An unknown attacker has stolen around $500,000 worth of tokens from decentralized finance (DeFi) liquidity provider Balancer Pool, the firm said in a blog post on 29 June.
According to the announcement, the bad actor used a sophisticated hack to exploit a loophole in the Balancer protocol, which tricked it into releasing $500,000 worth of tokens. It all began at 6 PM UTC on Sunday, when the attacker borrowed around $23 million worth of WETH tokens, an ETH-backed token suitable for DeFi trading, in a flash loan from dYdX.
The attacker then exploited Statera (STA), an investment token which burns 1% of the value of each transaction, and started exchanging back and forth between WETH and STA. He did this 24 times, and because the Balancer Pool contract only kept track of the token balance, every time a swap was made between WETH and STA, the pool received 1% less STA than expected.
The hacker then called a function that updates the price based of the current pool balance, and since the STA side was almost empty, its price was suddenly at a huge premium. He then used 1 weiSTA (one billionth of a token) to swap for WETH multiple times, and since STA token transfers have a fee implementation, the pool never received the tokens, but still released the WETH. The same method was used to drain Wrapped Bitcoin (WBTC), Chainlink (LINK) and Synthetix (SNX) tokens from the platform.
An analysis of the incident, conducted by the 1inch.exchange team, noted that the hacker was able to cover his tracks well. The hacker used ether that was laundered through Tornado Cash, an Ethereum-based mixer, in order to pay for transaction fees and deploy smart contracts.
The 1inch.exchange blog post reads:
“The person behind this attack was very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols. The attack was organized and well prepared in advance.”
The Statera team also published a blog post covering the incident, in which they disagreed with claims that the protocol had failed, or that it was intentionally designed for this kind of an attack.
Statera further said:
“STATERA TOKEN CONTRACT is fully audited by a verified third party, our code was not exploited in this attack. Our ship is tight, and we have no leaks. We remain committed to our code and our token.”