DeFi protocol Balancer loses $500K in hack

Getting your Trinity Audio player ready...

Balancer, a DeFi platform that provides non-custodial portfolio management, liquidity, and price sensor services, was hacked for around $450,000 on June 29.

How it happened

The Balancer hacker had an in-depth understanding of several DeFi platforms and used their knowledge of those platforms to conduct a hack with several moving parts. According to a blog post from Balancer CTO Mike McDonald, the hacker:

– took out a FlashLoan of 104k WETH from dYdX.

– used the funds from the FlashLoan to swap WETH for STA token on Balancer 24 times back and forth– every time the attacker swapped WETH to STA, the Balancer Pool received 1% less STA than was expected.

– After doing this 24 times, the attacker called gulp() which syncs the internal pool accounting of a token balance to the actual balance as stored in the token tracker contract.

– Because the attacker drained the balance of STA close to zero, its price relative to the other tokens was extremely high and the attacker used the STA to swap for other assets in the pool for an extremely low price.

Ultimately, this method allowed the hacker to steal 601.3 ETH ($134,114), 11.36 WBTC ($103,319), 2,593 LINK ($101,442), and 60,915 SNX ($110,865)—equal to roughly $449,740 at the time of writing.

Did Balancer know of this flaw?

According to some individuals, Balancer Protocol was aware that their protocol had this vulnerability. Twitter user @Hex_Capital claims that they (@Hex_Capital) made Balancer Protocol aware of the flaw on May 6. 

"Although we were not aware this specific type of attack was possible" – this is patently false @mikeraymcdonald @BalancerLabs. I submitted this exact attack vector to your bug bounty program on 5/6 and was denied payment. cc @defiprime @TheBlock__ @VitalikButerin @1inchExchange

— hexcapital.eth (@Hex_Capital) June 29, 2020

Hex_Capital says they submitted this bug to Balancer Protocol’s bug bounty program, but that Balancer refused to acknowledge the bug and pay Hex_Capital their bounty reward. 

@StateraProject pool was drained because Balancer Labs refused to acknowledge this critical vulnerability I alerted them about in MAY. This is a major issue in crypto today – creating bug bounty programs and then ignoring the results + refusing to pay out. We need to do better

— hexcapital.eth (@Hex_Capital) June 29, 2020

Hex_Capital goes on to say that this is a major problem in the digital currency community today: companies are releasing bounty programs but ignoring the bugs submitted to them and refusing to pay out the individual or team that discovered the flaw. 

DeFi is a prime target

This year, DeFi platforms have been a prime target for hackers. Individuals with a deep understanding of DeFi platforms are using their knowledge to exploit flaws in the platforms that allow them to make off with significant amounts of money. Earlier this year, DeFi platforms bZx and dForce were hacked for hundreds of thousands and millions of dollars, respectively. 

Given the recent increase in retail and institution interest—as well as capital flowing into—DeFi, there’s a good chance that more DeFi exploits will occur before the end of the year.