The Balancer pool, one of the newest and most exciting decentralized finance (DeFi) pools, witnessed a security breach over the weekend. According to a company statement, the attacker made use of a deflationary token to access the pool’s funds.
Exploiting a Deflationary Asset
At about 6:00 PM yesterday, a meta transaction to steal funds from a Balancer pool was executed on the Ethereum blockchain. The transaction reportedly came with a great deal of complexity, with 315 token transfers and a transaction fee of $54.
The pool that eventually gave in to the exploit had a collection of several assets, including LINK, the Synthetic Network Token (SNX), Strata (STA), WETH, and Wrapped Bitcoin (WBTC). Strata is a deflationary token that was built to “attract liquidity.” Whenever a user initiates a Strata transfer, one percent of the entire transaction ends up destroyed.
The hacker eventually borrowed 104,331 WETH (worth about $23.3 million) with a dYdX flash loan. Then, they exchanged the tokens for STA and conducted twenty-four back-and-forth exchanges.
Because STA is deflationary, each transfer delivered less than the amount sent, but Balancer recorded only the amount of STA being transferred, not the amount that was destroyed. The frequency of the transfers meant that the STA pool continued to diminish in size. Eventually, the pool’s dynamics went off balance, and the hacker went on to swap 0.000000000000000001 STA for WETH multiple times, thus draining the amount of WETH in the pool.
The hacker went on to do the same for the other tokens in the pool. The hacker repaid the flash loans, but still held a significant amount of Balancer pool tokens. Using Uniswap, they exchanged the pool tokens for more STA and swapped them for 109 WETH (about $24,300).
Balancer claimed in its statement that it didn’t know this sort of attack was possible. However, the company also pointed out that it had gotten warnings concerning the consequences of non-standard ERC-20 token transfers on its pool.
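The accounting gap described above can be modeled in a few lines. This is an added illustration, not Balancer's or Strata's code: the class names, the deposit sizes and the balance-difference fix are assumptions, and only the one percent burn and the twenty-four transfers come from the article.

```python
from decimal import Decimal

BURN_RATE = Decimal("0.01")  # one percent of every transfer is destroyed (from the article)


class DeflationaryToken:
    """Minimal fee-on-transfer token: the receiver gets the amount minus the burn."""
    def __init__(self):
        self.balances = {}

    def credit(self, owner, amount):
        self.balances[owner] = self.balances.get(owner, Decimal(0)) + amount

    def balance_of(self, owner):
        return self.balances.get(owner, Decimal(0))

    def transfer(self, sender, receiver, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.credit(receiver, amount * (1 - BURN_RATE))  # burned part is never credited


class Pool:
    """Hypothetical pool that keeps its own record of how much of the token it holds."""
    def __init__(self, token, measure_received):
        self.token, self.measure_received, self.recorded = token, measure_received, Decimal(0)

    def deposit(self, sender, amount):
        before = self.token.balance_of("pool")
        self.token.transfer(sender, "pool", amount)
        received = self.token.balance_of("pool") - before
        # Naive: trust the requested amount. Hardened: credit only what actually arrived.
        self.recorded += received if self.measure_received else amount
        return received

    def drift(self):
        """Recorded balance minus real balance; anything non-zero means the books are wrong."""
        return self.recorded - self.token.balance_of("pool")


def run(measure_received, transfers=24, amount=Decimal(1000)):
    """Push `transfers` deposits of a constructed size into the pool and return the drift."""
    token = DeflationaryToken()
    token.credit("user", amount * transfers)  # constructed starting balance
    pool = Pool(token, measure_received)
    for _ in range(transfers):
        pool.deposit("user", amount)
    return pool.drift()
```

With the naive record, the pool believes it holds more of the token than it does, and the gap grows with every transfer; crediting the measured balance difference keeps the drift at zero, and the same drift check can serve as a monitoring invariant.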
Growing Pains for the DeFi Space?
At the end of their operation, the hacker was able to steal $500,000 in user funds. Currently, the hacker’s wallet address has about $134,000 in Ether tokens. Balancer also committed in its statement to providing additional documentation concerning how its pool works. The company’s statement didn’t confirm whether it reimbursed customers who lost their funds due to the hack.
The Balancer hack comes as the entire DeFi space appears to be on an expansionary trend. The Compound Governance Token (COMP), the governance token for DeFi protocol Compound, surged in value from $64 on June 18 to $352 after exchange Coinbase Pro listed it on its platform. The asset went as high as $427, although it settled back to about $255 on June 27.
Members of the crypto community have raised concerns about the DeFi space, as it appears to be a giant bubble waiting to pop and take investors down with it. While the growth of the space is a good thing for the crypto industry and an encouraging sign for things to come, hacks like these will erode investors’ confidence.
Besides Balancer, several other DeFi projects have had security and reliability issues in recent months. This nascent industry might want to tread with caution.