Hacker Drains $500K From DeFi Liquidity Provider Balancer

The sophisticated attack exploited a loophole that tricked the protocol into releasing $500,000 worth of tokens.

AccessTimeIconJun 29, 2020 at 11:12 a.m. UTC
Updated Sep 14, 2021 at 8:57 a.m. UTC

"We were not aware this specific type of attack was possible."

Decentralized finance (DeFi) liquidity provider Balancer Pool admitted early Monday morning it had fallen victim to a sophisticated hack that exploited a loophole, tricking the protocol into releasing $500,000 worth of tokens.

In a blog post, Balancer CTO Mike McDonald said the attacker had borrowed $23 million worth of WETH tokens, an ether-backed token suitable for DeFi trading, in a flash loan from dYdX. They then traded, against themselves, with Statera (STA), an investment token that uses a transfer fee model and burns 1% of its value every time it's traded.

The attacker went between WETH and STA 24 times, draining the STA liquidity pool until the balance was next to nothing. Because Balancer thought it had the same amount of STA, it released WETH that equated to the original balance, giving the attacker a larger margin for every trade completed.

As well as WETH, the attacker performed the same attack using WBTC, LINK and SNX, all against Statera tokens.

The hacker's identity remains a mystery but analysts at 1inch exchange, a decentralized exchange aggregator, said the hacker had covered their tracks well: The ether used to pay transaction fees and deploy smart contracts was laundered through Tornado Cash, an Ethereum-based mixer service.

"The person behind this attack was [a] very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols," 1inch said in its blog post on the breach.

For its part, the team behind Statera batted away accusations that the protocol had either failed or been designed intentionally for this sort of attack to take place.

"We deeply regret, apologize and sincerely extend our condolences to all the victims of this attack," Statera said in an official announcement.

The project added that it was not in a position to be able to refund the attacker's victims.

Balancer Pool will now begin blacklisting all transfer fee tokens, including Statera, McDonald said. As well as another audit, McDonald said the team would do more research into how the hack happened and whether similar vulnerabilities exist with other listed tokens.

The attack could not have come at a worse time for Balancer, which only released its own "BAL" governance token last week.

At press time, CoinGecko data shows BAL tokens trading at the $11 mark, down about 5% in the past 24 hours.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Read more about