A new hacking attack has recently been carried out against a DeFi protocol. This time the victim was Balancer, which immediately notified its users of the ongoing attack.
On the incident with non-standard ERC20 deflationary tokens today. https://t.co/xgYxBTDVvK
– Balancer Labs (@BalancerLabs) June 29, 2020
For those who are not familiar with this project, Balancer is a non-custodial portfolio manager, liquidity provider and price sensor. Its strong point is the Balancer Pool, an AMM (Automated Market Maker) that manages a portfolio, the pool itself and the price of each token in it.
A Balancer Pool lets its liquidity providers earn fees from traders who rebalance the pool by taking advantage of arbitrage opportunities. The protocol launched on mainnet only last week.
According to Balancer's official statement, the attack targeted two pools, each containing one of two different deflationary tokens, Statera (STA) and STONK.
Both pools were drained: the loss amounts to more than half a million dollars.
The hack used an interesting technique, and before executing it the attacker funded the operation through Tornado Cash so that the origin of the funds could not be traced.
Here is how the hack unfolded:
- Flash loans ETH from dYdX and converts it to WETH.
- Repeatedly trades WETH for STA and back, in increasing amounts.
- On every trade, STA charges a transfer fee, but the pool expects to receive the full amount without the fee.
- After enough calls, the attacker calls gulp(), which syncs the pool's internal accounting of a token balance with the actual balance recorded in the token contract.
- Because the pool's STA balance is now close to zero, STA's price relative to the other token in the pool is extremely high, and the attacker can use STA to buy the other assets in the pool extremely cheaply.
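To make the accounting gap in the steps above concrete, here is a small Python model, added here and not Balancer's or Statera's code (the 1% burn, the 10,000-unit reserves and the 1,000-unit trade size are assumed values): a pool that credits the requested amount, as described above, beside one that credits only the measured balance change, showing how the internal record drifts from the real balance and then jumps when gulp() resyncs it.

```python
# Constructed model of the accounting gap described above; not Balancer's or
# Statera's code. The 1% burn, reserves and trade sizes are assumed values.
from dataclasses import dataclass, field

@dataclass
class DeflationaryToken:
    """Burns fee_bps of every transfer (assumed 100 bps = 1%)."""
    fee_bps: int = 100
    balances: dict = field(default_factory=dict)

    def transfer(self, src: str, dst: str, amount: int) -> int:
        fee = amount * self.fee_bps // 10_000
        self.balances[src] = self.balances.get(src, 0) - amount
        self.balances[dst] = self.balances.get(dst, 0) + amount - fee
        return amount - fee  # what dst actually received

class Pool:
    """STA (fee-on-transfer) paired with WETH; STA is tracked in an internal record."""
    def __init__(self, sta, sta_reserve: int, weth: int, measure_delta: bool):
        self.sta, self.weth, self.measure_delta = sta, weth, measure_delta
        sta.balances["pool"] = sta_reserve
        self.record_sta = sta_reserve

    def deposit_sta(self, user: str, amount: int) -> None:
        before = self.sta.balances["pool"]
        self.sta.transfer(user, "pool", amount)
        # Vulnerable: credit the requested amount. Hardened: credit the measured change.
        self.record_sta += self.sta.balances["pool"] - before if self.measure_delta else amount

    def withdraw_sta(self, user: str, amount: int) -> None:
        assert amount <= self.record_sta, "record says the pool cannot cover this"
        self.sta.transfer("pool", user, amount)
        self.record_sta -= amount

    def gulp(self) -> None:
        """Resync the internal record with the token contract's real balance."""
        self.record_sta = self.sta.balances["pool"]

    def drift(self) -> int:  # how far the record overstates real holdings
        return self.record_sta - self.sta.balances["pool"]

    def sta_price(self) -> float:  # WETH per STA as implied by the record
        return self.weth / self.record_sta

def simulate(measure_delta: bool, round_trips: int = 50, size: int = 1_000) -> tuple:
    """Trade STA in and out repeatedly; return (drift, price before gulp, price after)."""
    sta = DeflationaryToken(balances={"user": round_trips * size})
    pool = Pool(sta, sta_reserve=10_000, weth=10_000, measure_delta=measure_delta)
    for _ in range(round_trips):
        pool.deposit_sta("user", size)
        pool.withdraw_sta("user", size)
    drift, before = pool.drift(), pool.sta_price()
    pool.gulp()
    return drift, before, pool.sta_price()
```

In the trusting pool the record never falls, so the real STA balance shrinks by the fee on every round trip while the implied price stays flat until gulp() is called; the pool that measures the balance delta shows no drift and no price jump.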
Balancer stated that, although this was obviously not expected, the team had already considered that such tokens could create problems, and they had in fact been excluded from the recent BAL mining pool.
Balancer will now add the addresses involved in the hack to a blacklist and will give users more documentation on the risks that these tokens can involve. In fact, it is not so much the protocol that is insecure as the way these tokens were designed. In addition, the team will schedule a third audit of the protocol.
Whose fault was the hacking of Balancer?
According to several users who commented on the news, Balancer is to blame because the bug was not only ignored, but nobody was rewarded through the bug bounty program for finding it.
This was confirmed by Balancer co-founder and CTO Mike McDonald, who defended the decision by explaining that flash loans were not yet available.
As innovative as it is, decentralized finance (DeFi) has once again suffered an attack that resulted in a large loss of funds.
The tokens involved lost 75% (STA) and 98% (STONK) of their price.