DeFi risks; Hackers drain $500k in LINK, wrapped ETH, and other alts from Balancer pools

Hackers made away with $500k worth of Wrapped Ether, Chainlink, and Synthetix from Balancer pools early on Monday, after a deflationary token model was taken advantage of.

Balancer addressed the issue soon after, confirming the hack and stating the protocol was not compromised. All other tokens remain unaffected, and the exchange continues to function.

On the incident with non-standard ERC20 deflationary tokens today.https://t.co/xgYxBTDVvK

— Balancer Labs (@BalancerLabs) June 29, 2020

$500k stolen

Two balancer pools were affected on Monday morning after hackers used a vulnerability in the contract models of a token, Statera (STA), which runs on a “deflationary” model.

Balancer pools are a type of automated market makers (AMM), providing on-chain liquidity for multiple assets and keeping them balanced in certain proportions.

For the incident, hackers sent a complex transaction to Ethereum Mainnet which caused an attack on one of the Balancer Pools, as per a report by 1inch exchange, a DEX aggregator. Soon after, another transaction led to the draining of funds from another Balancer Pool.

Our investigation of $500k hack from @BalancerLabs multi-token pools with deflationary tokens ?️‍♂️ https://t.co/yCuYWpBAzM #DeFi

— 1inch.exchange (@1inchExchange) June 29, 2020

Using a sophisticated approach, the attacker used an automated smart contract to run multiple actions in a single transaction. The first step involved taking out a “FlashLoan” of 104k WETH from dYdX (another DEX). 

The funds were used to swap WETH to STA token over 24 times, causing STA balances to be drained until it became 1 weiSTA (0.000000000000000001 STA).

The above was possible as the STA token ran on a deflationary model with transfer fee of 1 percent charged from a recipient. This meant every time the attacker swapped WETH to STA, the Balancer pool received 1 percent less STA than was expected, 1inch noted, adding:

“As the next step, the attacker swapped 1 weiSTA to WETH multiple times. Due to STA token transfer fee implementation, the pool never received STA but released WETH regardless.”

Full circle and DeFi risks

Similar steps were used to drain WBTC, SNX, and LINK token balances from the pool. The hacker reached full circle by repaying the WETH FlashLoan dYdX. All the stolen funds can be tracked and viewable on this address. 

STA was advised of its deflationary model being broken before listing on Balancer, as some on Twitter observed:

Well, $STA team was only told over & over & over that they weren't going to get $BAL incentives due to the deflationary nature of their token and that, in fact, something bad might happen with the @BalancerLabs smart contracts, which were not designed for deflationary tokens.

— Nicholas K??????apels (Pᚱof K) (@shanghaipreneur) June 28, 2020

At press time, STA is down over 80 percent. Relevant tweets on the subject show the community is not pleased, and some are threatening legal action against Balancer.

Meanwhile, “Hex Capital” claimed to have appraised the issue to Balancer Labs at an earlier time, but receiving no response on the subject:

@StateraProject pool was drained because Balancer Labs refused to acknowledge this critical vulnerability I alerted them about in MAY. This is a major issue in crypto today – creating bug bounty programs and then ignoring the results + refusing to pay out. We need to do better

— Hex Capital (@Hex_Capital) June 29, 2020

Mentioned in this article

Balancer Ethereum Chainlink

Ad

How BlastUP is changing the game for blockchain startups

Ad

CryptoSlate on Substack cryptoslate.substack.com

Essential crypto updates and analyses. Straight to your inbox, every day.

Join 75k subscribers

Ad

Latest Ethereum Stories

Global ETP investors shift $126 million away from major cryptocurrencies, favor altcoins like Polkadot

Investments 15 hours ago

Bitcoin was responsible for 87% of the total digital asset investment outflows last week.

Vitalik Buterin’s RailGun advocacy triggers sharp rise in privacy tokens

Crypto 17 hours ago

Privacy coins have come under increased scrutiny from regulators globally.

Hong Kong approves Bitcoin and Ethereum ETFs as US lingers on ETH approval

Crypto 24 hours ago

The reported ETF approvals further propel Hong Kong into crypto leadership in Asia.

Bitcoin’s crash to $64k causes meltdown for alts

Crypto 4 days ago

The decline mirrored a broader selloff across asset classes amid heightened global economic uncertainties and geopolitical risks.

You might also enjoy...

Big Short 2.0: Yield farming on DeFi apps? Here’s the risk no one talks about

DeFi 4 years ago

Ethereum co-founder rings caution bell on DeFi surge; critics reminded of ICO boom

DeFi 4 years ago

Latest Alpha Market Report

Available exclusively via

Dial H for Halving: Unpacking the technicalities of Bitcoin’s halving

Andjela Radmilac · 21 hours ago

CryptoSlate's latest market report dives deep into the Bitcoin halvings, exploring its technical underpinnings, the historical context of previous halvings, and their long-term impacts on the network.

Latest Press Releases

View All

stc Bahrain and Aleph Zero Partner to Advance Blockchain DePIN Across the Gulf Region

Chainwire 32 mins ago

Covalent (CQT) Announces Grants Program & API Credits for Cronos Ecosystem, Supercharging Future Web3 Innovation

News Desk 14 hours ago

STEPN partners with adidas on exclusive NFT sneakers

Chainwire 21 hours ago