Last Updated on 30/07/2020 by TheDigitalHacker
Balancer, a decentralized finance (DeFi) liquidity provider, admitted early on June 29, 2020 that it had fallen victim to a sophisticated hack. The attacker exploited a loophole in the protocol, tricking it into releasing tokens worth roughly $500,000.
In a blog post, Balancer CTO Mike McDonald stated that the hacker had borrowed $23 million worth of WETH (wrapped ether, a token backed by ether that can be traded across DeFi protocols) in a flash loan from dYdX. The attacker then traded with themselves between WETH and Statera (STA), a deflationary token whose transfer-fee model burns 1% of every transfer.
The attacker swapped back and forth between WETH and STA 24 times, which drained the pool's actual STA balance to almost nothing. Each STA transfer into the pool burned 1% that the pool's own accounting never subtracted, so Balancer still believed it held the original amount of STA and kept releasing WETH priced against that balance, giving the attacker a large margin on every trade.
The attacker then repeated the same attack against WBTC, LINK and SNX, each paired against STA.
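The accounting flaw described above, modelled as an added example (this is not Balancer's or Statera's code): a toy constant-product pool that keeps its own balance records, paired with a token that burns 1% of every transfer. `Pool`, `FeeOnTransferToken`, the `trust_declared_amount` flag, the address labels and all amounts are invented for illustration, and the burn is rounded up so that a 1-unit transfer vanishes entirely, which is a modelling assumption rather than STA's exact arithmetic. The vulnerable pool credits whatever amount the caller declares; the hardened variant credits only the balance change it can observe, the standard defence against fee-on-transfer tokens.

```python
# Added example, not Balancer's or Statera's code. Amounts are abstract
# integer units; "pool" and "attacker" are just address labels.


class PlainToken:
    """ERC-20-like token with no transfer fee (stand-in for WETH)."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def burn(self, amount):
        return 0  # no fee

    def transfer(self, sender, recipient, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        burned = self.burn(amount)
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount - burned


class FeeOnTransferToken(PlainToken):
    """Deflationary token (stand-in for STA): 1% of every transfer is burned.
    Assumption: the burn rounds up, so a 1-unit transfer burns entirely
    (a modelling simplification, not STA's exact arithmetic)."""

    def burn(self, amount):
        return -(-amount // 100)  # ceil(amount / 100)


class Pool:
    """Two-asset constant-product pool that keeps its own balance records.
    trust_declared_amount=True reproduces the flaw the article describes:
    the pool credits the caller-declared input to its records instead of
    what actually arrived, so tokens burned in transit count as held."""

    def __init__(self, tokens, trust_declared_amount):
        self.tokens = tokens  # symbol -> token contract
        self.trust_declared_amount = trust_declared_amount
        self.records = {s: t.balance_of("pool") for s, t in tokens.items()}

    def phantom(self, sym):
        """Units the pool believes it holds but does not (should be 0)."""
        return self.records[sym] - self.tokens[sym].balance_of("pool")

    def swap_exact_in(self, trader, sym_in, amount_in, sym_out):
        tok_in, tok_out = self.tokens[sym_in], self.tokens[sym_out]
        before = tok_in.balance_of("pool")
        tok_in.transfer(trader, "pool", amount_in)
        received = tok_in.balance_of("pool") - before  # the only trustworthy figure
        credited = amount_in if self.trust_declared_amount else received
        if credited == 0:
            raise ValueError("nothing received, refusing to price the swap")
        r_in, r_out = self.records[sym_in], self.records[sym_out]
        amount_out = r_out * credited // (r_in + credited)  # x*y = k, no swap fee
        self.records[sym_in], self.records[sym_out] = r_in + credited, r_out - amount_out
        tok_out.transfer("pool", trader, amount_out)
        return amount_out


def build(trust, pool_weth, pool_sta, attacker_weth, attacker_sta=0):
    weth = PlainToken({"pool": pool_weth, "attacker": attacker_weth})
    sta = FeeOnTransferToken({"pool": pool_sta, "attacker": attacker_sta})
    return Pool({"WETH": weth, "STA": sta}, trust), sta


def simulate_round_trips(trust, trips=24, weth_per_trip=1_000_000):
    """Attacker swaps WETH -> STA -> WETH `trips` times, funded by a large WETH stake."""
    pool, sta = build(trust, 1_000_000, 1_000_000, 50_000_000)
    burned_on_deposit = 0
    for _ in range(trips):
        pool.swap_exact_in("attacker", "WETH", weth_per_trip, "STA")
        held = sta.balance_of("attacker")  # 1% less than the pool paid out
        burned_on_deposit += sta.burn(held)  # lost again on the way back in
        pool.swap_exact_in("attacker", "STA", held, "WETH")
    return {"recorded_sta": pool.records["STA"], "actual_sta": sta.balance_of("pool"),
            "phantom_sta": pool.phantom("STA"), "burned_on_deposit": burned_on_deposit}


def phantom_deposit_payout(trust):
    """Pool left with 1 STA after a drain; the attacker 'deposits' 1 STA that burns to 0."""
    pool, _ = build(trust, 1_000_000, 1, 0, attacker_sta=1)
    try:
        return pool.swap_exact_in("attacker", "STA", 1, "WETH")
    except ValueError:
        return 0  # the hardened pool refuses to pay for a deposit it never received


if __name__ == "__main__":
    for trust in (True, False):
        print("vulnerable" if trust else "hardened", simulate_round_trips(trust),
              "WETH paid for a phantom deposit:", phantom_deposit_payout(trust))
```

Run it and compare the two results: the vulnerable pool's `phantom_sta` grows by exactly the amount burned on each STA deposit, so its record drifts above what it really holds, and once its STA record is down to a single unit it pays out half its WETH for a deposit that never arrived. Measuring the balance delta before pricing the swap is what makes the hardened pool refuse that phantom deposit outright.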
Who was the attacker?
The attacker's identity has not been revealed and remains a mystery, though analysts at the 1inch exchange said the hacker covered their tracks very well. The ether used to pay the transaction fees and deploy the attack contracts came through Tornado Cash, an Ethereum-based mixing service.
“The person behind this attack was [a] very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols,” said 1inch in its blog post.
After the attack, the team behind STA tried to dodge accusations that the token had either failed or been designed in a way that made such an attack possible.
Apology to the clients
“We deeply regret, apologize and sincerely extend our condolences to all the victims of this attack,” Statera said in an official announcement.
The project added that it is currently not in a position to refund the victims of the attack.
Further steps
Balancer will now blacklist all transfer-fee tokens, including Statera, from its pools, McDonald said. In addition to another audit, McDonald noted that the team would study further how the hack happened, whether similar vulnerabilities exist with other listed tokens, and how to fix them to prevent such attacks in the future.