29 June 2020

DeFi faces another high-profile attack as Balancer loses $500K

Balancer, a non-custodial portfolio manager and automated market maker, was drained of nearly half a million dollars by a sophisticated attacker who exploited a bug in deflationary token pools. The attacker borrowed $23 million through a flash loan on dYdX and converted it to WETH, which was then traded continuously in the STA/STONK pool. Draining the balance of STA made its price relative to other tokens extremely high, allowing the attacker to swap for other assets at a much cheaper price.

Why it matters

- Balancer has already been audited twice; however, this specific vulnerability was not found, although the team has warned about the unintended consequences of deflationary ERC20 tokens. This goes to show that even after taking the necessary steps to prevent a hack, one is still possible, and users should be aware of that risk.
- Unlike the dForce attack that led to $25 million being returned, this attacker took steps to shield his identity and washed all his funds through Tornado Cash. This makes it unlikely that the funds will be returned and will leave Balancer in a deficit.
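An added example, not taken from the article or from Balancer's code: a small Python model of how a token that burns part of each transfer can make a pool's recorded balance drift from what it actually holds, next to the hardened accounting that credits the measured balance change. The 1% burn rate, the account names and the `DeflationaryToken`, `Pool` and `run` names are constructed for illustration; `spot_price` is the weighted-pool spot price with the swap fee left out, and shows why a nearly empty balance prices a token very high.

```python
from fractions import Fraction

class DeflationaryToken:
    """Constructed ERC20-like token that burns a fraction of every transfer."""
    def __init__(self, burn=Fraction(1, 100)):  # 1% is an assumed rate
        self.burn, self.balances = burn, {}

    def mint(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        received = amount - amount * self.burn  # recipient gets less than `amount`
        self.balances[dst] = self.balances.get(dst, 0) + received
        return received

class Pool:
    """Keeps its own record of the token balance, as an AMM does for pricing."""
    def __init__(self, token, measure_delta):
        self.token, self.measure_delta, self.recorded = token, measure_delta, Fraction(0)

    def deposit(self, sender, amount):
        before = self.token.balances.get("pool", 0)
        self.token.transfer(sender, "pool", amount)
        actual = self.token.balances["pool"] - before
        # Naive: trust the nominal amount. Hardened: credit only what arrived.
        self.recorded += actual if self.measure_delta else amount

    def drift(self):
        """Recorded balance minus real holdings; non-zero means the books are wrong."""
        return self.recorded - self.token.balances.get("pool", 0)

def spot_price(bal_in, w_in, bal_out, w_out):
    """Price of the 'out' token in units of 'in': (B_in/W_in) / (B_out/W_out)."""
    return (Fraction(bal_in) / w_in) / (Fraction(bal_out) / w_out)

def run(measure_delta, deposits=10, amount=1000):
    """Make repeated deposits and return the resulting accounting drift."""
    token = DeflationaryToken()
    token.mint("lp", deposits * amount)
    pool = Pool(token, measure_delta)
    for _ in range(deposits):
        pool.deposit("lp", amount)
    return pool.drift()
```

A pool that asserts `drift() == 0` after every transfer, or that refuses tokens whose received amount differs from the requested amount, catches this class of mismatch before it affects pricing.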

