Last June 28, an attacker drained over $500,000 worth of funds from several Balancer Pools. As it turns out, Balancer Labs knew about the possibility of the attack but thought it was too impractical to pull off. They were wrong, so now they have to reimburse all the affected liquidity providers.
How the Balancer Hack Happened
The hacker used a smart contract to chain multiple operations into a single transaction. First, the culprit took a flash loan of 104,000 WETH from dYdX. The WETH was then swapped back and forth for STA tokens 24 times, draining the pool's STA balance to near zero.
This was possible because STA is a deflationary token that charges a 1% fee on every transfer, while the Balancer Pool contract keeps its own internal record of each token's balance, which the fee caused to drift away from the tokens the pool actually held.
Next, the hacker swapped 1 weiSTA (0.000000000000000001 STA) for WETH many times over. Because of how the transfer fee is implemented, the pool received no STA at all from these transfers, yet it still paid out WETH.
The same procedure was repeated to drain the WBTC, LINK, and SNX balances from the pool. All the stolen funds were sent to the address 0xbf675c80540111a310b06e1482f9127ef4e7469a.
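To make the accounting flaw concrete, the following is an added Python model (not Balancer's or STA's contract code) of a fee-on-transfer token and a two-asset pool that keeps its own balance records. The pool can run in the vulnerable mode described above, crediting whatever amount the caller says it sent, or in a hardened mode that credits only the change in the pool's own token balance before and after the transfer. The fee rounding up so that a 1-wei transfer delivers nothing is a modelling assumption chosen to reproduce the 1 weiSTA behaviour the article describes; the reserve sizes and account names are constructed, and the discrepancy check is the kind of reconciliation a reviewer would want a pool to perform.

```python
# Added model of the fee-on-transfer accounting flaw described above.
# Constructed for illustration; not Balancer's or STA's real contract code.


def ceil_div(a: int, b: int) -> int:
    """Integer division rounding up."""
    return -(-a // b)


class FeeOnTransferToken:
    """Token that burns a fee on every transfer (fee_bps=100 is the article's 1%).

    Modelling assumption: the fee rounds up, so a 1-wei transfer delivers
    nothing to the recipient, reproducing the 1 weiSTA behaviour described.
    """

    def __init__(self, fee_bps: int) -> None:
        self.fee_bps = fee_bps
        self.balances: dict[str, int] = {}

    def mint(self, who: str, amount: int) -> None:
        self.balances[who] = self.balance_of(who) + amount

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def transfer(self, sender: str, to: str, amount: int) -> int:
        """Debit `amount` from sender; credit amount minus fee to `to`."""
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        fee = ceil_div(amount * self.fee_bps, 10_000)
        received = amount - fee
        self.balances[sender] -= amount
        self.balances[to] = self.balance_of(to) + received
        return received


class Pool:
    """Two-asset constant-product pool that keeps its own balance records."""

    def __init__(self, name: str, sta: FeeOnTransferToken,
                 weth: FeeOnTransferToken, measure_received: bool) -> None:
        self.name = name
        self.tokens = {"STA": sta, "WETH": weth}
        self.recorded = {"STA": 0, "WETH": 0}
        # False: trust the caller's amount (vulnerable). True: credit what arrived.
        self.measure_received = measure_received

    def _pull(self, symbol: str, sender: str, amount: int) -> int:
        token = self.tokens[symbol]
        before = token.balance_of(self.name)
        token.transfer(sender, self.name, amount)
        arrived = token.balance_of(self.name) - before
        credited = arrived if self.measure_received else amount
        self.recorded[symbol] += credited
        return credited

    def seed(self, provider: str, sta_amount: int, weth_amount: int) -> None:
        self._pull("STA", provider, sta_amount)
        self._pull("WETH", provider, weth_amount)

    def swap_in(self, sym_in: str, sym_out: str, sender: str, amount_in: int) -> int:
        """Sell `amount_in` of sym_in; pay out by constant product on recorded reserves."""
        credited = self._pull(sym_in, sender, amount_in)
        if credited == 0:
            return 0  # nothing arrived, so nothing leaves
        r_in = self.recorded[sym_in]  # already includes `credited`
        amount_out = self.recorded[sym_out] * credited // r_in
        self.recorded[sym_out] -= amount_out
        self.tokens[sym_out].transfer(self.name, sender, amount_out)
        return amount_out

    def discrepancy(self, symbol: str) -> int:
        """Recorded minus actual balance; anything but 0 means the books have drifted."""
        return self.recorded[symbol] - self.tokens[symbol].balance_of(self.name)


def run_scenario(measure_received: bool, swaps: int = 10) -> dict:
    """Seed a small pool, then sell 1 wei of STA `swaps` times (constructed amounts)."""
    sta, weth = FeeOnTransferToken(fee_bps=100), FeeOnTransferToken(fee_bps=0)
    pool = Pool("pool", sta, weth, measure_received)
    sta.mint("lp", 1_000)
    weth.mint("lp", 100 * 10**18)
    sta.mint("trader", swaps)
    pool.seed("lp", 1_000, 100 * 10**18)
    drift_after_seed = pool.discrepancy("STA")
    sta_before = sta.balance_of("pool")
    weth_paid = sum(pool.swap_in("STA", "WETH", "trader", 1) for _ in range(swaps))
    return {
        "drift_after_seed": drift_after_seed,
        "sta_received_during_swaps": sta.balance_of("pool") - sta_before,
        "weth_paid": weth_paid,
        "drift_final": pool.discrepancy("STA"),
    }


if __name__ == "__main__":
    for mode, label in ((False, "vulnerable"), (True, "hardened")):
        print(label, run_scenario(mode))
```

In the vulnerable mode the pool's recorded STA balance drifts by the burned fee at every deposit, the ten 1-wei sales deliver no STA at all, and WETH still leaves the pool; in the hardened mode the books never drift and a transfer that delivers nothing pays out nothing. The `discrepancy` check is the invariant to monitor: a pool holding any fee-on-transfer or rebasing token should reconcile recorded against actual balances rather than trusting the caller's declared amount.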
How It Could Have Been Avoided
Crypto investment firm Hex Capital claimed that they had submitted the exact vulnerability that caused the hack on May 6 through the Balancer Labs bug bounty program. Unfortunately, Balancer Labs didn't heed their advice and are now facing the consequences.
After Hex Capital made their bug bounty submission public, Balancer responded with a blog post explaining their side of the story along with an apology.
The post added that, despite being aware of the possibility of the attack, they didn't consider it a “practical attack” because of the astronomical amount of funds and gas required to execute it fully. They admitted that they were at fault and apologized both to Ankur Agrawal of Hex Capital and to all the users affected by the hack.
On a positive note, Hex Capital did a tremendous job by sharing their bug bounty submission publicly, which may or may not have forced Balancer Labs' hand in reimbursing users. Balancer Labs also made it clear that this does not mean future losses from hacks will be reimbursed.
Ankur Agrawal was also paid the maximum reward available under the current bug bounty program.