The new DeFi project “Balancer”, which launched only recently, has already suffered a hack that caused a $500K loss.
Initially, the Balancer protocol was launched with no native asset, an unusual event in crypto. The aim was to create a DeFi protocol that allowed individuals to pool their money into Balancer pools, which can be composed of up to 8 different assets. These assets will then, via smart order routing, gain the current best interest on the market. In a way, a Balancer pool is similar to an index fund, but instead of paying a fee, individuals get paid for adding liquidity.
Mike McDonald, the CTO of Balancer, released a blog post explaining that hackers were able to leverage a weakness of the protocol and steal funds from two pools. What these two pools had in common is that they contained tokens with transfer fees: STA and STONK. Below is how Mike McDonald explained the mechanism that the hackers used:
- Flash lend ETH from dYdX and convert to WETH
- Continuously trade WETH & STA in increasing quantities
- On each trade, STA has a transfer fee and the pool expects to receive a balance without the fee.
- After enough calls, the attacker calls gulp() which syncs the internal pool accounting of a token balance to the actual balance as stored in the token tracker contract
- Because the balance of STA is close to zero, its price relative to the other tokens is extremely high and the attacker can now use STA to swap for other assets in the pool extremely cheaply
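The accounting mismatch behind these steps can be shown with a simplified model. This is an added example, not Balancer's contract code: the token, both pool classes, the `lp` account and the 1% fee are constructed for illustration. It contrasts a pool that credits the nominal transfer amount with one that credits only the measured balance increase.

```python
class FeeToken:
    """Constructed ERC-20-like token that deducts fee_bps from every transfer."""
    def __init__(self, fee_bps):
        self.fee_bps = fee_bps
        self.balances = {}

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        fee = amount * self.fee_bps // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount - fee

class NaivePool:
    """Credits the nominal amount, i.e. expects a balance without the fee."""
    def __init__(self, token):
        self.token = token
        self.recorded = 0                 # internal pool accounting

    def actual(self):                     # balance held in the token contract
        return self.token.balances.get(self, 0)

    def receive(self, sender, amount):    # inbound leg of a trade
        self.token.transfer(sender, self, amount)
        self.recorded += amount           # assumes the full amount arrived

    def drift(self):                      # non-zero means the books are wrong
        return self.recorded - self.actual()

    def gulp(self):                       # sync internal record to actual
        self.recorded = self.actual()

class MeasuringPool(NaivePool):
    """Hardened variant: credits only what the balance actually grew by."""
    def receive(self, sender, amount):
        before = self.actual()
        self.token.transfer(sender, self, amount)
        self.recorded += self.actual() - before

def run(pool_cls, amounts=(1_000, 2_000, 4_000), fee_bps=100):
    token = FeeToken(fee_bps)             # constructed 1% fee
    token.mint("lp", sum(amounts))
    pool = pool_cls(token)
    for amount in amounts:
        pool.receive("lp", amount)
    return pool.recorded, pool.actual(), pool.drift()
```

A non-zero `drift()` after any inbound transfer is the signal that a pool is holding a token its accounting does not handle, which is a check that can run in tests or monitoring before such a token is listed.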
The Aftermath Fix
To prevent such issues from happening again, the Balancer protocol will include transfer-fee tokens in the “UI blacklist”. The team will also explain the risks of the pools more exhaustively so that this type of risk is covered, and will run a third audit of the protocol.