Two multi-token swimming pools on Balancer, an automatic market maker protocol, have been drained of ~$450,000 on June 29 by an attacker that particularly focused swimming pools containing the so-called deflationary tokens.
The hacker carried out the assault in two separate transactions — one befell at 6:03 pm and the second one 30 minutes later 06:49 pm. Solely swimming pools with STA and STONK, deflationary tokens with switch charges, have been affected by this exploit.
The attacker acquired a $23 million flash mortgage of ETH from dYdX, transformed it to WETH, and began swapping WETH to STA forwards and backwards — they repeated this 24 instances. This allowed them to empty the STA stability within the pool all the best way to 0.000000000000000001 STA as 1% transaction price was subtracted on every commerce. The STA stability was near zero, which allowed the attacker to swap it for different property within the pool very cheaply.
The attacker drained 601.three ETH (~$134.8k), 11.36 WBTC (~$103.5k), 22,593 LINK (~$102.8k), and 60,915 SNX (~$110.9k). In complete, the attacker acquired entry to about $452,000.
DEX Aggregator 1inch stated of their writeup that the attacker was “very refined good contract engineer with intensive data and understanding of the main DeFi protocols.” The ETH that was used to deploy the good contracts was combined via Twister Money to cover the supply.
Balancer stated that they weren’t conscious this particular kind of assault was attainable however allegedly warned concerning the unintended results of deflationary tokens with switch charges. It vouched to start including deflationary tokens to the UI blacklist equally to what they’ve already completed for no bool switch tokens. The protocol added that it has already undergone two full audits and has had a 3rd one deliberate.
That is the fifth high-profile assault on Open Finance protocols. The primary two occurred on February 15 as attackers drained the lending protocol bZx of greater than $1 million. In April, the dForce protocol was drained of $25 million however the whole quantity was returned by the attacker for nonetheless unknown causes.
© 2020 The Block Crypto, Inc. All Rights Reserved. This text is offered for informational functions solely. It’s not provided or supposed for use as authorized, tax, funding, monetary, or different recommendation.