Was the DeFi Protocol Aware of the Issue?

Endy Callahan

Many participants have already heard about the spat between the STA team and the Balancer team. We also know about the five-hundred-thousand-USD hack, and, according to crypto analysts, the DeFi protocol knew about the issue and was well aware of the weaknesses involved.

The automated market maker protocol has suffered another attack: hackers stole around five hundred thousand USD, all in a single Ethereum transaction. Specialists note that a dYdX flash loan facilitated it once again. Exchange teams and other professionals who analyzed the incident found that the transaction was carefully crafted and consumed over eight million gas, roughly two-thirds of an Ethereum block.

The hackers took the stolen value in Ether, Wrapped Bitcoin, Synthetix and Chainlink tokens. It is now clear that attackers can take advantage of programmed token burns. Last Sunday's transaction started with a flash loan from dYdX of one hundred and four thousand ETH, roughly twenty-three million USD at the time.

Statera (STA) was the token the exploit relied on. It is a deflationary token: one percent of every transfer is automatically burned. Balancer's pool contracts, however, did not account for this and assumed that each transfer delivered the full nominal amount.

The attacker used this by swapping back and forth between Ether and Statera; analysts counted twenty-four swaps in total. Each time, the STA actually held by the pool contract shrank by one percent, but the pool's internal accounting did not register the loss. As a result, the pool kept quoting a stable price even as its real supply of STA vanished.

Security Practices Are Far from Perfect

Balancer disclosed that at the end of this process the attacker called a function that updates the pool's price from its effective (real) balance. Since the pool's real STA holdings were almost empty by then, STA was immediately valued at a significant premium.

Experts explain that the attacker then used so-called 'weiSTA', one quintillionth (10^-18) of a token, to swap for the other assets in the pool: SNX, LINK, WBTC and ETH. Because of the burn mechanism, a weiSTA transfer delivered nothing to the pool, so each swap cost the attacker practically no STA; that is what allowed the trade to be repeated many times until the pool was emptied. The attacker also acquired Balancer Pool tokens with part of the proceeds and later cashed them out to ETH through Uniswap.
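The accounting flaw described above (the round-trip swaps that drain the real balance, the price update from the effective balance, and the weiSTA step), as an added toy simulation that is not Balancer's or Statera's code: a two-asset constant-product pool in two variants, one that credits whatever a trader nominally sends and one that credits the measured change in its own balance. The token symbols, the party names ("lp", "attacker"), the amounts (100 ETH and 10,000 STA in the pool, a 1,000,000 ETH balance standing in for the flash loan), the round-up burn rounding, and the absence of swap fees and ratio caps are all assumptions made for the illustration.

```python
"""Constructed toy model of a constant-product pool that prices trades from an internal
balance record while one asset burns 1% of every transfer. Not Balancer's or Statera's
code; symbols, party names and amounts are made up. Amounts are integers in wei-like units."""

WAD = 10**18  # one whole token
POOL = "pool"


def ceil_div(a, b):
    return -(-a // b)


class Token:
    """Minimal ERC-20-style ledger. burn_bps=100 models a 1%-burn-on-transfer token."""
    def __init__(self, burn_bps=0):
        self.burn_bps, self.balances = burn_bps, {}
    def mint(self, who, amount):
        self.balances[who] = self.balance_of(who) + amount
    def balance_of(self, who):
        return self.balances.get(who, 0)
    def transfer(self, sender, recipient, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("transfer reverted: insufficient balance")
        # Assumption: the burn rounds up, so a 1-wei transfer burns that wei entirely and
        # delivers nothing; this reproduces the 'weiSTA' behaviour the text describes.
        burn = ceil_div(amount * self.burn_bps, 10_000)
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount - burn


class Pool:
    """Equal-weight x*y=k pool, no fee, no ratio caps. trust_nominal=True credits what the
    trader nominally sent (the flaw); False credits the measured balance change (the fix)."""
    def __init__(self, tokens, trust_nominal):
        self.tokens, self.trust_nominal = tokens, trust_nominal
        self.record = {sym: 0 for sym in tokens}  # balances the pool *believes* it holds
    def actual(self, sym):
        return self.tokens[sym].balance_of(POOL)
    def shortfall(self, sym):  # how much more the pool thinks it holds than it really does
        return self.record[sym] - self.actual(sym)
    def _other(self, sym):
        return "STA" if sym == "ETH" else "ETH"
    def _pull(self, who, sym, amount):
        before = self.actual(sym)
        self.tokens[sym].transfer(who, POOL, amount)
        credited = amount if self.trust_nominal else self.actual(sym) - before
        self.record[sym] += credited
        return credited
    def _push(self, who, sym, amount):
        self.record[sym] -= amount
        self.tokens[sym].transfer(POOL, who, amount)  # reverts if the pool is really short
    def provide(self, lp, amounts):
        for sym, amount in amounts.items():
            self._pull(lp, sym, amount)
    def swap_exact_in(self, trader, sym_in, amount_in):
        sym_out = self._other(sym_in)
        r_in, r_out = self.record[sym_in], self.record[sym_out]
        credited = self._pull(trader, sym_in, amount_in)
        amount_out = r_out * credited // (r_in + credited)
        self._push(trader, sym_out, amount_out)
        return amount_out
    def in_given_out(self, sym_out, amount_out):
        r_in, r_out = self.record[self._other(sym_out)], self.record[sym_out]
        return ceil_div(r_in * amount_out, r_out - amount_out)
    def swap_exact_out(self, trader, sym_out, amount_out):
        amount_in = self.in_given_out(sym_out, amount_out)
        if self._pull(trader, self._other(sym_out), amount_in) < amount_in:
            raise ValueError("swap reverted: less arrived than the price requires")
        self._push(trader, sym_out, amount_out)
        return amount_in
    def sync(self):  # the 'update the price from the effective balance' feature
        for sym in self.record:
            self.record[sym] = self.actual(sym)


def build(trust_nominal):
    """Constructed scenario: an LP seeds 100 ETH + 10,000 STA; the attacker holds
    1,000,000 ETH (standing in for the flash loan) and no STA."""
    eth, sta = Token(burn_bps=0), Token(burn_bps=100)
    eth.mint("lp", 100 * WAD)
    sta.mint("lp", 10_000 * WAD)
    eth.mint("attacker", 1_000_000 * WAD)
    pool = Pool({"ETH": eth, "STA": sta}, trust_nominal)
    pool.provide("lp", {"ETH": 100 * WAD, "STA": 10_000 * WAD})
    return pool


def round_trips(pool, attacker, rounds, leave_wei):
    """ETH -> STA -> ETH repeatedly, each time buying all of the pool's *real* STA except
    leave_wei. Both STA legs burn 1%, so real STA shrinks faster than a trusting record."""
    sta = pool.tokens["STA"]
    for _ in range(rounds):
        pool.swap_exact_out(attacker, "STA", pool.actual("STA") - leave_wei)
        pool.swap_exact_in(attacker, "STA", sta.balance_of(attacker))


def wei_swaps(pool, attacker, n):
    """Sell 1 weiSTA n times. A trusting pool credits each wei although the burn swallows
    it, so its real STA never grows and every swap keeps paying out ETH."""
    return [pool.swap_exact_in(attacker, "STA", 1) for _ in range(n)]
```

In the trusting pool the record overstates the real STA balance from the first deposit onward, and every STA sold back into the pool widens the gap by one percent of the nominal amount. The gap is what makes the final drain affordable: buying all but one wei of the real STA costs roughly the ETH record multiplied by the real balance and divided by the gap, a few thousand ETH in this scenario, whereas in the delta-accounting pool the same purchase would cost more ETH than exists. After the price update resets the record to one wei, each one-wei STA swap takes a large share of the remaining ETH, and because the burn swallows the wei, the pool's real STA stays at one wei while its record only climbs by one wei per swap. Crediting the measured balance change instead of the nominal amount removes the whole chain: the record never drifts, the price update becomes a no-op, and a weiSTA swap pays nothing.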

All this leads some crypto market analysts to believe that the Balancer team never paid enough attention to a bug report submitted about two months ago, and security researchers now blame the team for the incident. The company's representatives confirm that they received the report but say the issue it described was practically unexploitable at the time. They also argue that flash loans are largely to blame for what happened.

Specialists counter that any vulnerability becomes exploitable once an attacker has access to massive funds, which is exactly what a flash loan provides. Journalists who contacted the company for comment report that its representatives now admit they should have dealt with the issue in due time.