- Yet another exploit in an Open Finance protocol has come to light, and only after attackers had already used it.
- This time the targets were two Balancer protocol pools, which were drained of $450,000.
- This is the fifth large attack, although it seems to have resulted in the lowest amount stolen in 2020.
Yesterday, June 28th, an unknown attacker stole nearly half a million dollars ($450,000) from two Balancer pools. Both pools supported multiple tokens, but they were centred around deflationary tokens, according to reports.
Details about the attack
The exploit only affected those pools that contained STONK and STA — deflationary tokens with transfer fees.
The attacker made quite a trek, getting a $23 million flash loan of ETH, which was then converted into WETH. Next, they used WETH to obtain STA, repeating this 24 times.
As a result, the attacker managed to completely drain the STA balance, which the 1% transaction fee brought down to 0.000000000000000001 STA.
With the balance so close to zero, the attacker was able to exchange it for other assets at a very low price. In total, the attacker managed to drain:
- 601.3 ETH ($134,800)
- 60,915 SNX ($110,900)
- 22,593 LINK ($102,800)
- 11.36 WBTC ($103,500)
The attacker knew what they were doing
According to a report of the events issued by 1inch, the attacker had an extensive understanding and knowledge of how the top DeFi protocols work. They are likely a highly sophisticated smart contract engineer.
The attacker also knew how to cover their tracks by using a mixer known as Tornado Cash to hide the origin of Ethereum used for deploying the contracts.
As for Balancer, it commented on the move, stating that it had been unaware of this type of attack, or that it was even possible. However, it also warned about deflationary tokens with transfer fees, stating that they have unintended effects.
Not only that, but it said that it will start adding such tokens to a UI blacklist. The protocol has also already gone through two audits, and it is supposed to have a third one soon.
However, Balancer is far from being the only one affected by such attacks. In fact, this is the fifth high-profile attack when it comes to open finance protocols. They originally started in February, when two of them happened on the same day — February 15th. Back then, the attacker managed to drain over $1m from the lending protocol bZx.
Then, the dForce protocol lost as much as $25 million in April. However, the attacker suddenly had a change of heart, and they simply returned the funds for no apparent reason.