Balancer, an automated market maker protocol, was drained of $452,000 today (29 June 2020) from two multi-token pools on Balancer. The hacker carried out the attack in two transactions made within 45 minutes. They exploited pools containing STA and STONK, deflationary tokens that charge a fee on every transfer.
How it was done
First, the hacker took a flash loan of ETH worth $23 million from dYdX, converted it to WETH and then started swapping the WETH to STA, swapping back and forth 24 times in total. Each trade was charged 1%, which allowed them to drain the pool's STA balance to (copy paste the figure). After that, they swapped the STA for the other assets in the pool very cheaply.
The attacker made off with a total of $452,000: 601.3 ETH ($134.8k), 11.36 WBTC ($103.5k), 22,593 LINK ($102.8k) and 60,915 SNX ($110.9k).
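The accounting problem underneath this kind of incident is easier to see in a small simulation. The following Python model is an added example and is not Balancer's code: it builds a constructed fee-on-transfer token (1% of every transfer burned, as the article describes for STA) and a simplified two-asset constant-product pool. The pool can be run in two modes: one that credits the nominal amount a caller claims to have sent (the unsafe pattern), and one that credits only the measured increase in its own token balance (a common mitigation, assumed here rather than taken from Balancer). The `drift_a` figure shows how far the unsafe pool's bookkeeping drifts from what it really holds after a single swap; the names `Token`, `Pool` and `run_swap` are all hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Token:
    """Constructed ERC20 model. fee_bps > 0 makes it deflationary: that share of
    every transfer is burned, so the receiver gets less than the sender is debited."""
    name: str
    fee_bps: int = 0
    balances: dict = field(default_factory=dict)

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def transfer(self, src: str, dst: str, amount: int) -> int:
        assert self.balance_of(src) >= amount, "insufficient balance"
        fee = amount * self.fee_bps // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount - fee
        return amount - fee  # what actually arrived at dst


class Pool:
    """Hypothetical, simplified constant-product pool (not Balancer's code).

    trust_amount_in=True mirrors the unsafe accounting: the pool credits the nominal
    amount the caller says it sent. False mirrors the defensive fix: it credits only
    the measured change in its own token balance (balanceOf after minus before)."""

    def __init__(self, token_a: Token, token_b: Token,
                 reserve_a: int, reserve_b: int, trust_amount_in: bool):
        self.a, self.b = token_a, token_b
        self.trust_amount_in = trust_amount_in
        self.a.balances["pool"] = reserve_a
        self.b.balances["pool"] = reserve_b
        # The pool's own bookkeeping of its reserves.
        self.reserve_a, self.reserve_b = reserve_a, reserve_b

    def swap_a_for_b(self, user: str, amount_in: int) -> int:
        before = self.a.balance_of("pool")
        self.a.transfer(user, "pool", amount_in)
        received = self.a.balance_of("pool") - before
        credited = amount_in if self.trust_amount_in else received
        # Constant-product pricing on the credited amount (swap fee omitted).
        amount_out = self.reserve_b * credited // (self.reserve_a + credited)
        self.reserve_a += credited
        self.reserve_b -= amount_out
        self.b.transfer("pool", user, amount_out)
        return amount_out

    def drift_a(self) -> int:
        """How much the pool's bookkeeping overstates the token A it really holds.
        Zero means the records match reality; positive means phantom reserves."""
        return self.reserve_a - self.a.balance_of("pool")


def run_swap(trust_amount_in: bool, amount_in: int = 100_000):
    """Constructed scenario: 1,000,000 STA / 1,000,000 WETH-units in the pool,
    one user swapping amount_in STA for WETH. Returns (amount_out, drift)."""
    sta = Token("STA", fee_bps=100)   # 1% burned on every transfer
    weth = Token("WETH")              # well-behaved token, no fee
    sta.balances["user"] = amount_in
    pool = Pool(sta, weth, 1_000_000, 1_000_000, trust_amount_in)
    out = pool.swap_a_for_b("user", amount_in)
    return out, pool.drift_a()


if __name__ == "__main__":
    for trust in (True, False):
        out, drift = run_swap(trust)
        mode = "trusts amountIn" if trust else "measures balance delta"
        print(f"pool {mode}: paid out {out}, reserve overstated by {drift}")
```

In the unsafe mode the pool pays out against 100,000 STA while only 99,000 arrived, leaving a 1,000-unit gap between its records and its balance; every further swap widens that gap, which is why repeated back-and-forth trades can hollow out the real STA balance while the pool keeps pricing as if the reserve were intact. Measuring the balance change before and after the transfer keeps the records honest regardless of how the token behaves.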
Balancer, in an official statement, said its developers were not aware of the possibility of an attack through this means:
“This is explicitly why STA was not included in the BAL mining whitelist that was recently put together,” the official Medium post said. “The system is designed for compliant ERC20’s and when tokens behave in unintended ways, bad things can happen. Balancer is a permission-less protocol and broken or malicious tokens will always be able to be added at the contract level.”
DEX aggregator 1inch stated in its write-up that the attacker was a “very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols”.
DeFi taking the heat
DeFi has grown rapidly and now holds $1.63 billion in locked-in value across different platforms. bZx and dForce, two leading DeFi platforms, were hacked earlier this year: bZx was drained of $1 million, while $25 million was stolen from dForce and later returned. These hacks, among others, highlight the vulnerability of DeFi platforms.