Balancer pools drained of more than $450,000 due to an exploit connected to deflationary tokens

Two multi-token pools on Balancer, an automated market maker protocol, were drained of ~$450,000 on June 29 by an attacker who specifically targeted pools containing so-called deflationary tokens.

The hacker conducted the attack in two separate transactions — one took place at 6:03 pm and the second one 30 minutes later, at 06:49 pm. Only pools holding STA and STONK, deflationary tokens with transfer fees, were affected by this exploit.

The attacker took a $23 million flash loan of ETH from dYdX, converted it to WETH, and began swapping WETH to STA and back again, repeating the round trip 24 times. Because STA's 1% transfer fee was deducted on each trade, this drained the pool's STA balance all the way down to 0.000000000000000001 STA. With the pool's STA balance that close to zero, the attacker was able to swap STA for the other assets in the pool very cheaply.
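To make the accounting failure behind this concrete, here is an added toy model (not Balancer's code): a two-token constant-product pool that, like the affected pools, records the STA it is told it received rather than what a fee-on-transfer token actually delivers. The reserves, the 1% fee and the 24 round trips are constructed values mirroring the incident; the last function is the kind of pre-listing check that flags such a token.

```python
# Added example, not Balancer's code. Toy constant-product pool (x*y=k) whose
# bookkeeping trusts the caller-supplied input amount, traded against a token
# that burns 1% on every transfer. All numbers below are constructed.

class FeeOnTransferToken:
    """Minimal STA-like token: every transfer burns FEE_BPS of the amount."""
    FEE_BPS = 100  # 1% transfer fee, as STA charged

    def __init__(self):
        self.balances = {}

    def transfer(self, sender, recipient, amount):
        fee = amount * self.FEE_BPS / 10_000
        self.balances[sender] = self.balances.get(sender, 0) - amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount - fee
        return amount - fee  # what the recipient actually gets


class NaivePool:
    """Pool that records caller-supplied amounts instead of measured receipts."""

    def __init__(self, token, sta, weth):
        self.token, self.rec_sta, self.weth = token, sta, weth
        token.balances["pool"] = sta  # actual STA held equals recorded, at first

    def weth_to_sta(self, trader, weth_in):
        sta_out = self.rec_sta * weth_in / (self.weth + weth_in)
        self.weth += weth_in
        self.rec_sta -= sta_out
        return self.token.transfer("pool", trader, sta_out)  # trader nets 99%

    def sta_to_weth(self, trader, sta_in):
        weth_out = self.weth * sta_in / (self.rec_sta + sta_in)
        self.token.transfer(trader, "pool", sta_in)  # pool really receives 99%
        self.rec_sta += sta_in                       # but books the full 100%
        self.weth -= weth_out
        return weth_out

    def actual_sta(self):
        return self.token.balances["pool"]


def accounting_drift(rounds=24, weth_in=1_000.0):
    """Round-trip WETH->STA->WETH `rounds` times; return (recorded, actual) STA."""
    token = FeeOnTransferToken()
    pool = NaivePool(token, sta=1_000_000.0, weth=100.0)
    token.balances["trader"] = 0.0
    for _ in range(rounds):
        received = pool.weth_to_sta("trader", weth_in)
        pool.sta_to_weth("trader", received)  # send back everything received
    return pool.rec_sta, pool.actual_sta()   # recorded ends up above actual


def is_fee_on_transfer(token, probe=1_000.0):
    """Listing check: a token is deflationary if a transfer delivers less than sent."""
    token.balances["probe_src"] = probe
    return token.transfer("probe_src", "probe_dst", probe) < probe
```

The gap between the recorded and actual balances is exactly the fee burned on each deposit, so a pool that measures its own balance before and after a transfer, or refuses to list tokens that fail the probe, does not accumulate it.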

The attacker drained 601.3 ETH (~$134.8k), 11.36 WBTC (~$103.5k), 22,593 LINK (~$102.8k), and 60,915 SNX (~$110.9k). In total, the attacker made off with about $452,000.

DEX aggregator 1inch said in its writeup that the attacker was a “very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols.” The ETH used to deploy the attack contracts had been mixed through Tornado Cash to hide its source.

Balancer said that it was not aware this specific type of attack was possible, but that it had warned about the unintended effects of deflationary tokens with transfer fees. It vowed to begin adding deflationary tokens to the UI blacklist, as it has already done for tokens whose transfer function does not return a bool. The protocol added that it has already undergone two full audits and has a third planned.

This is the fifth high-profile attack on Open Finance protocols. The first two happened on February 15, when attackers drained the lending protocol bZx of more than $1 million. In April, the dForce protocol was drained of $25 million, but the entire amount was returned by the attacker for reasons that remain unknown.

