The Balancer DeFit protocol hacked twice within 24 hours, as first, it suffered a $500,000 attack, where the second attack claimed about $2,300 worth of Compound tokens (COMP).
It has been reported that Hao, an engineer at DeBank, tweeted that an attacker was able to fool the Balancer system into thinking he was owed a significant portion of the COMP tokens stored in the decentralized exchange’s pool.
Apparently this happened an hour ago, someone used dydx flashloan(again) and drained unclaimed COMP in several balancer pool, making 10.8 ETH profit in the process. Thread incoming. pic.twitter.com/TeJZZSSycE — Hao (@frenzy_hao) June 29, 2020
However, the attack involved flash loans from both dYdX and Uniswap, as the hacker loaned more than $33 million that was used to generate cTokens representing ownership in a Compound pool.
The attacker transferred the cTokens to a Balancer pool. This triggered Compound into distributing the COMP accrued by the pool during its normal operation. The hacker then forced Balancer to update the pool’s balance, which at this point included all of the flash loaned money.
Likewise, the system believed that the hacker was entitled to a significant share of the pool’s COMP, despite not having held any money previously.
Balancer hacked again as a thief steals COMP tokens meant for its liquidity providers https://t.co/oR4BPf6hTu — Cointelegraph (@Cointelegraph) June 29, 2020
It has been analyzed that a call to withdraw the COMP and exchange it to ETH completed the hack, which netted a relatively small sum of about 10 COMP, worth $2,300.
Hao noted that the attack is similar to the $500,000 loss from earlier in the day. Like the first, this second attack relies on the peculiar way that Balancer manages its internal state.
Thus, the team has since pledged to make affected users whole, as they will also compensate a researcher who reported on the vulnerability in May.
After thorough discussions with the community, the Balancer Labs team decided that it will fully reimburse all the liquidity providers who lost funds in the attack of yesterday. We will also pay out the highest bug bounty available for @Hex_Capital More details on the… — Balancer Labs (@BalancerLabs) June 29, 2020