Hacker Drains $500K from DeFi Liquidity Provider Balancer

Monday 29 June 2020, 10:04 PM AEST - 4 months ago

https://www.shutterstock.com/image-photo/crumpled-money-on-deserted-road-leading-447979342

Decentralized finance (DeFi) liquidity provider Balancer Pool admitted early Monday morning that it had fallen victim to a sophisticated hack that exploited a loophole, tricking the protocol into releasing $500,000-worth of tokens.

In a blog post, Balancer CTO Mike McDonald said the attacker had borrowed $23 million-worth of WETH tokens, an ether-backed token suitable for DeFi trading, in a flash loan from dYdX. They then traded, against themselves, with Statera (STA), an investment token that uses a transfer fee model, and burns 1% of its value every time its traded.

The attacker went between WETH and STA 24 times, draining the STA liquidity pool until the balance was next to nothing. Because Balancer thought it had the same amount of STA, it released WETH that equated to the original balance, giving the attacker a larger margin for every trade they completed.

As well as WETH, the attacker performed the same attack using WBTC, LINK and SNX, all against Statera tokens.

The hackers identity remains a mystery, but analysts at 1inch exchange, a decentralized exchange aggregator, said they had covered their tracks well: the ether used to pay transaction fees and deploy smart contracts was laundered through Tornado Cash, an Ethereum-based mixer service.

The person behind this attack was very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols, 1inch said in its blog post on the breach.

For its part, the team behind Statera batted away accusations that the protocol had either failed or been designed intentionally for this sort of attack to take place.

We deeply regret, apologize and sincerely extend our condolences to all the victims of this attack, Statera said in an official announcement.

The project added that it was not in a position to be able to refund the attackers victims.

Balancer Pool will now begin blacklisting all transfer fee tokens, including S ...

Read full story on CoinDesk

Disclaimer: The content and views expressed in the articles are those of the original authors own and are not necessarily the views of Crypto News. We do actively check all our content for accuracy to help protect our readers. This article content and links to external third-parties is included for information and entertainment purposes. It is not financial advice. Please do your own research before participating.