DeFi Protocol Loses $500K Due To Hack

  • The attack exploited a loophole that tricked the protocol into releasing $500,000 worth of tokens.
  • In order to hide his tracks, the hacker used ether that was laundered through Tornado Cash, an Ethereum-based mixer.


An unknown attacker has stolen around $500,000 worth of tokens from decentralized finance (DeFi) liquidity provider Balancer Pool, the firm said in a blog post on 29 June.

According to the announcement, the bad actor used a sophisticated hack to exploit a loophole in the Balancer protocol, which tricked it into releasing $500,000 worth of tokens. It all began at 6 PM UTC on Sunday, when the attacker borrowed around $23 million worth of WETH tokens, an ETH-backed token suitable for DeFi trading, in a flash loan from dYdX.

The attacker then exploited Statera (STA), an investment token which burns 1% of the value of each transaction, and started exchanging back and forth between WETH and STA. He did this 24 times, and because the Balancer Pool contract only kept track of the token balance, every time a swap was made between WETH and STA, the pool received 1% less STA than expected.

The hacker then called a function that updates the price based on the current pool balance, and since the STA side was almost empty, its price was suddenly at a huge premium. He then used 1 weiSTA (one billionth of a token) to swap for WETH multiple times, and since STA token transfers have a fee implementation, the pool never received the tokens, but still released the WETH. The same method was used to drain Wrapped Bitcoin (WBTC), Chainlink (LINK) and Synthetix (SNX) tokens from the platform.
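The accounting flaw described above, as an added simulation that is not part of the original article or of any Balancer or Statera code: a toy fee-on-transfer token, a vault that credits either the amount the caller claims to have sent (the bug) or the balance change it actually observes (the fix), and the resulting gap between recorded and real holdings. All names, balances and the 1% burn rate are constructed for the model.

```python
BURN_BPS = 100  # constructed: 1% burned on every transfer, as described for STA


class FeeOnTransferToken:
    """Toy deflationary token: the recipient gets 1% less than was sent."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        burned = amount * BURN_BPS // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount - burned


class Pool:
    """Single-token vault that keeps its own record of what it holds.

    trust_sent_amount=True credits what the caller said it sent (the bug);
    False credits only the balance change actually observed (the fix).
    """

    def __init__(self, token, trust_sent_amount):
        self.token = token
        self.trust_sent_amount = trust_sent_amount
        self.recorded = token.balance_of("pool")

    def deposit(self, sender, amount):
        before = self.token.balance_of("pool")
        self.token.transfer(sender, "pool", amount)
        received = self.token.balance_of("pool") - before
        self.recorded += amount if self.trust_sent_amount else received
        return received

    def drift(self):
        """Phantom tokens: recorded holdings minus what the contract really has."""
        return self.recorded - self.token.balance_of("pool")


def drift_after(rounds, amount, trust_sent_amount):
    """Run `rounds` deposits of `amount` and report the accounting gap."""
    token = FeeOnTransferToken({"pool": 1_000_000, "user": 10_000_000})
    pool = Pool(token, trust_sent_amount)
    for _ in range(rounds):
        pool.deposit("user", amount)
    return pool.drift()
```

With the trusting pool every round adds 1% of the deposit to the gap, so 24 rounds of 1,000 leave 240 phantom tokens that any balance-derived price will be computed against; the balance-delta version never drifts.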

An analysis of the incident, conducted by the 1inch.exchange team, noted that the hacker was able to cover his tracks well. The hacker used ether that was laundered through Tornado Cash, an Ethereum-based mixer, in order to pay for transaction fees and deploy smart contracts.

The 1inch.exchange blog post reads:

“The person behind this attack was a very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols. The attack was organized and well prepared in advance.”

The Statera team also published a blog post covering the incident, in which they disagreed with claims that the protocol had failed, or that it was intentionally designed for this kind of an attack.

Statera further said:

“STATERA TOKEN CONTRACT is fully audited by a verified third party, our code was not exploited in this attack. Our ship is tight, and we have no leaks. We remain committed to our code and our token.”
