 2020

$500k stolen

Two balancer pools were affected on Monday morning after hackers used a vulnerability in the contract models of a token, Statera (STA), which runs on a “deflationary” model.

Balancer pools are a type of automated market makers (AMM), providing on-chain liquidity for multiple assets and keeping them balanced in certain proportions.

For the incident, hackers sent a complex transaction to Ethereum Mainnet which caused an attack on one of the Balancer Pools, as per a report by 1inch exchange, a DEX aggregator. Soon after, another transaction led to the draining of funds from another Balancer Pool.

Our investigation of $500k hack from @BalancerLabs multi-token pools with deflationary tokens ?️‍♂️ https://t.co/yCuYWpBAzM #DeFi

— 1inch.exchange (@1inchExchange) June 29, 2020

Using a sophisticated approach, the attacker used an automated smart contract to run multiple actions in a single transaction. The first step involved taking out a “FlashLoan” of 104k WETH from dYdX (another DEX). 

The funds were used to swap WETH to STA token over 24 times, causing STA balances to be drained until it became 1 weiSTA (0.000000000000000001 STA).

The above was possible as the STA token ran on a deflationary model with transfer fee of 1 percent charged from a recipient. This meant every time the attacker swapped WETH to STA, the Balancer pool received 1 percent less STA than was expected, 1inch noted, adding:

“As the next step, the attacker swapped 1 weiSTA to WETH multiple times. Due to STA token transfer fee implementation, the pool never received STA but released WETH regardless.”

Full circle and DeFi risks

Similar steps were used to drain WBTC, SNX, and LINK token balances from the pool. The hacker reached full circle by repaying the WETH FlashLoan dYdX. All the stolen funds can be tracked and viewable on this address. 

STA was advised of its deflationary model being broken before listing on Balancer, as some on Twitter observed:

Well, $STA team was only told over & over & over that they weren't going to get $BAL incentives due to the deflationary nature of their token and that, in fact, something bad might happen with the @BalancerLabs smart contracts, which were not designed for deflationary tokens.

— Nicholas K??????apels (Pᚱof K) (@shanghaipreneur) June 28, 2020

At press time, STA is down over 80 percent. Relevant tweets on the subject show the community is not pleased, and some are threatening legal action against Balancer.

Meanwhile, “Hex Capital” claimed to have appraised the issue to Balancer Labs at an earlier time, but receiving no response on the subject:

@StateraProject pool was drained because Balancer Labs refused to acknowledge this critical vulnerability I alerted them about in MAY. This is a major issue in crypto today – creating bug bounty programs and then ignoring the results + refusing to pay out. We need to do better

— Hex Capital (@Hex_Capital) June 29, 2020

Mentioned in this article

Balancer Ethereum Chainlink

Ad

Nansen Collaborates with TRON DAO to Empower Developers and Users with Advanced Blockchain Insights

Ad

CryptoSlate on X x.com/cryptoslate

Follow us on X for instant crypto news and insights updates.

Follow @cryptoslate

Ad

Latest Ethereum Stories

SEC Chair Gary Gensler to step down on Jan. 20

Regulation 3 hours ago

After nearly four years as SEC Chair Gary Gensler will step down from his role the same day President Donald Trump takes office.

South Korea links major crypto heist to North Korea, recovers Bitcoin

Crime 9 hours ago

South Korea's success in reclaiming stolen crypto marks a breakthrough in combatting North Korean cybercrime.

SEC delays decision on Franklin Templeton’s crypto Index ETF to 2025

ETF 24 hours ago

Franklin Templeton's crypto ETF decision pushed back as SEC exercises extended review period.

Bitfinity bridges Bitcoin and Ethereum with new Layer-2 mainnet, raises $12 million

Layer2 2 days ago

New Bitgems feature on Bitfinity's Layer-2 mainnet rewards user engagement and fosters community growth.

Latest Press Releases

View All

Ike Goes Live on Mainnet: Unlocking Liquid Staking on Aleph Zero

Chainwire 5 hours ago

Coinshift Launches csUSDL, Announces Strategic Partnerships

Chainwire 5 hours ago

Rise Secures $6.3M in Series A Funding for Hybrid Payroll Infrastructure

Chainwire 5 hours ago