On the incident with non-standard ERC20 deflationary tokens today.https://t.co/xgYxBTDVvK
— Balancer Labs (@BalancerLabs) June 29, 2020
Deflationary tokens – or those who’s supply is reduced due to a predefined parameter – opened up vectors for pool weighting imbalances when using Flash Loans. In this specific instance, two pools containing STA and STONK tokens were used as an attack vector to siphon out the additional collateral held in each of the respective pools.
Using Statera (STA) as an example, 1% of each transaction is used to burn the token, meaning a large flash loan gave the attacker the ability to rapidly deflate the STA supply relative to what the Balancer pool smart contract was able to remedy. Seeing as the affected pool also contained DeFi tokens like WETH, LINK, SNX and WBTC, the hacker was able to use the modified STA balance and make off with all the underlying collateral to this address.
Here’s a good synthesis of exactly how this happened.
1. dYdX flash loan for 104k $wETH
2. Swap $wETH for $STA 24 times, draining the $STA balance from the pool
3. Swap 1 weiSTA to $wETH multiple times, bug in $STA transfers pool never receives STA but relases wETH
4. Repay 104k wETH flashloan.
— John Wineman (@johnwineman) June 29, 2020
Shortly thereafter, the same principle was applied to a second pool containing a deflationary token called STONK.
All in all, the hacker was able to make off with nearly $500k in collateral including $134k worth of ETH, $100k worth of LINK, $112k worth of SNX and $103k worth of WBTC.
To ensure this doesn’t happen again, Balancer will be adding transfer fee tokens (like STA and STONK) to the UI blacklist similarly to what they have done for no bool transfer tokens.
To the surprise of many, the Balancer team decided to reimburse those affected by the hack despite numerous warnings that pools with modified ERC20 tokens should also be approached with caution.
After thorough discussions with the community, the Balancer Labs team decided that it will fully reimburse all the liquidity providers who lost funds in the attack of yesterday. We will also pay out the highest bug bounty available for @Hex_Capital
More details on the…
— Balancer Labs (@BalancerLabs) June 29, 2020
This response came in tandem with some very *bold* claims from those affected – including many who wanted to sue Balancer for what happened.
Everyone cares about decentralization and permissionlessness until they lose money. pic.twitter.com/uXMZ2bbnp8
— Steven (@Dogetoshi) June 28, 2020
Now, given the permissionless nature of Balancer, this is quite laughable. However, many have equated this to MakerDAO’s Black Thursday victims suing for their lose of funds. To add my two gwei, Keepers colluding to act maliciously regarding retail Vault liquidations with ETH collateral is drastically different from someone entering a pool which contains a token called STONK but hey – who am I to judge.
The community now seems to be divided about whether or not Balancer made a good call reimbursing those who were affected. Many were quick to suggest not reimbursing the incident sets the precedent that users need to be more cautious about the pools they’re entering and that this “hard lesson” will keep players more conservative when entering into token positions which promise insane returns.
I also don’t think they should have refunded. Sets all kinds of weird incentives. But 100% agree with the bounty payout
— Larry Cermak (@lawmaster) June 29, 2020
On the flip side, others have commended Balancer for stepping up to address an issue they did not *have* to and largely view this as a strong step of further battle hardening one of the fastest-growing DeFi products on the market.
Balancer refunding the LPs that got drained today is probably a good move in the long term.
It shows that while they didn't act hastily enough to protect users from adding liquidity to pools with deflationary tokens, they are taking responsibility. Good move @BalancerLabs
— scoopy trooples (@scupytrooples) June 29, 2020
Regardless of where you fall on this end of the spectrum, this issue raises some interesting questions regarding distributed governance and the implications of liquidity mining incentives.
Shipping on Overdrive
While anyone who was farming BAL in the early weeks can attest to how lucrative the rewards were, there’s no denying that these incentives have invited a slew of rouge actors to find different ways to take advantage of retail farmers. Citing the recent FTX gaming as an example, high incentives invite others to game the system, and this model seems to be a continuous theme with the latest incident of actors stepping in the siphon unclaimed COMP from cToken-based Balancer Pools.
Apparently this happened an hour ago, someone used dydx flashloan(again) and drained unclaimed COMP in several balancer pool, making 10.8 ETH profit in the process. Thread incoming. pic.twitter.com/TeJZZSSycE
— Hao (@frenzy_hao) June 29, 2020
On the decision side of things, we have now seen two incidents in which the Balancer Team was forced to take a stance that did not receive onchain resolution from BAL tokenholders. While we are fully aware that formal onchain governance parameters are not yet available, it does go to say that governance systems are becoming increasingly more important and should definitely be prioritized when high stakes and decentralization distribution are at play.
If only there was a token that allowed your community to express what they want 🤔 pic.twitter.com/NSQBaxeU3Z
— Lasse Clausen (@lalleclausen) June 29, 2020
If one thing is for sure, Balancer is reaching a crucial tipping point where their protocol’s reputation is in jeopardy. Luckily, the project is backed by a strong community of talented yield farmers who have a vested interest in seeing it succeed in the long-term.
While the team continues to juggle the changing rollercoaster ride that was introduced with the distribution of BAL, this story is yet another signal that DeFi is as alive as ever and that there’s more than enough exciting news to keep you entertained.
Cooper is the Editor of DeFi Rate and an active contributor to leading DeFi media outlets like The Defiant, DeFi Pulse, and Bankless. He works with early-stage teams through Fire Eyes DAO to incubate governance models and grassroots community development. He is an ambassador to Set Protocol and an author of a weekly publication called Token Tuesdays. To stay up with Cooper, follow him on Twitter.