- A hacker has stolen $500k worth of Ethereum and other coins from a Balancer Pool.
- The hacker took out a flash loan, which allows you to take out a lot of money for a specific purpose, and then used it to attack the Balancer Pool.
- Balancer Pool has said that it will add transfer fee tokens to a blacklist and review the protocol.
An attacker managed to steal a staggering $500k worth of Ethereum and other altcoins from a Balancer Pool.
Balancer Pools are automatic market makers that use algorithms to balance the amount of each crypto running through their systems. They keep the market liquid.
So, what happened? According to a write-up by 1inch Exchange, the hacker took out a flash loan and used it to attack the Balancer Pool.
Gone in a flash loan
Flash loans are loans that allow you to take out a lot of money for a very specific purpose. When you take out a flash loan, you do one thing, and then pay the loan back straight away.
In this case, the attacker took out a flash loan of 104,000 WETH from dYdX, according to 1inch. WETH is “wrapped ETH,” a version of ETH that can be traded directly for altcoins.
Then, the attacker swapped the WETH for STA tokens 24 times. STA tokens are Stratera tokens. STA is a deflationary token, meaning that 1% of the value of every transaction is burned.
"Taken separately, STA tokens and balancer pools are not vulnerable. But using STA tokens in a balancer pool leads to a vulnerability allowing to drain the pool," Clément Lesaege, CTO of Kleros, told Decrypt.
Because the attacker made so many trades, this STA quickly became near worthless. The hacker then swapped this near worthless STA for WETH.
Because of the way the Balancer Pool was set up, the pool released lots of WETH. The hacker used this tactic to obtain hauls of WBTC, SNX, LINK and COMP, too.
Finally, the hacker paid back their flash loan. Then, they used some of the near-worthless STA tokens to gain market share in the Balancer Pool—they didn’t need much STA to do this, because they’d drained the pool of funds. After some nefarious swaps, they took a whole load more money out of the smart contracts.
“The person behind this attack was [a] very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols,” wrote 1inch. “The attack was organized and well prepared in advance.”
Steven Zheng of The Block said in a tweet today that “Community members did warn the Balancer Labs team of potential exploits with these tokens three days ago - asking the team to blacklist them.”
Though Balancer delisted the protocol from their site prior to the exploit, they couldn't do so at the contract level, since they don't control those contracts, said Lesaege. "So delisting can have prevented people from adding money to the vulnerable pool, but it didn't lead to money which was already there to being removed," he said.
Could the attack have been prevented?
The team behind Balancer Pools said in a Medium post that “Although we were not aware this specific type of attack was possible, we have consistently in our docs, discord, and other channels warned about the unintended effects ERC20s with transfer fees could have in the protocol.”
Lesaege disagrees. "I don't think they understood the full implication of this bug," he said. "I don't think they expected that someone could, in one transaction, borrow a ton of money, trade multiple times (such that the small accounting errors accumulate), readjust the accounting ("gulping") to the real contract balance, making the internal price of STA near infinite, and then use a small amount of STA to buy the whole pool."
Lesaege told Decrypt that the issue was that STA marketed itself as an ERC20 token "while it isn't." The company Lesaege works for has a tool for verifying ERC20 tokens. Though he blames STA for, he alleges, falsely advertising themselves, "It's Balancer's fault to have trusted them on this for a long amount of time," he said.
Going forward, Balancer will add transfer fee tokens to a blacklist, write some more documentation explaining how this all work, and “continue to audit and review the protocol.”
Stani Kulechov, who runs another DeFi flash loans protocol, Aave, told Decrypt of the difficulties of designing complicated tokens and DeFi protocols. The token was designed "without taking into considerations such automated market-making liquidity pools and the attack vectors," he said. "Different types of scenarios have to be taken into account," he said, recognizing the weight of his own ambition.