“We were not aware this specific type of attack was possible.”
Decentralized finance (DeFi) liquidity provider Balancer Pool admitted early Monday morning that it had fallen victim to a sophisticated hack that exploited a loophole, tricking the protocol into releasing $500,000-worth of tokens.
In a blog post, Balancer CTO Mike McDonald said the attacker had borrowed $23 million-worth of WETH tokens, an ether-backed token suitable for DeFi trading, in a flash loan from dYdX. They then traded, against themselves, with Statera (STA), an investment token that uses a transfer fee model, and burns 1% of its value every time it’s traded.
The attacker went between WETH and STA 24 times, draining the STA liquidity pool until the balance was next to nothing. Because Balancer thought it had the same amount of STA, it released WETH that equated to the original balance, giving the attacker a larger margin for every trade they completed.
As well as WETH, the attacker performed the same attack using WBTC, LINK and SNX, all against Statera tokens.
The hacker’s identity remains a mystery, but analysts at 1inch exchange, a decentralized exchange aggregator, said they had covered their tracks well: the ether used to pay transaction fees and deploy smart contracts was laundered through Tornado Cash, an Ethereum-based mixer service.
“The person behind this attack was very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols,” 1inch said in its blog post on the breach.
For its part, the team behind Statera batted away accusations that the protocol had either failed or been designed intentionally for this sort of attack to take place.
“We deeply regret, apologize and sincerely extend our condolences to all the victims of this attack,” Statera said in an official announcement.
The project added that it was not in a position to be able to refund the attacker’s victims.
Balancer Pool will now begin blacklisting all transfer fee tokens, including Statera, McDonald said. As well as another audit, McDonald said the team would do more research into how the hack happened and whether similar vulnerabilities exist with other listed tokens.
At press time, CoinGecko data shows BAL tokens trading at the $11 mark, down about 5% in the past 24 hours.
The leader in blockchain news, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.