Balancer pools drained of more than $450,000 due to an exploit connected to deflationary tokens

Two multi-token pools on Balancer, an automated market maker protocol, were drained of roughly $450,000 on June 29 by an attacker who specifically targeted pools containing so-called deflationary tokens, tokens that burn a percentage of every transfer.

The attacker carried out the attack in two separate transactions, the first at 6:03 pm and the second about 45 minutes later, at 6:49 pm. Only pools holding STA and STONK, deflationary tokens that charge a fee on every transfer, were affected.

The attacker took a flash loan of roughly $23 million worth of ETH from dYdX, converted it to WETH, and swapped WETH for STA and back again 24 times. STA burns a 1% fee on every transfer, so each time STA flowed into the pool, the pool received 1% less than its internal accounting credited; repeating the round trip let the attacker draw the pool's real STA balance down to 0.000000000000000001 STA (1 wei). Because Balancer prices swaps from the pool's token balances, a pool holding almost no STA values each unit of STA extremely highly against the other tokens, so a tiny amount of STA was enough to buy out the pool's other assets.

The attacker drained 601.3 ETH (~$134.8k), 11.36 WBTC (~$103.5k), 22,593 LINK (~$102.8k) and 60,915 SNX (~$110.9k), about $452,000 in total.

DEX aggregator 1inch said in its writeup that the attacker was a “very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols.” The ETH used to deploy the attack contracts had been routed through Tornado Cash to obscure its source.

Balancer said it had not been aware that this specific type of attack was possible, but said it had previously warned about the unintended effects of deflationary tokens with transfer fees. It pledged to start adding deflationary tokens to its UI blacklist, as it has already done for tokens whose transfer function does not return a boolean. A front-end blacklist only keeps such tokens out of Balancer's interface; the pool contracts themselves are permissionless and can still be called directly. The protocol added that it has already undergone two full audits and has a third planned.

This is the fifth high-profile attack on Open Finance protocols. The first two hit the lending protocol bZx in February, draining more than $1 million between them. In April, the dForce protocol was drained of $25 million, though the attacker returned the entire amount for reasons that remain unclear.

AUTHOR

Yogita Khatri is a senior reporter at The Block and the author of The Funding newsletter. As our longest-serving editorial member, Yogita has been instrumental in breaking numerous stories, exclusives and scoops. With over 3,000 articles to her name, Yogita is The Block's most-published and most-read author of all time. Before joining The Block, Yogita wrote for CoinDesk and The Economic Times. You can reach her at [email protected] or follow her latest updates on X at @Yogita_Khatri5.
