Balancer, an Ethereum-based DeFi protocol, was hacked after an attacker found a vulnerability that allowed them to steal more than $500,000, spread across several tokens held by the platform, in two transactions.
For some weeks now the decentralized finance (DeFi) ecosystem has seen remarkable growth, driven by the better tools it gives users to manage their assets. DeFi also offers a way to earn income through the liquidity pools that various platforms run, where users can lend or borrow and earn rewards from the interest generated by locking up their tokens.
However, despite the growing usage of and trust in DeFi, it is clear that developers still need to work on the security of these protocols. Recently the Ethereum-based DeFi platform Balancer was the victim of an attack in which a hacker managed to steal $500,000 (€444,775) in assets from the platform.
The attack was spotted by 1inch.exchange, which pointed out in a post that the hacker had found a vulnerability in the automated market maker (AMM) the platform uses.
Attacks on the DeFi Balancer platform
1inch.exchange reports that the hacker used a smart contract that automated several actions within a single complex transaction, then sent that transaction to the Ethereum main network, where it carried out the attack on two of Balancer's liquidity pools.
A few hours later Balancer confirmed the attack in an article giving more details of what had happened. As Mike McDonald, CTO of Balancer, explained, the hacker was able to withdraw funds from two of the liquidity pools managed by the protocol, those holding the STA and STONK tokens.
The description of the attack states that the hacker first took out a flash loan on Ethereum from the decentralized platform dYdX. Once he had the ETH, he converted it into the wETH token. The flash loan was for 104,000 ETH, equivalent to about $20.4 million at the value of Ethereum at the time of this publication.
Flash loans are loans made without collateral: a smart contract borrows the assets and must repay the loan within the same transaction, otherwise the whole transaction is reverted and the loan never takes effect. That may sound like a flaw in the system, but it is a feature that many DeFi protocols have adopted. In the past, however, flash loans have been the first step of attacks on several protocols: the loan itself is repaid, but in between the attacker uses the borrowed capital to exploit a vulnerability elsewhere and keeps the proceeds, exactly as happened with Balancer.
What the Balancer hacker did this time was convert the borrowed ETH into wETH and then swap wETH for the STA (Statera) token, repeating the exchange until 24 swaps between the same two tokens had been made. Once this routine was complete, the hacker triggered an accounting error in the smart contract that allowed him to take part of the funds held by the pool.
Statera's deflationary mechanism appears to be what enabled the theft of the pool's funds
The developers believe it was Statera's deflationary mechanism that let the hacker get hold of Balancer funds. Every time STA is transferred, 1% of the amount is burned automatically, so the recipient receives 1% less than the nominal value of the transfer, while the pool's own accounting assumes the full amount moved. This appears to be what the hacker exploited through the 24 swaps between wETH and STA: with each swap, the gap between what the pool believed it held in STA and what it actually held grew.
McDonald then explains that the hacker swapped weiSTA, the smallest base unit of STA (10^-18 STA, named by analogy with wei), for several of the pool's other tokens, including LINK, wBTC and SNX (wBTC being Bitcoin tokenized on the Ethereum network, SNX the Synthetix token). Because of the deflationary mechanism these weiSTA transfers never actually delivered STA to the pool, yet the pool priced each one as a real deposit, so the hacker could repeat the swap over and over, extracting the other tokens available in the pool.
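The two mechanisms described in the preceding paragraphs, a flash loan that only stands if it is repaid within the same transaction and a pool that credits the nominal amount of a deflationary token rather than the amount that actually arrives, are modelled below as an added example. This is illustrative code written for this page, not Balancer, Statera or dYdX code, and it does not reproduce the real transaction sequence. Everything in it is constructed: the token names and balances, the constant-product pricing with equal weights and no swap fee, the absence of per-swap size limits, the burn that rounds up so that a 1-unit transfer delivers nothing, and the attacker's use of a record resync between swaps (Balancer V1 exposes a public gulp() with that effect; the article does not say whether the attacker used it).

```python
"""Toy model of a same-transaction flash loan and of a pool whose internal balance record
drifts from a fee-on-transfer ("deflationary") token's real balance. Added illustration,
not Balancer, Statera or dYdX code, not the real transaction sequence. Assumptions: equal
weights, no swap fee, integer base units, no swap size limits, burn rounded up (1 unit -> 0)."""


def ceil_div(a, b):
    return -(-a // b)


class Token:
    """Minimal ERC-20-like ledger; burn_bps > 0 makes it fee-on-transfer."""

    def __init__(self, symbol, balances, burn_bps=0):
        self.symbol, self.burn_bps, self.balances = symbol, burn_bps, dict(balances)

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, sender, recipient, amount):
        if self.balance_of(sender) < amount:
            raise ValueError(f"{self.symbol}: {sender} cannot send {amount}")
        burned = ceil_div(amount * self.burn_bps, 10_000)  # rounding up is an assumption
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount - burned


class Pool:
    """Keeps its own per-token record, like Balancer V1's _records. credit_nominal=True
    credits what the trader claims to have sent (vulnerable); False credits what arrived."""

    def __init__(self, name, tokens, credit_nominal):
        self.name, self.credit_nominal = name, credit_nominal
        self.tokens = {t.symbol: t for t in tokens}
        self.record = {t.symbol: t.balance_of(name) for t in tokens}

    def gulp(self, symbol):  # resync the record with reality; Balancer V1 has a public gulp()
        self.record[symbol] = self.tokens[symbol].balance_of(self.name)

    def swap_exact_in(self, trader, sym_in, sym_out, amount_in):
        tok_in, before = self.tokens[sym_in], self.tokens[sym_in].balance_of(self.name)
        tok_in.transfer(trader, self.name, amount_in)
        credited = amount_in if self.credit_nominal else tok_in.balance_of(self.name) - before
        b_in, b_out = self.record[sym_in], self.record[sym_out]
        amount_out = b_out - ceil_div(b_in * b_out, b_in + credited)  # x*y = k, pool-favouring
        if amount_out <= 0:
            raise ValueError("swap would pay out nothing")
        self.record[sym_in] += credited
        self.record[sym_out] -= amount_out
        self.tokens[sym_out].transfer(self.name, trader, amount_out)
        return amount_out


def flash_loan(token, lender, borrower, amount, state, body):
    """No-collateral loan repaid in the same transaction, else every dict in state rolls back."""
    saved = [dict(d) for d in state]
    token.transfer(lender, borrower, amount)
    try:
        body()
        token.transfer(borrower, lender, amount)  # raises if the borrower is short
        return True
    except ValueError:
        for d, s in zip(state, saved):  # the model's stand-in for an EVM revert
            d.clear(); d.update(s)
        return False


def run_attack(credit_nominal, max_rounds=40):
    """Plays the article's two phases against a constructed pool and reports the outcome."""
    POOL, ATT, LENDER = "pool", "attacker", "lender"
    sta = Token("STA", {POOL: 1_000_000}, burn_bps=100)  # 1% burned on every transfer
    weth = Token("WETH", {POOL: 100, LENDER: 200_000_000})
    link = Token("LINK", {POOL: 10_000})
    pool = Pool(POOL, [sta, weth, link], credit_nominal)
    stats = {"phase1_swaps": 0, "phase2_attempts": 0, "record_minus_real_sta": 0}

    def body():
        # phase 1: buy STA until the pool holds a single base unit of it; sending in as
        # much WETH as the pool already records halves the pool's STA every time
        while pool.record["STA"] > 1:
            pool.swap_exact_in(ATT, "WETH", "STA", pool.record["WETH"])
            stats["phase1_swaps"] += 1
        # phase 2: pay 1 base unit of STA, which the burn turns into a deposit of
        # nothing, for each other reserve, resyncing the STA record between swaps
        for sym_out in ("LINK", "WETH"):
            for _ in range(max_rounds):
                pool.gulp("STA")
                stats["phase2_attempts"] += 1
                try:
                    pool.swap_exact_in(ATT, "STA", sym_out, 1)
                except ValueError:
                    break
                drift = pool.record["STA"] - sta.balance_of(POOL)
                stats["record_minus_real_sta"] = max(stats["record_minus_real_sta"], drift)

    state = [sta.balances, weth.balances, link.balances, pool.record]
    stats["loan_repaid"] = flash_loan(weth, LENDER, ATT, 200_000_000, state, body)
    stats.update(pool_sta=sta.balance_of(POOL), pool_weth=weth.balance_of(POOL),
                 pool_link=link.balance_of(POOL), attacker_weth=weth.balance_of(ATT),
                 attacker_link=link.balance_of(ATT))
    return stats
```

Call run_attack(True) for the pool that credits the claimed amount and run_attack(False) for the one that credits only the observed balance change. In the first case the attacker leaves the pool with one base unit of each reserve, keeps 99 WETH and 9,999 LINK after repaying the 200,000,000 WETH loan, and paid for it with 43 one-unit STA transfers; after every such deposit the pool's STA record sits one unit above the token's real balance. In the second case each zero-value deposit is refused, the attacker cannot repay, and the flash loan rolls the whole transaction back, leaving the pool untouched. The general fix is the one the hardened pool applies: never trust the amount a caller claims to have transferred in, measure the balance before and after the pull and price only the difference.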
In total, the report indicates that the hacker obtained around $500,000 in the first attack.
A second attack was reported
Although the second attack was considerably smaller than the first, several developers said they are committed to auditing the platforms to find and fix existing vulnerabilities in the protocols.
The second attack came less than 24 hours after the first and targeted a pool holding COMP, Compound's governance token. It was executed in a way quite similar to the first, but the hacker only obtained about 10 COMP, worth around $2,300 at the time of this publication.
Crypto Community Speaks Out After Attacks
So far, several figures in the crypto community have weighed in on these attacks on DeFi ecosystems, mainly pointing out that Balancer knew about the vulnerability in its protocol but did not disclose it or act in time to correct it, which is what let the hacker take advantage of the situation.
Faced with these accusations, Mike McDonald apologized for not having acted in time to fix the vulnerability, though the team maintains that it had no idea this specific type of attack was possible on Balancer.