Hackers siphoned more than $450,000 in deflationary tokens on Monday from two multi-token pools on Balancer, an automated market maker protocol.
Two separate transactions were made within 45 minutes to exploit the STA and STONK pools with transfer fees.
The Most Diverse Audience to Date at FMLS 2020 – Where Finance Meets Innovation
First, the attacker received $23 million in flash loan from dYdX and then converted them to WETH, then started to repeatedly convert WETH to STA and vice versa for 24 times. With 1 percent transaction on each trade, almost all the STA balance in the pool was drained with only 0.000000000000000001 STA remaining.
According to the blockchain data, the attacker drained a total of around $452,000 in digital currencies – 601.3 ETH worth around $134,800; 11.36 WBTC valued at $103,500; 22,593 LINK worth $102,800; and 60,915 SNX worth around $110,900.
In an official statement, Balancer said that the protocol developers were not aware of the possibility of any such attacks.
“This is explicitly why STA was not included in the BAL mining whitelist that was recently put together,” the official Medium post read. “The system is designed for compliant ERC20’s and when tokens behave unintended ways, bad things can happen. Balancer is a permission-less protocol and broken or malicious tokens will always be able to be added at the contract level.”
A sophisticated smart contract engineer
DEX Aggregator 1inch in a post stated that the hacker “very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols.”
The DeFi ecosystems saw exponential growth recently, with a total locked-in value of around $1.63 billion in various platforms, according to DeFi Pulse. But attacks on such platforms also increased. bZx and dForce, two leading DeFi platforms were attacked earlier this year, showing the vulnerability of these platforms.
These platforms are also vulnerably to sharp market movement as one almost collapsed the Maker protocol.