"We were not aware this specific type of attack was possible."
Decentralized finance (DeFi) liquidity provider Balancer Pool admitted early Monday morning it had fallen victim to a sophisticated hack that exploited a loophole, tricking the protocol into releasing $500,000 worth of tokens.
In a blog post, Balancer CTO Mike McDonald said the attacker had borrowed $23 million worth of WETH tokens, an ether-backed token suitable for DeFi trading, in a flash loan from dYdX. They then traded, against themselves, with Statera (STA), an investment token that uses a transfer fee model and burns 1% of its value every time it's traded.
The attacker went between WETH and STA 24 times, draining the STA liquidity pool until the balance was next to nothing. Because Balancer thought it had the same amount of STA, it released WETH that equated to the original balance, giving the attacker a larger margin for every trade completed.
As well as WETH, the attacker performed the same attack using WBTC, LINK and SNX, all against Statera tokens.
The hacker's identity remains a mystery but analysts at 1inch exchange, a decentralized exchange aggregator, said the hacker had covered their tracks well: The ether used to pay transaction fees and deploy smart contracts was laundered through Tornado Cash, an Ethereum-based mixer service.
"The person behind this attack was [a] very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols," 1inch said in its blog post on the breach.
For its part, the team behind Statera batted away accusations that the protocol had either failed or been designed intentionally for this sort of attack to take place.
"We deeply regret, apologize and sincerely extend our condolences to all the victims of this attack," Statera said in an official announcement.
The project added that it was not in a position to be able to refund the attacker's victims.
Balancer Pool will now begin blacklisting all transfer fee tokens, including Statera, McDonald said. As well as another audit, McDonald said the team would do more research into how the hack happened and whether similar vulnerabilities exist with other listed tokens.
The attack could not have come at a worse time for Balancer, which only released its own "BAL" governance token last week.
At press time, CoinGecko data shows BAL tokens trading at the $11 mark, down about 5% in the past 24 hours.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.