A hacker steals $500K from the DeFi liquidity provider Balancer

Decentralized finance (DeFi) liquidity provider Balancer Pool has admitted that it was recently the victim of a sophisticated hack that exploited a loophole in its procedure to trick the protocol into releasing tokens worth $500,000. "We didn't know that this specific type of attack was possible," he said.

The complex theft procedure

Balancer CTO Mike McDonald said in a post that the hacker had borrowed $23 million worth of WETH, an ether-backed token suited to DeFi trading, in a flash loan from dYdX.

He then swapped it for Statera (STA), an investment token that uses a transfer-fee model in which 1% of the amount is lost each time it is traded.

The attacker swapped WETH for STA and back 24 times, draining the STA liquidity pool until its balance was almost zero. Because Balancer's pool still believed it held the original amount of STA, it kept releasing WETH in quantities matching that original balance, giving the hacker a larger margin on each completed transaction. Besides WETH, the attacker ran the same attack with WBTC, LINK and SNX, each swapped against Statera tokens.
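The mechanism the article describes, a pool whose internal reserve ledger no longer matches the tokens it actually holds, can be shown with a small simulation. The following is an added, constructed example and not Balancer's or Statera's code: it models a toy constant-product pool holding a plain token (WETH) and a 1% transfer-fee token (STA), runs WETH-to-STA-and-back round trips against it, and compares a pool that trusts the declared input amount with one that prices on the amount that actually arrived. The pool and token names, balances, and the `reconcile` check are assumptions for the demonstration; the real Balancer contract internals are not modelled.

```python
"""Constructed toy model: why a pool's cached reserve bookkeeping drifts when one of its
tokens charges a fee on every transfer, and the accounting discipline that prevents it.
Amounts are plain integers; fee_bps=100 mirrors the 1% STA behaviour the article describes."""


class Token:
    """Minimal ERC-20-style ledger. fee_bps=100 models a 1% transfer-fee token (like STA),
    fee_bps=0 a plain token (like WETH). The fee is burned, so the receiver gets less
    than the sender declared."""

    def __init__(self, name, fee_bps=0):
        self.name = name
        self.fee_bps = fee_bps
        self.balances = {}

    def mint(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError(f"{src} lacks {amount} {self.name}")
        fee = amount * self.fee_bps // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount - fee
        return amount - fee  # what the receiver actually got


class NaivePool:
    """Constant-product pool that keeps its own reserve ledger and trusts the declared
    input amount. Correct for plain tokens, wrong for fee-on-transfer ones."""

    ADDRESS = "pool"

    def __init__(self, token_a, token_b):
        self.a, self.b = token_a, token_b
        self.recorded = {t.name: t.balance_of(self.ADDRESS) for t in (token_a, token_b)}

    def other(self, token):
        return self.b if token is self.a else self.a

    def swap(self, trader, token_in, amount_in):
        token_out = self.other(token_in)
        r_in, r_out = self.recorded[token_in.name], self.recorded[token_out.name]
        amount_out = r_out * amount_in // (r_in + amount_in)  # x*y=k, no swap fee
        token_in.transfer(trader, self.ADDRESS, amount_in)    # may deliver less than amount_in
        token_out.transfer(self.ADDRESS, trader, amount_out)
        self.recorded[token_in.name] += amount_in             # BUG: credits the declared amount
        self.recorded[token_out.name] -= amount_out
        return amount_out


class MeasuringPool(NaivePool):
    """Same pool, but reserves are read from the token ledger and the swap is priced
    on the amount that actually arrived, so the bookkeeping can never drift."""

    def swap(self, trader, token_in, amount_in):
        token_out = self.other(token_in)
        r_in = token_in.balance_of(self.ADDRESS)
        r_out = token_out.balance_of(self.ADDRESS)
        received = token_in.transfer(trader, self.ADDRESS, amount_in)
        amount_out = r_out * received // (r_in + received)
        token_out.transfer(self.ADDRESS, trader, amount_out)
        self.recorded = {t.name: t.balance_of(self.ADDRESS) for t in (self.a, self.b)}
        return amount_out


def reconcile(pool):
    """Monitoring check: recorded reserve minus real balance, per token. Any non-zero
    entry means the pool is pricing against reserves it does not actually hold."""
    return {t.name: pool.recorded[t.name] - t.balance_of(pool.ADDRESS) for t in (pool.a, pool.b)}


def round_trips(pool_cls, n, trade_size):
    """Run n WETH->STA->WETH round trips against a fresh pool and return the STA drift."""
    weth, sta = Token("WETH"), Token("STA", fee_bps=100)
    weth.mint(NaivePool.ADDRESS, 1_000_000)
    sta.mint(NaivePool.ADDRESS, 1_000_000)
    weth.mint("trader", 100 * trade_size)  # ample WETH, as a flash loan would provide
    pool = pool_cls(weth, sta)
    for _ in range(n):
        pool.swap("trader", weth, trade_size)
        pool.swap("trader", sta, sta.balance_of("trader"))
    return reconcile(pool)["STA"]


if __name__ == "__main__":
    for n in (1, 24):
        print(f"{n:2d} round trips: naive STA drift = {round_trips(NaivePool, n, 100_000):>6}, "
              f"measuring STA drift = {round_trips(MeasuringPool, n, 100_000)}")
```

With the constructed reserves, a single round trip of 100,000 WETH already leaves the naive pool believing it holds 900 more STA than it does, and the gap widens with every further round trip, while the measuring pool's ledger stays exact. The `reconcile` comparison is the same check an operator can run off-chain against a live pool: compare the contract's self-reported reserves with `balanceOf` on each token, and alert on any divergence. The remedy the article reports, blacklisting transfer-fee tokens, is the other defensible option when a pool's pricing code cannot be changed.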

The hacker is said to be "a very sophisticated smart contract engineer," according to 1inch

The identity of the hacker remains a mystery, but analysts at 1inch, a decentralized exchange aggregator (a system unrelated to Bitcoin), said the hacker covered their tracks well: the ether used to pay transaction fees and deploy the smart contracts was passed through Tornado Cash, an Ethereum-based mixing service.

"The person behind this attack is a very sophisticated smart contract engineer with vast knowledge and understanding of the main DeFi protocols," 1inch said in its post discussing the theft.

For its part, the team behind Statera dismissed allegations that the protocol was flawed or had been intentionally designed for this type of attack. "We are deeply sorry, and we sincerely apologize to all the victims of this attack," Statera said in an official announcement.

The project added that it is unable to reimburse the victims of the hack. Balancer Pool will now begin blacklisting all transfer-fee tokens, including Statera, McDonald said. In a further audit, McDonald said, the team will do more research into how the hack occurred and whether similar vulnerabilities exist in other listed tokens.

The attack could not have come at a worse time for Balancer, which released its "BAL" governance token last week. As of press time, CoinGecko data showed BAL tokens trading at around the $11 level, down about 5% over the past 24 hours.