Hacked Balancer platform promises to refund users who lost funds

Balancer protocol, the DeFi platform that was exploited for roughly $450,000 on June 29, has announced that it will be reimbursing the liquidity providers who lost funds due to the hack.

“All the users who lost funds in this attack will be reimbursed with the exact balance in each of the pooled tokens that their BPT (pool shares) would entitle them at the moment immediately before the attack,” said Balancer Labs CEO Fernando Martinelli. “The reimbursement of the deflationary tokens that made the attack possible, STA and STONK, will be made by their respective teams. The reimbursement of the other tokens by Balancer Labs will happen as soon as possible, though we cannot promise any hard dates as the operational details must still be figured out.” 

Balancer says they will be replacing all of the tokens lost during the exploit, except for the deflationary tokens STA and STONK, which will be reimbursed by their respective teams. This means that Balancer will be reimbursing liquidity providers who lost ETH, WBTC, LINK, and SNX during the attack.

Balancer Labs knew this could happen

Balancer acknowledged that they knew the Balancer protocol was susceptible to the exact attack that took place.

On May 6, Ankur Agrawal—Twitter user @Hex_Capital—warned Balancer Labs that this type of attack could take place. Agrawal submitted a report detailing the attack to Balancer Labs’ bug bounty program, but at the time, Balancer Labs refused to pay Agrawal a bounty reward for reporting the bug because they did not believe it was a practical attack. 

“The bug bounty report describes in detail the attack that happened. Our team however did not think it would be a practical attack because of the enormous amounts of funds and also gas we thought would be required for bringing the balance of the deflationary token to near 0 in a single atomic transaction…We sincerely apologize to Ankur Agrawal (Hex_Capital) who submitted the report and will award them the maximum amount available in our current bug bounty.”

Balancer acknowledged that they were aware of this attack vector, apologized to Agrawal for not initially paying him a bounty reward, and announced that they will be paying Agrawal the maximum bounty amount since he was right all along.

Don’t expect reimbursement for future attacks

Just because Balancer Labs will be reimbursing their liquidity providers this time around, it does not mean they will do the same if an attack takes place in the future. 

“Balancer Labs will only reimburse the losses of liquidity providers in this attack because we believe we could and should have done better in avoiding this, given the context of the bug bounty report we received prior to the attack,” according to the announcement.

Balancer Labs has made it clear that the only reason they will be reimbursing any of the parties affected by the June 29 exploit is because they knew the attack vector, yet, did not make any improvements to their platform to protect against the attack.

Balancer says they hope to have a detailed plan regarding the reimbursement program released by the end of the week. 

New to Bitcoin? Check out CoinGeek’s Bitcoin for Beginners section, the ultimate resource guide to learn more about Bitcoin—as originally envisioned by Satoshi Nakamoto—and blockchain.