
New Defi Exploit - Balancer

Written by zenthereum
4 months ago (Last updated: 3 months ago)

In an article I posted two days ago (link) I discussed what I see as the dangers in DeFi and why I consider it a high-risk investment.

Basically, I explained what I see as red flags and the reasons why we should be wary of getting involved in this craziness. @Read.Cash replied to my post and was spot on in pointing out that more hacks will certainly happen and that these smart contracts will be exploited.

The first DeFi exploit in a while happened today on Balancer. It was a relatively small amount, a mere $500,000, and it didn't create a domino effect, but it still gives a clear indication of why this market is immature and should be considered high risk.

This is the address of the "hacker", who didn't actually hack anything but simply exploited a weakness in the smart contract, and below are some comments made by possible victims of their actions:

Source: Etherscan

What the attacker did was take advantage of a flash loan and drained a "liquidity pool" with a complex transaction that required more than 300 token transfers but only ~$50 in fees.

Balancer drained pool (link)

Most of us have heard of deflationary coins. These coins have a few lines of Solidity code whose basic function is to deflate the supply by a certain percentage every time they are moved on the blockchain. For coins such as Bomb, Burn, etc., once they are moved, a certain share of them (e.g. 1%) is burned (sent to the 0x000... Ethereum address) and the total amount of tokens is reduced.

What the attacker did was abuse a loophole in Balancer's smart contract that wasn't accounting for the deflationary effect of a token called Statera (STA). The Balancer smart contract was acting as if no coins were burned on each transaction, so the balance it kept in its own books drifted away from the balance it actually held.
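To make the accounting mistake concrete, here is an added illustration in Solidity; it is not Balancer's code, not the author's, and not a reproduction of the STA contract. It uses a constructed toy token that burns 1% of every transfer, a hypothetical pool (NaiveDepositPool) that credits the nominal amount it was told to expect, and a hypothetical hardened pool (SafeDepositPool) that credits only what actually arrived by measuring its own balance before and after the transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface the pools below need (assumed, not Balancer's interface).
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Constructed toy deflationary token: 1% of every transfer is destroyed in transit.
contract BurnOnTransferToken is IERC20 {
    mapping(address => uint256) public override balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public totalSupply;
    uint256 public constant BURN_BPS = 100; // 1% expressed in basis points

    constructor(uint256 supply) {
        totalSupply = supply;
        balanceOf[msg.sender] = supply;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        require(allowance[from][msg.sender] >= amount, "allowance");
        require(balanceOf[from] >= amount, "balance");
        allowance[from][msg.sender] -= amount;
        uint256 burn = (amount * BURN_BPS) / 10000;
        balanceOf[from] -= amount;          // sender loses the full amount
        balanceOf[to] += amount - burn;     // recipient receives only 99%
        totalSupply -= burn;                // the 1% is gone for good
        return true;
    }
}

// Hypothetical pool that trusts the caller-supplied amount (the unsafe pattern).
contract NaiveDepositPool {
    IERC20 public immutable token;
    uint256 public recordedBalance; // the pool's own ledger of what it thinks it holds

    constructor(IERC20 t) { token = t; }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        recordedBalance += amount; // wrong: credits tokens that were burned in transit
    }

    // Returns false as soon as one deflationary deposit has happened.
    function ledgerMatchesReality() external view returns (bool) {
        return recordedBalance == token.balanceOf(address(this));
    }
}

// Hypothetical hardened pool: credit only the measured change in balance.
contract SafeDepositPool {
    IERC20 public immutable token;
    uint256 public recordedBalance;

    constructor(IERC20 t) { token = t; }

    function deposit(uint256 amount) external returns (uint256 received) {
        uint256 before = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        received = token.balanceOf(address(this)) - before; // what actually landed
        recordedBalance += received;
    }

    // Stays true regardless of how much the token burns on transfer.
    function ledgerMatchesReality() external view returns (bool) {
        return recordedBalance == token.balanceOf(address(this));
    }
}
```

With the toy token, a single deposit of 1000 leaves NaiveDepositPool recording 1000 while holding 990, and the gap widens with every further transfer; any price or withdrawal logic built on `recordedBalance` is then working from a number that is higher than the tokens the pool can actually pay out. SafeDepositPool records 990, so its ledger and its real holdings never diverge. Measuring the balance delta around the transfer is the standard mitigation for fee-on-transfer and deflationary tokens; the other option, which the post says Balancer chose, is simply not to list such tokens at all.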

It is easy to exploit once spotted, and there are people online who do this sort of thing for a living. I'm not sure this can be counted as a hack either, as there was no breach of any system. It was more like bug abuse. The "attack" was complex, and all the steps and transactions involved are described at this link.

Balancer announced the incident in this Medium post, and it seems they decided to remove deflationary tokens to avoid similar exploits on their platform.

Source: Twitter

While $500,000 may not be enough to destabilize the DeFi market, it proves that the current state of DeFi is weak and easy to exploit. There are people with enough experience and technical knowledge to perform similar actions on all DeFi platforms. I'm not happy about being proven correct, but I think the amount extracted with this exploit will be nothing compared to what is coming.

Reposted on Uptrennd



Comments

Great article with detailed explanation.. keep uploading more .... let's subscribe to each other

$ 0.00
2 months ago

Great article and explanation. These design issues are definite problems. Either "hacker" customers exploit a loophole, or a hacker hacks the smart contract, or an inside job whereby there is some kind of backdoor to the contract from the start. Most people can't read the smart contract.

$ 0.00
3 months ago

It is supposed to be that the code is audited by Ethereum developers, and we have to trust them at their word. We can only hope that these audits are correct, and we've seen past cases such as the Oyster Protocol having code allowing the dev to mint more coins and exit scam. As 99,99% and maybe more of the users have no coding experience, we trust others. So there goes the trustlessness of the system.

$ 0.00
3 months ago

Yep. That said, there are some terrific projects that have proven themselves.

$ 0.00
3 months ago

Great post

$ 0.00
3 months ago