Hacker Drains $500K From DeFi Liquidity Provider Balancer

The sophisticated attack exploited a loophole that tricked the protocol into releasing $500,000 worth of tokens.

Jun 29, 2020 at 11:12 a.m. UTC
Updated Aug 19, 2021 at 2:48 a.m. UTC


"We were not aware this specific type of attack was possible."

Decentralized finance (DeFi) liquidity provider Balancer Pool admitted early Monday morning it had fallen victim to a sophisticated hack that exploited a loophole, tricking the protocol into releasing $500,000 worth of tokens.

In a blog post, Balancer CTO Mike McDonald said the attacker had borrowed $23 million worth of WETH tokens, an ether-backed token suitable for DeFi trading, in a flash loan from dYdX. They then traded, against themselves, with Statera (STA), an investment token that uses a transfer fee model and burns 1% of its value every time it's traded.

The attacker swapped back and forth between WETH and STA 24 times, draining the pool's STA until its actual balance was next to nothing. Because Balancer's pool still believed it held the original amount of STA, it priced its WETH against that stale balance and released WETH accordingly, giving the attacker a larger margin on every trade completed.

As well as WETH, the attacker performed the same attack using WBTC, LINK and SNX, all against Statera tokens.
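
The accounting flaw described above, as an added illustration that is not from the CoinDesk article, Balancer's contracts or Statera's code: a toy constant-product pool paired with a 1%-burn token. The "vulnerable" mode credits a deposit by the amount the caller sent, so its recorded reserve drifts above what it really holds; the "delta" and "reject" modes show two defensive choices (credit only the measured balance change, or refuse fee-on-transfer tokens outright, which is the route Balancer announced). All names, balances and trade sizes are constructed.

```python
BURN_BPS = 100  # 1% of every transfer is burned, Statera-style (constructed)

class BurnToken:
    """Minimal fee-on-transfer token: the receiver is credited 99% of the amount."""
    def __init__(self, balances):
        self.bal = dict(balances)
    def transfer(self, src, dst, amount):
        if self.bal.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.bal[src] -= amount
        self.bal[dst] = self.bal.get(dst, 0) + amount - amount * BURN_BPS // 10_000

class Pool:
    """x*y=k pool of a fee-free 'plain' token and a BurnToken. `mode` selects how
    incoming BurnToken deposits are credited: 'vulnerable' trusts the amount the
    caller sent; 'delta' credits the measured balance change; 'reject' refuses a
    token whose received amount differs from the amount sent."""
    def __init__(self, token, plain, sta, mode):
        self.token, self.plain, self.recorded_sta, self.mode = token, plain, sta, mode
    def actual_sta(self):
        return self.token.bal.get("pool", 0)
    def swap_plain_for_sta(self, user, amount_in):
        out = self.recorded_sta * amount_in // (self.plain + amount_in)
        self.plain += amount_in                 # plain token charges no fee
        self.recorded_sta -= out                # outgoing amount is exact
        self.token.transfer("pool", user, out)  # user actually receives 99% of out
        return out
    def swap_sta_for_plain(self, user, amount_in):
        before = self.actual_sta()
        self.token.transfer(user, "pool", amount_in)
        received = self.actual_sta() - before   # what the pool really got
        if self.mode == "reject" and received != amount_in:
            raise ValueError("fee-on-transfer token not supported")  # on-chain: revert
        credited = amount_in if self.mode == "vulnerable" else received
        out = self.plain * credited // (self.recorded_sta + credited)
        self.recorded_sta += credited
        self.plain -= out
        return out

def simulate(mode, rounds=24, trade=100_000):
    """Round-trip plain->STA->plain `rounds` times; return (recorded, actual) STA."""
    token = BurnToken({"pool": 1_000_000, "trader": 0})
    pool = Pool(token, plain=1_000_000, sta=1_000_000, mode=mode)
    for _ in range(rounds):
        pool.swap_plain_for_sta("trader", trade)
        pool.swap_sta_for_plain("trader", token.bal["trader"])
    return pool.recorded_sta, pool.actual_sta()
```

After 24 round trips the vulnerable pool's recorded STA exceeds its real balance while the delta-accounted pool stays consistent, which is the gap a stale reserve leaves for mispriced swaps.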

The hacker's identity remains a mystery, but analysts at 1inch exchange, a decentralized exchange aggregator, said the hacker had covered their tracks well: the ether used to pay transaction fees and deploy smart contracts was laundered through Tornado Cash, an Ethereum-based mixer service.

"The person behind this attack was [a] very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols," 1inch said in its blog post on the breach.

For its part, the team behind Statera batted away accusations that the protocol had either failed or been designed intentionally for this sort of attack to take place.

"We deeply regret, apologize and sincerely extend our condolences to all the victims of this attack," Statera said in an official announcement.

The project added that it was not in a position to be able to refund the attacker's victims.

Balancer Pool will now begin blacklisting all transfer fee tokens, including Statera, McDonald said. As well as another audit, McDonald said the team would do more research into how the hack happened and whether similar vulnerabilities exist with other listed tokens.

The attack could not have come at a worse time for Balancer, which only released its own "BAL" governance token last week.

At press time, CoinGecko data shows BAL tokens trading at the $11 mark, down about 5% in the past 24 hours.
