Another Ethereum DeFi hack: Balancer Pools looses $500,000

  • Mike McDonald, CTO of Ethereum based DeFi protocol Balancer Pool, has confirmed that an attacker has succeeded in stealing funds worth $500,000.
  • The funds were stolen from 2 pools with the tokens STA and STONK after the attacker had taken out a flash loan with WETH.

The growth of Ethereum‘s DeFi sector in recent months has shown that investors have regained confidence after the “Black Thursday” in March, when the DeFi market collapsed. The growth in this sector had a direct positive impact on the ETH price. However, an attack on the protocol of the DeFi Balancer Pool could mean a major setback for investor confidence.

Ethereum DeFi hack: How was the $500,000 stolen?

As Mike McDonald, CTO of Balancer Pool, confirmed in a publication dated 28 June, the attacker managed to empty two pools of protocol transfer funds. The funds were stored in Statera (STA) and STONK tokens. McDonald described the events that led to the theft of $500,000.

First, the attacker took a flash loan in ETH from the dYdX protocol to turn them into 104,000 Wrapped Ethereum (WETH). Then, he continuously traded the WETH and STA tokens in increasing amounts. With each transaction, McDonald said, the pool with STA has a transfer fee, but expects to receive the balance not including the transfer fee. Balancer’s CTO continued with the following:

After enough calls, the attacker calls gulp() which syncs the internal pool accounting of a token balance to the actual balance as stored in the token tracker contract. Because the balance of STA is close to zero, its price relative to the other tokens is extremely high and the attacker can now use STA to swap for other assets in the pool extremely cheaply.

McDonald confessed that they were not aware of this specific vulnerability, but claims that they have issued ongoing warnings about possible “unintended effects” of transfer fees for ERC tokens. Users have received these warnings through Balancer Pool’s communication channels. McDonald stated that the permissionless nature of the protocol makes an attack by malicious actors always possible at the smart contract level.

In reaction to the hack, the Balancer Pool team will start adding the stolen funds to an address blacklist. They will also add more information about the risks of these attacks. Finally, Balancer Pool will start a new protocol audit process.

On the other hand, the 1inch team conducted an investigation that allowed them to determine not only the entire process used by the attacker, but also the address to which the funds were transferred: 0xbf675c80540111a310b06e1482f9127ef4e7469a. 1inch also stated the following:

The person behind this attack was very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols. The attack was organized and well prepared in advance.

The attack followed a similar pattern to the bZx protocol in February of this year. At that time, the attacker also took a flash loan on the dYdX protocol worth 10,000 ETH. After moving the funds to other protocols, he managed to steal an estimated 2,300 ETH. The attack was mainly attributed to the oracle service used by bZx that was manipulated by the attacker for his benefit.

Last updated on