Balancer pools drained of more than $450,000 due to an exploit connected to deflationary tokens

DeFi • June 29, 2020, 3:21AM EDT
UPDATED: June 29, 2020, 9:32PM EDT
The Block

Two multi-token pools on Balancer, an automated market maker protocol, were drained of ~$450,000 on June 29 by an attacker that specifically targeted pools containing so-called deflationary tokens.

The hacker conducted the attack in two separate transactions — one took place at 6:03 pm and the second one 30 minutes later 06:49 pm. Only pools with STA and STONK, deflationary tokens with transfer fees, were affected by this exploit. 

The attacker got a $23 million flash loan of ETH from dYdX, converted it to WETH, and started swapping WETH to STA back and forth — they repeated this 24 times. This allowed them to drain the STA balance in the pool all the way to 0.000000000000000001 STA as 1% transaction fee was subtracted on each trade. The STA balance was close to zero, which allowed the attacker to swap it for other assets in the pool very cheaply.

THE SCOOP

Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

The attacker drained 601.3 ETH (~$134.8k), 11.36 WBTC (~$103.5k), 22,593 LINK (~$102.8k), and 60,915 SNX (~$110.9k). In total, the attacker got access to about $452,000.

DEX Aggregator 1inch said in their writeup that the attacker was “very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols.” The ETH that was used to deploy the smart contracts was mixed through Tornado Cash to hide the source.

Balancer said that they were not aware this specific type of attack was possible but allegedly warned about the unintended effects of deflationary tokens with transfer fees. It vouched to begin adding deflationary tokens to the UI blacklist similarly to what they have already done for no bool transfer tokens. The protocol added that it has already undergone two full audits and has had a third one planned.

This is the fifth high-profile attack on Open Finance protocols. The first two happened on February 15 as attackers drained the lending protocol bZx of more than $1 million. In April, the dForce protocol was drained of $25 million but the entire amount was returned by the attacker for still unknown reasons.

About Author

Yogita Khatri is a senior reporter at The Block, covering all things crypto. As one of the earliest team members, Yogita has played a pivotal role in breaking numerous stories, exclusives and scoops. With nearly 3,000 articles under her belt, Yogita holds the records as The Block's most-published and most-read author of all time. Prior to joining The Block, Yogita worked at crypto publication CoinDesk and The Economic Times, where she wrote on personal finance. To contact her, email: [email protected]. For her latest work, follow her on X @Yogita_Khatri5.

More by Yogita Khatri