DeFi’s Balancer Pool Hacker Drains Funds Worth About $500k

DeFi platform Balancer’s multi-token pools were under attack after a hacker drained about $500k worth of funds. 

Sophisticated Smart Contract Engineer Behind The Hack?

Decentralized Finance [DeFi] has been in the news lately following the launch of two prominent governance tokens from lending protocol Compound Finance as well as decentralized exchange Balancer. Compound’s COMP token was the first to hit the market and still has the entire DeFi space under its dominance.

While Balancer was also seen doing well, the platform revealed a recent glitch that it experienced. Balancer Labs revealed that an attacker had drained funds worth of about $500,000 from two pools that sustained deflationary tokens. The tokens in these pools were STA and STONK tokens.

Pools with the aforementioned tokens with transfer fees were reportedly the only ones to be affected by the hack. The platform’s co-founder, Mike McDonald elaborated on the same in a recent blog post.

A hacker reportedly carried this out via two different transactions. The hacker acquired a loan of 23 million USD worth of Ether from decentralized borrowing and lending platform dYdX. WETH, as well as STA, was further traded continuously for about 24 times in extensive volumes, causing the STA balance in the pool to plummet to a low of 0.000000000000000001 STA. Each time WETH was converted into STA the Balancer Pool gained 1 percent less STA than the conventional amount.

1inch, a DEX aggregator elaborated on the same in his Medium post and stated,

“As the next step, the attacker swapped 1 weiSTA to WETH multiple times. Due to STA token transfer fee implementation, the pool never received STA but released WETH regardless. The same step was repeated to drain WBTC, SNX and LINK token balances from the pool.”

Even though Balancer wasn’t aware of the possibility of such an attack, the platform claims to have warned the users about the “unintended effects ERC20s with transfer fees could have in the protocol.”

1inch believes that the attack was carried out by a “sophisticated smart contract engineer” who had immense knowledge about the DeFi space and its protocols. The stolen funds were further transferred to the address, 0xBF675C80540111A310B06e1482f9127eF4E7469A.

Furthermore, Balancer suggested that the platform would be adding transfer fee tokens to the UI blacklist, more documentation pertaining to the working of the pools, and even concocted a 3rd audit that would take place before today.