DeFi risks; Hackers drain $500k in LINK, wrapped ETH, and other alts from Balancer pools
Hackers made off with $500k worth of Wrapped Ether, Chainlink, and Synthetix from Balancer pools early on Monday after exploiting a deflationary token model.
Balancer addressed the issue soon after, confirming the hack and stating the protocol was not compromised. All other tokens remain unaffected, and the exchange continues to function.
On the incident with non-standard ERC20 deflationary tokens today. https://t.co/xgYxBTDVvK
— Balancer Labs (@BalancerLabs) June 29, 2020
$500k stolen
Two Balancer pools were affected on Monday morning after hackers exploited a vulnerability arising from the contract model of a token, Statera (STA), which runs on a “deflationary” model.
Balancer pools are a type of automated market maker (AMM), providing on-chain liquidity for multiple assets and keeping them balanced in set proportions.
In the incident, hackers sent a complex transaction to Ethereum Mainnet that attacked one of the Balancer pools, according to a report by 1inch exchange, a DEX aggregator. Soon after, another transaction drained funds from a second Balancer pool.
Our investigation of $500k hack from @BalancerLabs multi-token pools with deflationary tokens https://t.co/yCuYWpBAzM #DeFi
— 1inch.exchange (@1inchExchange) June 29, 2020
Using a sophisticated approach, the attacker used an automated smart contract to run multiple actions in a single transaction. The first step involved taking out a “FlashLoan” of 104k WETH from dYdX (another DEX).
The funds were used to swap WETH to STA token over 24 times, causing STA balances to be drained until it became 1 weiSTA (0.000000000000000001 STA).
This was possible because the STA token ran on a deflationary model with a 1 percent transfer fee charged to the recipient. Every time the attacker swapped WETH to STA, the Balancer pool therefore received 1 percent less STA than its accounting expected, 1inch noted, adding:
“As the next step, the attacker swapped 1 weiSTA to WETH multiple times. Due to STA token transfer fee implementation, the pool never received STA but released WETH regardless.”
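The accounting mismatch 1inch describes, reproduced as an added simulation (not Balancer's or Statera's code; the 1 percent fee, the `Pool` class and the deposit amounts are constructed for illustration). The vulnerable pattern credits the caller-stated amount, so the pool's recorded reserve drifts above what it actually holds; the hardened pattern credits only the observed balance change.

```python
# Added simulation of fee-on-transfer token accounting (constructed example).
from dataclasses import dataclass, field

FEE_BPS = 100  # constructed: 1 percent transfer fee, as described for STA


@dataclass
class FeeOnTransferToken:
    """Token that burns a fee on every transfer; the recipient gets less than sent."""
    balances: dict = field(default_factory=dict)

    def transfer(self, src, dst, amount):
        assert self.balances.get(src, 0) >= amount, "insufficient balance"
        fee = amount * FEE_BPS // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount - fee
        return amount - fee


@dataclass
class Pool:
    token: FeeOnTransferToken
    name: str
    recorded: int = 0  # what the pool *believes* it holds in reserve

    def deposit_trusting(self, user, amount):
        # Vulnerable pattern: credit the amount the caller said it sent.
        self.token.transfer(user, self.name, amount)
        self.recorded += amount

    def deposit_measured(self, user, amount):
        # Hardened pattern: credit only the balance change actually observed.
        before = self.token.balances.get(self.name, 0)
        self.token.transfer(user, self.name, amount)
        self.recorded += self.token.balances[self.name] - before

    def actual(self):
        return self.token.balances.get(self.name, 0)


def accounting_gap(measured: bool, deposits=(1_000, 1_000, 1_000)):
    """Return (recorded, actual) reserves after the deposits. A positive gap
    means the pool overstates its reserve and will misprice the next swap."""
    tok = FeeOnTransferToken({"user": 10_000})
    pool = Pool(tok, "pool")
    for amt in deposits:
        (pool.deposit_measured if measured else pool.deposit_trusting)("user", amt)
    return pool.recorded, pool.actual()
```

The check a pool should make is the one `deposit_measured` performs: compare the token balance before and after the transfer rather than trusting the transfer amount.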
Full circle and DeFi risks
Similar steps were used to drain the WBTC, SNX, and LINK balances from the pool. The hacker came full circle by repaying the WETH FlashLoan to dYdX. All the stolen funds can be tracked and viewed at this address.
STA was advised of its deflationary model being broken before listing on Balancer, as some on Twitter observed:
Well, $STA team was only told over & over & over that they weren't going to get $BAL incentives due to the deflationary nature of their token and that, in fact, something bad might happen with the @BalancerLabs smart contracts, which were not designed for deflationary tokens.
— Nicholas Krapels (Pᚱof K) (@shanghaipreneur) June 28, 2020
At press time, STA is down over 80 percent. Relevant tweets on the subject show the community is not pleased, and some are threatening legal action against Balancer.
Meanwhile, “Hex Capital” claimed to have reported the issue to Balancer Labs earlier but to have received no response:
@StateraProject pool was drained because Balancer Labs refused to acknowledge this critical vulnerability I alerted them about in MAY. This is a major issue in crypto today – creating bug bounty programs and then ignoring the results + refusing to pay out. We need to do better
— Hex Capital (@Hex_Capital) June 29, 2020