Balancer – a leading automated asset management and liquidity platform – suffered a setback yesterday afternoon as ~$500k worth of collateral was drained from two pools that used deflationary tokens.

Deflationary tokens – those whose supply shrinks according to a predefined rule – opened up vectors for pool weighting imbalances when combined with Flash Loans. In this specific instance, two pools containing STA and STONK tokens were used as an attack vector to siphon out the additional collateral held in each of the respective pools.

Using Statera (STA) as an example, 1% of each transfer is burned, meaning a large flash loan gave the attacker the ability to deflate the STA supply faster than the Balancer pool smart contract could account for. Seeing as the affected pool also contained DeFi tokens like WETH, LINK, SNX and WBTC, the hacker was able to use the mismatched STA balance to make off with all the underlying collateral to this address.

Here’s a good synthesis of exactly how this happened.

Shortly thereafter, the same principle was applied to a second pool containing a deflationary token called STONK.
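The accounting mismatch behind both incidents, as a simplified added example (not Balancer's BPool code): a pool that credits its own ledger with the amount it *asked* for, rather than the amount a burn-on-transfer token actually delivered, drifts away from its real holdings on every transfer, and that drift is what mis-prices the other assets in the pool. The token, pool and "lp" holder below are constructed for the illustration; the hardened variant credits only the measured balance change.

```python
from typing import Tuple

class FeeOnTransferToken:
    """Toy ERC20 that burns 1% of every transfer, mirroring STA's deflation rule."""
    def __init__(self, supply: int, holder: str, fee_bps: int = 100):
        self.balances = {holder: supply}
        self.fee_bps = fee_bps  # 100 bps = 1% burned per transfer

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def transfer(self, src: str, dst: str, amount: int) -> None:
        assert self.balances.get(src, 0) >= amount, "insufficient balance"
        burned = amount * self.fee_bps // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount - burned

class Pool:
    """Pool that keeps its own record of how much of the token it holds (constructed model)."""
    def __init__(self, token: FeeOnTransferToken):
        self.token = token
        self.recorded = 0  # what the pool *believes* it holds

    def join_naive(self, depositor: str, amount: int) -> None:
        # Weak pattern: credit the requested amount without checking what arrived.
        self.token.transfer(depositor, "pool", amount)
        self.recorded += amount

    def join_checked(self, depositor: str, amount: int) -> int:
        # Hardened pattern: credit only the measured change in the real balance.
        before = self.token.balance_of("pool")
        self.token.transfer(depositor, "pool", amount)
        received = self.token.balance_of("pool") - before
        self.recorded += received
        return received

    def drift(self) -> int:
        """Ledger minus real balance; anything non-zero means the pool is mis-priced."""
        return self.recorded - self.token.balance_of("pool")

def demo() -> Tuple[int, int]:
    """Deposit 100_000 STA into a naive and a checked pool and compare their drift."""
    naive = Pool(FeeOnTransferToken(supply=1_000_000, holder="lp"))
    naive.join_naive("lp", 100_000)      # ledger 100_000, pool really holds 99_000
    checked = Pool(FeeOnTransferToken(supply=1_000_000, holder="lp"))
    checked.join_checked("lp", 100_000)  # ledger 99_000, matches reality
    return naive.drift(), checked.drift()
```

Every further transfer through the naive pool widens the gap, which is why a flash loan that cycles the same tokens many times in one transaction was enough to empty it.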

All in all, the hacker was able to make off with nearly $500k in collateral including $134k worth of ETH, $100k worth of LINK, $112k worth of SNX and $103k worth of WBTC.

To ensure this doesn’t happen again, Balancer will be adding transfer fee tokens (like STA and STONK) to the UI blacklist, similarly to what they have done for tokens whose transfer function does not return a bool.

Balancer Responds

To the surprise of many, the Balancer team decided to reimburse those affected by the hack despite numerous warnings that pools with modified ERC20 tokens should also be approached with caution.

This response came in tandem with some very *bold* claims from those affected – including many who wanted to sue Balancer for what happened.


Now, given the permissionless nature of Balancer, this is quite laughable. However, many have equated this to MakerDAO’s Black Thursday victims suing for their loss of funds. To add my two gwei, Keepers colluding to act maliciously regarding retail Vault liquidations with ETH collateral is drastically different from someone entering a pool which contains a token called STONK but hey – who am I to judge.

The community now seems to be divided about whether or not Balancer made a good call reimbursing those who were affected. Many were quick to suggest not reimbursing the incident sets the precedent that users need to be more cautious about the pools they’re entering and that this “hard lesson” will keep players more conservative when entering into token positions which promise insane returns.

On the flip side, others have commended Balancer for stepping up to address an issue they did not *have* to and largely view this as a strong step of further battle hardening one of the fastest-growing DeFi products on the market.

Regardless of where you fall on this end of the spectrum, this issue raises some interesting questions regarding distributed governance and the implications of liquidity mining incentives.

Shipping on Overdrive

While anyone who was farming BAL in the early weeks can attest to how lucrative the rewards were, there’s no denying that these incentives have invited a slew of rogue actors to find different ways to take advantage of retail farmers. Citing the recent FTX gaming as an example, high incentives invite others to game the system, and this model seems to be a continuous theme with the latest incident of actors stepping in to siphon unclaimed COMP from cToken-based Balancer Pools.

On the decision side of things, we have now seen two incidents in which the Balancer Team was forced to take a stance that did not receive onchain resolution from BAL tokenholders. While we are fully aware that formal onchain governance parameters are not yet available, it goes to show that governance systems are becoming increasingly important and should definitely be prioritized when high stakes and the distribution of decision-making power are at play.

If one thing is for sure, Balancer is reaching a crucial tipping point where their protocol’s reputation is in jeopardy. Luckily, the project is backed by a strong community of talented yield farmers who have a vested interest in seeing it succeed in the long-term.

While the team continues to juggle the changing rollercoaster ride that was introduced with the distribution of BAL, this story is yet another signal that DeFi is as alive as ever and that there’s more than enough exciting news to keep you entertained.

In the meantime, be sure to stay up with Balancer on Twitter or by joining the conversation on Discord.
