The Balancer automated market maker protocol has been hacked for over $500,000 in a single Ether (ETH) transaction, facilitated once again by a dYdX flash loan.
As analyzed by the 1inch.exchange team several hours after the incident, a carefully crafted transaction consuming more than eight million gas, or about two thirds of an Ethereum block, stole over $500,000 in Ether, Wrapped Bitcoin (WBTC), Chainlink (LINK) and Synthetix (SNX) tokens.
Profiting from programmed burn
Timestamped at 6 PM UTC on Sunday, the transaction begins with a flash loan from dYdX for 104,000 ETH, or about $23 million.
The exploit relied on Statera (STA), a deflationary token where 1% of every transaction is automatically burned. Balancer's smart contracts appear to have failed to account for this, thus expecting that each transaction would be for the full amount.
The hacker exploited this by exchanging back and forth between Statera and Ether 24 times. At each step, the STA balance available to the contract diminished by 1%, but the smart contract did not account for this. Thus, the price of STA remained stable despite the dwindling supply.
As noted in Balancer's disclosure, at the end of this procedure the attacker called a function that updated the price based on the effective pool balance. Since the STA side was empty, it was immediately priced at a huge premium.
The hacker used a "weiSTA," or one billionth of a token, to swap for other assets on the platform, including ETH, BTC, LINK and SNX. Due to the burn mechanism, the weiSTA was never actually exchanged, which allowed the hacker to perform the transfer multiple times until all STA pools were drained.
They then exchanged the remainder of the STA to Balancer Pool tokens and cashed them out to Ether with Uniswap.
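The accounting gap described above can be reproduced in a small model. This is an added example, not code from Balancer, Statera or the original article; the class and function names are hypothetical, and it models only incoming transfers of a 1%-burn token, comparing a pool that credits the nominal amount with one that credits the measured balance change.

```python
# Simplified model, constructed for illustration (not Balancer or Statera code).
BURN_BPS = 100  # 1% burn per transfer, in basis points

class BurnToken:
    """Token ledger that burns BURN_BPS of every transfer."""
    def __init__(self):
        self.balances = {}

    def mint(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        burned = amount * BURN_BPS // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount - burned

class NaivePool:
    """Credits the nominal amount, assuming the full transfer arrived."""
    def __init__(self, token, addr):
        self.token, self.addr, self.recorded = token, addr, 0

    def deposit(self, sender, amount):
        self.token.transfer(sender, self.addr, amount)
        self.recorded += amount  # ignores the burn, so the books overstate

class MeasuredPool(NaivePool):
    """Credits only what arrived, measured as the balance delta."""
    def deposit(self, sender, amount):
        before = self.token.balance_of(self.addr)
        self.token.transfer(sender, self.addr, amount)
        self.recorded += self.token.balance_of(self.addr) - before

def drift_after(pool_cls, deposits=24, amount=1_000_000):
    """Recorded minus actual pool balance after repeated deposits."""
    token = BurnToken()
    token.mint("user", deposits * amount)
    pool = pool_cls(token, "pool")
    for _ in range(deposits):
        pool.deposit("user", amount)
    return pool.recorded - token.balance_of("pool")

if __name__ == "__main__":
    print(drift_after(NaivePool), drift_after(MeasuredPool))
```

A nonzero drift is the condition a pool can check for: comparing its recorded balance with the token's reported balance after each incoming transfer exposes fee-on-transfer tokens before prices are computed from stale figures.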
Security practices called into question
The Balancer team is being accused by a security researcher and the STA team of ignoring a bug report submitted almost two months before. Balancer's CTO, Mike McDonald, confirmed the existence of the report, claiming that the issue outlined in it was essentially unexploitable and blaming flash loans for the incident. It's worth noting that any exploit made possible by a flash loan could equally be carried out by hackers with significant funds.
In a subsequently deleted tweet, McDonald appears to have taken responsibility for the bug.
Cointelegraph obtained screenshots from the STA team that further suggest that Balancer was keenly aware of the issue with transfer-fee tokens like Statera just days before the incident.
While Balancer took precautions with the STA pool by not including it in the liquidity mining program, it's unclear why the issue was not fixed at the smart contract level. At the same time, the protocol is permissionless and anyone can add new pools at their own risk. This would be similar to an incident that occurred on Uniswap during the dForce hack, where a pool created against the team's advice was simultaneously hacked.
The Statera team still believes the risks were not adequately disclosed, with a representative saying:
"The only warning they have is on their website, which means that the project is in beta and all funds are at risk."
While Balancer documentation does mention risks for Statera-like tokens, they only involve "arbitrage opportunities." The Statera representative said that "[we] would not have gone with Balancer if we knew we were at risk for such an attack."
Cointelegraph reached out to Balancer to learn more, but did not immediately receive a response.