DeFi protocol Balancer loses $500K in hack

Balancer, a DeFi platform that provides non-custodial portfolio management, liquidity, and price sensor services, was hacked for around $450,000 on June 29.

How it happened

The Balancer hacker had an in-depth understanding of several DeFi platforms and used their knowledge of those platforms to conduct a hack with several moving parts. According to a blog post from Balancer CTO Mike McDonald, the hacker:

– took out a flash loan of 104k WETH from dYdX;

– used the borrowed funds to swap WETH for the STA token on Balancer 24 times, back and forth; every time the attacker swapped WETH to STA, the Balancer pool received 1% less STA than was expected;

– after doing this 24 times, called gulp(), which syncs the internal pool accounting of a token balance to the actual balance as stored in the token tracker contract;

– because the STA balance had been drained close to zero, its price relative to the other tokens was extremely high, and the attacker used STA to swap for the other assets in the pool at an extremely low price.
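To make the accounting mismatch concrete, here is an added Python model (not Balancer's code, not the attacker's) of an equal-weight two-asset pool holding a constructed 1%-burn token: the unchecked swap credits the declared deposit while the token contract delivers 1% less, gulp() then snaps the record down and the STA spot price jumps, whereas the checked variant measures the real balance delta and rejects the short delivery, the standard mitigation for fee-on-transfer tokens. The pool sizes, the trader's balance and the equal weights are assumptions.

```python
from dataclasses import dataclass, field

BURN_BPS = 100  # constructed STA-like token: 1% (100 basis points) of every transfer is burned

@dataclass
class DeflationaryToken:
    """Fee-on-transfer token model: the recipient is credited 1% less than the sender paid."""
    balances: dict = field(default_factory=dict)

    def transfer(self, src: str, dst: str, amount: int) -> None:
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount - amount * BURN_BPS // 10_000

@dataclass
class Pool:
    """Equal-weight two-asset pool that keeps its own record of how much STA it holds."""
    token: DeflationaryToken
    record_sta: int   # internal accounting, separate from the token contract's balanceOf
    record_weth: int

    def sta_price_in_weth(self) -> float:
        return self.record_weth / self.record_sta  # spot price in an equal-weight pool

    def swap_sta_for_weth(self, trader: str, amount_in: int, check_received: bool) -> int:
        before = self.token.balances.get("pool", 0)
        self.token.transfer(trader, "pool", amount_in)
        received = self.token.balances["pool"] - before
        if check_received and received != amount_in:
            # hardened form: measure the real balance delta and refuse a short delivery
            raise ValueError(f"received {received} of {amount_in} declared; revert")
        out = self.record_weth * amount_in // (self.record_sta + amount_in)
        self.record_sta += amount_in  # unchecked form credits the declared amount, so the record drifts above reality
        self.record_weth -= out
        return out

    def gulp(self) -> None:
        self.record_sta = self.token.balances.get("pool", 0)  # re-sync the record to the token's actual balance

def demo(check_received: bool) -> dict:
    # constructed state: pool holds 1,000,000 STA and 1,000 WETH; the trader deposits 100,000 STA
    token = DeflationaryToken({"pool": 1_000_000, "trader": 100_000})
    pool = Pool(token, record_sta=1_000_000, record_weth=1_000)
    try:
        pool.swap_sta_for_weth("trader", 100_000, check_received)
    except ValueError:
        return {"rejected": True}  # on-chain the revert would also undo the transfer itself
    recorded, actual, price_before = pool.record_sta, token.balances["pool"], pool.sta_price_in_weth()
    pool.gulp()
    return {"rejected": False, "recorded": recorded, "actual": actual,
            "price_before_gulp": price_before, "price_after_gulp": pool.sta_price_in_weth()}
```

With the constructed numbers the unchecked pool records 1,100,000 STA while the token contract holds 1,099,000, and gulp() raises the STA spot price; with the check enabled the same deposit is rejected.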

Ultimately, this method allowed the hacker to steal 601.3 ETH ($134,114), 11.36 WBTC ($103,319), 2,593 LINK ($101,442), and 60,915 SNX ($110,865)—equal to roughly $449,740 at the time of writing.

Did Balancer know of this flaw?

According to some individuals, Balancer Protocol was aware that their protocol had this vulnerability. Twitter user @Hex_Capital claims that they (@Hex_Capital) made Balancer Protocol aware of the flaw on May 6. 

Hex_Capital says they submitted this bug to Balancer Protocol’s bug bounty program, but that Balancer refused to acknowledge the bug and pay Hex_Capital their bounty reward. 

Hex_Capital goes on to say that this is a major problem in the digital currency community today: companies are releasing bounty programs but ignoring the bugs submitted to them and refusing to pay out the individual or team that discovered the flaw. 

DeFi is a prime target

This year, DeFi platforms have been a prime target for hackers. Individuals with a deep understanding of DeFi platforms are using their knowledge to exploit flaws in the platforms that allow them to make off with significant amounts of money. Earlier this year, DeFi platforms bZx and dForce were hacked for hundreds of thousands and millions of dollars, respectively. 

Given the recent increase in retail and institutional interest in DeFi, and in the capital flowing into it, there is a good chance that more DeFi exploits will occur before the end of the year.

