Deflationary tokens STA and STONK made the attack possible. This is the third DeFi platform that has received attacks until now in 2020.
Last June 28th, a hacker managed to steal USD 450,000 from two multi-token pools on the DeFi Balancer platform. The attacker took advantage of an exploit, which the deflationary tokens STA and STONK provided, to empty the content of the pools, in just two transactions. These operations occurred at 06:03 PM UTC, and at 06:49 PM UTC, respectively.
The attacker reportedly saw an attack vector to drain balances on the DeFi platform in conjunction with the Balancer model and the availability of deflationary tokens in its pools. The supply of these tokens decreases over time and is therefore limited.
The decentralized exchange (DEX) aggregator, 1inch, gave an account of the attack. They explained that the hacker “used a smart contract to automate multiple actions in a single transaction” when stealing the funds.
Anatomy of Attack
First, the attacker obtained a FlashLoan from DEX dYdX for 104,000 WETH, which he traded for STA tokens and returned to WETH twenty-four times in increasing amounts. In each exchange, STA has a transfer fee and the pool expects to receive a balance with no fee. This finally drained the STA balance of the pool, in which only 1 weiSTA (0.000000000000000001 STA) remained.
Given that the STA balance was close to zero, its price compared to other tokens increased dramatically. This allowed the attacker to exchange STA for other tokens in the pool at a very low price.
In that sense, the second step was to change the excess weiSTA to WETH multiple times. Due to the implementation of transfer fees for STA, the pool never received the STA token even though it released WETH. The hacker repeated this same procedure to drain the WBTC, SNX, and LINK balances from the pool.
As last the steps, the attacker paid for the FlashLoan that came from dYdX. He deposited some weiSTA in the Balancer pool, traded the tokens for 136,000 STA that he received as an incentive from the Balancer platform through the DEX Uniswap V2, and finally traded those STA for 109 WETH. It is possible to see the funds drained at this address.
Balancer and Attacks on DeFi Platform
The complexity of the procedure leads to the intuition that the attacker is a great connoisseur of yield farming and DeFi platforms. He used the private transaction tool, Tornado Cash, on Ethereum to obtain the initial funds. Therefore, it is unlikely to find the attacker’s identity and the origin of initial ethers.
Mike McDonald, Balancer Labs Co-founder, himself admitted that they were unaware of the possibility of conducting an attack like this. However, they have warned of the collateral risks of ERC20 with transfer fees such as STA and STONK. As Balancer is a permissionless protocol, McDonald states that it is possible to add any malicious or poorly designed token to protocol contracts without them having control over it.
Although so-called yield farming has proven to be quite lucrative for some, the DeFi platforms that make it possible have not stopped showing risks. In addition to the attacks on bZx and Lendf.Me, Balancer would be the third DeFi platform attacked so far in 2020.
Users have also noted the risks, at least of these transfer fee tokens. At the time of writing this article, Statera’s STA token has dropped by 71.8%, trading at USD 0.01293. Meanwhile, STONK fell by 28.2% to USD 0.00994, according to data from CoinGecko.
By Alexander Salazar