- A DeFi hack has seen $500,000 worth of cryptocurrencies stolen by a hacker who manipulated the Balancer DeFi system
- The attacker used a 5-step process of interlinked transactions to steal the funds
- Developers are fighting to stay ahead of hackers
$500,000 worth of cryptocurrencies have been stolen from the Balancer platform in a DeFi hack after two pools were drained of their funds. Wrapped Ethereum (WETH), Wrapped Bitcoin (WBTC), Synthetix, and Chainlink tokens amounting to half a million dollars were stolen when the ‘hacker’ gamed the DeFi system and used its protocols against itself, once more outlining the security vulnerabilities within the DeFi space.
Apparently someone drained a Balancer Pool made up of WETH and STA and got away with $500k worth of WETH. pic.twitter.com/SKshyDXagi
— Steven (@Dogetoshi) June 28, 2020
Five Step DeFi Hack Shows Incredible Planning
This DeFi hack was similar in many ways to other such hacks on DeFi platforms, in that the attacker had carefully worked out a combination of successive actions that would result in his desired objective. According to decentralized exchange aggregator 1inch, in order to drain the Balancer pools the attacker:
- Obtained a FlashLoan of 104,000 WETH from dYdX, using Tornado Cash to hide the source of the funds
- Swapped WETH to Statera (STA) tokens back and forth 24 times, draining the STA balance due to the mechanics of the pool, until there was 1 weiSTA remaining (equivalent to 1 satoshi in Bitcoin terms)
- Swapped the 1 weiSTA to WETH multiple times, knowing that the pool would release the WETH without having to first receive the STA
- Repaid the FlashLoan of 104,000 WETH to dYdX
- Rapidly increased his share in the Balancer Pool by depositing a few weiSTAs, then swapped the collected Balancer Pool tokens into 136k STA via Uniswap V2. Then he swapped 136k STA to 109 WETH again.
In the words of 1inch, the attacker was clearly a “very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols.” The amount of planning required and the knowledge of the systems suggests that someone on the inside of the DeFi space could have been responsible.
Developers Fighting to Stay One Step Ahead
This hack is far from the first in the space and is reminiscent of the hacks on the bZx and imBTC platforms earlier this year. The reliance on smart contracts means that DeFi companies and their customers need to rely on the developers being smarter than the hackers and considering every possible manipulation of the interlinking series of apps and cryptocurrencies.
Given the amount of apps out there and the thousands of ways they can interact with each other this is almost an impossibility, meaning that a hacker who is determined and clever enough will usually find a way to game the system and perform a successful DeFi hack.