Decentralized finance (DeFi) liquidity providing platform Balancer was hacked today, reportedly with USD 500,000 worth of crypto stolen.
Following several reports online, Balancer confirmed that on June 29 an incident occurred, affecting two pools containing transfer fees, known as deflationary tokens.
Their report provided steps for how this was done, entailing taking a flash loan in ethereum (ETH) from the non-custodial exchange dYdX, converting them to WETH (Wrapped Ethereum), trade more of this WETH and STA tokens, draining the STA balance from the pool, and as the balance is close to zero, “its price relative to the other tokens is extremely high and the attacker can now use STA to swap for other assets in the pool extremely cheaply,” said the platform. This report didn’t explicitly say how much money was stolen, providing a contract explorer instead.
The 1inch exchange also put out a report, saying that, following a number of complex steps, “due to STA token transfer fee implementation, the pool never received STA but released WETH regardless. The same step was repeated to drain WBTC, SNX and LINK token balances from the pool.” All in all, they write, the attacker took out more than USD 500,000, transferring it to this address, which currently holds ETH 601 (c. USD 134,000).
The report mentions swapping to get an asset close to 0. I didn’t take into account flash lending and figured a 1% transfer fee would be impossible to get anywhere close to that level on normal swaps (that get more expensive each trade). Again I’ll take full responsibility here
— Mike McDonald (@mikeraymcdonald) June 29, 2020
1inch writes that “the person behind this attack was very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols”, and that “the attack was organized and well prepared in advance.”
SetProtocol product marketing manager Anthony Sassano argued that, given that ETH mixer Tornado Cash was used to fund the first wallet, “DeFi attackers are getting more sophisticated and creative.”
more evidence for the hypothesis that the more liquidity in mixers, the more the addressable market for exploits and hacks increases
— nic carter (@nic__carter) June 29, 2020
Others wonder if there was some foul play involved. “That sounds really negligent, almost like it could have been on purpose,” said ‘rahul8658’ on the Reddit thread. “Exit scam with plausible deniability?,” asked ‘Ethereum Customer Support’ on Twitter.