Ethereum-based market-making protocol Balancer has announced that it will compensate users who lost their tokens in a protocol attack associated with two deflationary tokens.
The protocol operator will also reward Ankur Agrawal of Hex Capital "the maximum amount" available in its current bug bounty program, since he flagged the bug to the Balancer team on May 6.
"The bug bounty report by [Agrawal] describes in detail the attack that happened. Our team however did not think it would be a practical attack because of the enormous amounts of funds and also gas we thought would be required for bringing the balance of the deflationary token to near 0 in a single atomic transaction," said Balancer.
Previously, Balancer had declined to pay out a bug bounty because "they determined that it was not a critical bug," Agrawal told The Block. Balancer CEO Fernando Martinelli also admitted in a newly published blog post that the team made a mistake thinking that the bug Agrawal flagged was not a practical attack.
"The bug bounty report describes in detail the attack that happened. Our team however did not think it would be a practical attack because of the enormous amounts of funds and also gas we thought would be required for bringing the balance of the deflationary token to near 0 in a single atomic transaction," Martinelli stated.
However, the Balancer team did not account for flash loans, which are loans that must be paid back within a single transaction. The attacker was able to take out flash loans from dYdX to fund the series of transactions required for this attack.
The attack itself took advantage of the fact that the deflationary tokens STONK and STA both charge transfer fees when traded, while their associated Balancer pools do not immediately account for those fees. As a result, the pool balance shows more STONK or STA than the pool actually holds, which gave attackers the opportunity to trade STONK and STA in their respective pools, incurring transfer fees and thus draining the two tokens.
When there were very few tokens left in the pools, the attackers called a function to sync the displayed balance of the pools with the actual balance, resulting in a sharp drop in STONK and STA supplies and pushing up their prices against the other assets they were paired with. Attackers could then swap a small amount of STONK and STA for these other tokens to cash out.
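The accounting gap described above can be seen in a small Python model, added here as an illustration and not taken from Balancer's code or the original article. The class names, the 1% fee and the deposit amounts are assumptions; the hardened branch shows one common way to handle fee-on-transfer tokens, which is to credit the measured balance change instead of the nominal amount.

```python
# Constructed model: names, the 1% fee and all amounts are illustrative assumptions.
class FeeToken:
    """Token that burns a fee on every transfer, like a deflationary token."""
    def __init__(self, fee_bps=100):  # fee in basis points (assumed value)
        self.fee_bps = fee_bps
        self.balances = {}

    def mint(self, owner, amount):
        self.balances[owner] = self.balances.get(owner, 0) + amount

    def balance_of(self, owner):
        return self.balances.get(owner, 0)

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        fee = amount * self.fee_bps // 10_000
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount - fee

class Pool:
    """Keeps its own record of token holdings, separate from the token's ledger."""
    def __init__(self, token, name, measure_received):
        self.token, self.name = token, name
        self.measure_received = measure_received
        self.recorded = 0

    def deposit(self, sender, amount):
        before = self.token.balance_of(self.name)
        self.token.transfer(sender, self.name, amount)
        if self.measure_received:
            # Hardened: credit only what actually arrived.
            self.recorded += self.token.balance_of(self.name) - before
        else:
            # Naive: trust the nominal amount, ignoring the fee.
            self.recorded += amount

    def drift(self):
        """Recorded minus actual balance; non-zero means pricing uses a wrong balance."""
        return self.recorded - self.token.balance_of(self.name)

def run(measure_received, deposits=(10_000, 5_000, 2_500)):
    token = FeeToken()
    token.mint("trader", sum(deposits))
    pool = Pool(token, "pool", measure_received)
    for amount in deposits:
        pool.deposit("trader", amount)
    return pool.recorded, token.balance_of("pool"), pool.drift()
```

A non-zero `drift()` is the condition a monitoring check or an invariant test can alert on before any balance sync takes place.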
Balancer is expected to announce details of its reimbursement process by the end of the week.