Decentralized finance (DeFi) had its best week to date last week, but such rapid growth also attracts shady operators seeking to exploit vulnerabilities in these nascent systems.
DeFi markets are still riding high from a wild week which saw total value locked across the industry hit an all-time high of $1.65 billion. The move has been largely catalyzed by token distribution incentives to encourage liquidity farming by Compound Finance and Balancer.
The latter found itself reeling from an attack over the weekend, which purportedly resulted in the loss of half a million dollars in wETH.
Balancer Pools Targeted
On Sunday, reports emerged on crypto Twitter that a Balancer Pool had been the victim of this latest digital incursion. One of the first to report the incident was researcher Steven Zheng, who tweeted:
Apparently someone drained a Balancer Pool made up of WETH and STA and got away with $500k worth of WETH.
Balancer confirmed the incident, adding more details which stated that an attacker was able to drain funds from two pools that contained tokens with transfer fees, often referred to as deflationary tokens.
Decentralized exchange aggregator 1inch also shed light on the situation explaining that the attacker used a smart contract to automate multiple actions in a single transaction.
The arbitrage attack was made possible by the structure of Balancer Pools, which are multi-dimensional automated market makers (AMMs). Each pool holds multiple assets and keeps them in set proportions by pricing every swap with a special formula, which creates arbitrage opportunities whenever the pool's holdings drift away from those proportions.
The attack began with a flash loan of 104 wrapped Ethereum (wETH) from the DeFi platform dYdX. Wrapped Ethereum is an ERC-20 version of ETH that can be traded against other ERC-20 tokens on decentralized platforms.
A flash loan is, in effect, a smart-contract loan of crypto assets taken with no collateral and repaid within the same transaction. Between borrowing and repaying, the attacker can exploit other DeFi protocols, lending platforms, DEXes, and smart contracts, taking advantage of low-liquidity markets to net a tidy profit.
In this case, the funds were used to swap wETH to the STA token back and forth 24 times, which drained the STA balance from the pool. STA, or Statera, works on a deflationary algorithm which is designed to ensure that for every transaction, 1% of the amount transacted is destroyed.
STA charges a transfer fee on every trade, but the pool expects to receive the full amount without the fee deducted. Each time the attacker swapped back and forth between wETH and STA, the Balancer Pool received 1% less STA than it expected, which gradually drained it.
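To make the accounting problem concrete, here is an added toy model in Python. It is not Balancer's, 1inch's or the article's code, and it simplifies heavily: the pool is equal-weighted, so a weighted AMM's pricing reduces to constant product (x * y = k), there is no swap fee, and the reserves, trader balances and token names (WETH, STA) are constructed values. The vulnerable pool credits whatever amount the caller passes to the swap; the hardened pool measures its own token balance before and after the transfer and credits only the difference. The model reproduces only the 1% accounting gap the article describes and shows the invariant a monitor would check, not the full sequence of the incident.

```python
"""Toy model of an AMM pool trading against a deflationary (transfer-fee) token.

Constructed example, not Balancer's code. The pool is equal-weighted, so the
weighted-AMM formula reduces to constant product (x * y = k). It shows the
accounting problem described in the article: a pool that credits the amount a
caller *claims* to deposit, rather than the amount that actually arrived,
records 1% more STA than it holds on every STA deposit, and the gap grows with
every round trip. The hardened pool credits the measured balance delta instead.
"""

from typing import Dict, List


class Token:
    """Minimal ERC-20-style ledger. fee_bps > 0 burns that share of every transfer."""

    def __init__(self, name: str, fee_bps: int = 0) -> None:
        self.name = name
        self.fee_bps = fee_bps
        self.balances: Dict[str, int] = {}

    def balance_of(self, holder: str) -> int:
        return self.balances.get(holder, 0)

    def mint(self, holder: str, amount: int) -> None:
        self.balances[holder] = self.balance_of(holder) + amount

    def transfer(self, sender: str, recipient: str, amount: int) -> int:
        """Move `amount` out of sender; recipient receives amount minus the burn."""
        if self.balance_of(sender) < amount:
            raise ValueError(f"{sender} lacks {amount} {self.name}")
        burned = amount * self.fee_bps // 10_000
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount - burned
        return amount - burned


class Pool:
    """Two-asset constant-product pool that keeps its own record of reserves."""

    NAME = "pool"

    def __init__(self, a: Token, b: Token, reserve_a: int, reserve_b: int,
                 credit_measured_delta: bool) -> None:
        self.tokens = {a.name: a, b.name: b}
        a.mint(self.NAME, reserve_a)
        b.mint(self.NAME, reserve_b)
        # What the pool believes it holds; all pricing is done on these numbers.
        self.records: Dict[str, int] = {a.name: reserve_a, b.name: reserve_b}
        self.credit_measured_delta = credit_measured_delta

    def quote_out(self, token_in: str, token_out: str, amount_in: int) -> int:
        r_in, r_out = self.records[token_in], self.records[token_out]
        return r_out * amount_in // (r_in + amount_in)

    def swap_exact_in(self, trader: str, token_in: str, token_out: str,
                      amount_in: int) -> int:
        tok_in = self.tokens[token_in]
        before = tok_in.balance_of(self.NAME)
        tok_in.transfer(trader, self.NAME, amount_in)
        received = tok_in.balance_of(self.NAME) - before
        # Vulnerable: credit the caller's argument. Hardened: credit what actually
        # arrived, so a transfer fee becomes a smaller deposit instead of drift.
        credited = received if self.credit_measured_delta else amount_in
        amount_out = self.quote_out(token_in, token_out, credited)
        self.records[token_in] += credited
        self.records[token_out] -= amount_out
        self.tokens[token_out].transfer(self.NAME, trader, amount_out)
        return amount_out

    def drift(self, token_name: str) -> int:
        """Recorded minus real balance. Anything but 0 is an invariant violation
        that a balance monitor should alert on."""
        return self.records[token_name] - self.tokens[token_name].balance_of(self.NAME)


def run_round_trips(credit_measured_delta: bool, rounds: int = 24,
                    weth_start: int = 100_000) -> List[int]:
    """Swap wETH -> STA -> wETH `rounds` times; return the STA drift after each trip."""
    weth = Token("WETH")                 # no transfer fee
    sta = Token("STA", fee_bps=100)      # 1% burned on every transfer (constructed)
    pool = Pool(weth, sta, 1_000_000, 1_000_000_000, credit_measured_delta)
    trader = "trader"
    weth.mint(trader, weth_start)
    drifts: List[int] = []
    for _ in range(rounds):
        pool.swap_exact_in(trader, "WETH", "STA", weth.balance_of(trader))
        # The trader holds 1% less STA than the pool sent (burned in transit) and
        # sends all of it back; the pool in turn receives 1% less than that.
        pool.swap_exact_in(trader, "STA", "WETH", sta.balance_of(trader))
        drifts.append(pool.drift("STA"))
    return drifts


if __name__ == "__main__":
    print("vulnerable pool STA drift per trip:", run_round_trips(False))
    print("hardened pool STA drift per trip:  ", run_round_trips(True))
```

The returned list is the value a defender cares about: in the vulnerable pool the recorded STA balance pulls further ahead of the real one on every round trip, while the hardened pool never diverges. Comparing a pool's internal records against the token's `balanceOf` for the pool address is a cheap invariant check that flags this class of accounting bug before it is used against the pool.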
The attacker then engaged in further token swapping to drain Wrapped Bitcoin (wBTC), Synthetix (SNX), and Chainlink (LINK) balances from the pool before repaying the flash loan. The amount of wETH stolen in the attack was reportedly $500,000. According to CoinGecko, the STA price dumped 90% at the time of the attack.
The DEX aggregator added that the perpetrator knew what they were doing and that the attack was well planned:
The person behind this attack was a very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols. The attack was organized and well prepared in advance.
Balancer stated that it would add transfer-fee tokens to the UI blacklist and create more documentation around the risks of how the pools work, and how broken or maliciously designed tokens can potentially drain assets from a pool:
Balancer has undergone 2 full audits and already has a 3rd planned (before today) that will be starting shortly. We will continue to audit and review the protocol.
According to Hex Capital [@Hex_Capital], the vulnerability was already known, as it had reportedly been submitted to a bug bounty back in May:
@StateraProject pool was drained because Balancer Labs refused to acknowledge this critical vulnerability I alerted them about in MAY. This is a major issue in crypto today – creating bug bounty programs and then ignoring the results + refusing to pay out. We need to do better.
Balancer Labs co-founder Mike McDonald [@mikeraymcdonald] replied with an apology, adding that flash lending was what made the attack possible:
To clarify, the submitted report was about trading a pool and slowly decreasing the pool's balance vs internal balance which we were aware of and why warnings existed. Today worked because of flashlending. That is my fault and I apologize for not taking more time to review.
More DeFi Exploits
It would be inaccurate to call this incident a ‘hack’, as it was more an exploitation of a system with clear vulnerabilities. It is not the first such incident for the budding DeFi industry, and it will most likely not be the last.
Earlier this month, vulnerabilities in the Bancor DeFi platform resulted in the loss of funds. Around $460,000 in tokens were apparently drained from the protocol following a smart contract upgrade. Bancor stated that the smart contract was audited and confirmed that user funds were safe.
Flash loans were also used earlier in the year in what remains one of the biggest DeFi breaches to date. The bZx DeFi protocol saw just under $1 million stolen in what was labeled an ‘oracle manipulation attack’, carried out as two separate incidents in which malicious actors exploited the system.
Compound Finance founder Robert Leshner [@rleshner] advised caution when adding assets to DeFi protocols:
This is why you need to understand the nuance of each asset you add to a protocol. The same oversight brought down lendFme. Please #DeFi be more cautious.
At the time of writing there had been no exodus from DeFi protocols, and total value locked was still close to its all-time high according to DeFi Pulse. Balancer had slipped to fourth position in the rankings; however, collateral on the platform was also still close to its all-time high at around $120 million.
Images courtesy of Shutterstock, TradingView and Twitter.