Balancer Suffers a Security Breach and Loses $100 Million in TVL 🚨

5uhB...Zmmt
25 Aug 2023

Balancer is a decentralized finance (DeFi) protocol that allows users to create and manage liquidity pools of different tokens. It also enables users to swap tokens, earn fees, and participate in governance.

However, Balancer has also been the target of several security breaches that have resulted in significant losses for its users and investors. The latest incident occurred on August 22, 2023, when Balancer discovered a critical vulnerability in its high-interest-paying boosted pools that could place tens of millions of dollars in crypto at risk. In this article, we will review some of the major security incidents that have affected Balancer and how they could have been prevented or mitigated.


The First Attack: A Flash Loan Exploit 💸

The first major attack on Balancer occurred on June 28, 2020, when an unknown hacker exploited a vulnerability in the protocol’s smart contracts and drained over $500,000 worth of tokens from two Balancer pools. The hacker used a flash loan technique, which allows borrowing a large amount of funds without collateral for a very short period of time, usually one transaction. The hacker borrowed 104,000 WETH (wrapped ether) from dYdX, a DeFi lending platform, and used it to manipulate the prices of STA and STONK tokens in two Balancer pools. The hacker then swapped the inflated tokens for WETH and paid back the flash loan, leaving the pools with a huge deficit.

The attack was possible because Balancer did not account for the deflationary nature of STA and STONK tokens, which burn a percentage of their supply with every transaction. This created an imbalance in the pool’s token ratios, which the hacker exploited to drain the funds. Balancer admitted that it was not aware of this vulnerability and that it did not audit the tokens that were added to its pools.
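The accounting mistake described above can be seen in a few lines of Solidity. The contract below is an added example, not Balancer's code: it contrasts a deposit that trusts the requested amount with one that credits only what actually arrived, which is what keeps a pool's recorded reserve consistent with a token that burns a percentage of every transfer. The `IERC20` subset, the contract name and the function names are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 subset needed for the illustration (assumption: the token has no transfer hooks).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Single-token reserve used only to contrast the two accounting styles.
contract ReservePool {
    IERC20 public immutable token;
    uint256 public recordedReserve; // what the pool believes it holds

    constructor(IERC20 _token) { token = _token; }

    /// Naive: trusts `amount`. A token that burns a percentage on every transfer
    /// delivers less than `amount`, so recordedReserve drifts above the real
    /// balance with each deposit. Pricing swaps on the recorded figure is the
    /// imbalance that a deflationary token turns into a loss for the pool.
    function depositNaive(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        recordedReserve += amount;
    }

    /// Measured: credit only the difference in the pool's own balance.
    function depositMeasured(uint256 amount) external returns (uint256 received) {
        uint256 before = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        received = token.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        recordedReserve += received;
    }

    /// Invariant a monitor, or a swap path, can check before pricing anything.
    function reserveMatchesBalance() external view returns (bool) {
        return recordedReserve == token.balanceOf(address(this));
    }
}
```

With a fee-on-transfer token, `reserveMatchesBalance()` returns false after a single `depositNaive` call and stays true across `depositMeasured` calls, which is the check an auditor of newly listed tokens would want to see enforced.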

The Second Attack: A Reentrancy Bug 🐛

The second major attack on Balancer occurred on July 28, 2020, when another unknown hacker exploited a reentrancy bug in the protocol’s smart contracts and stole over $2.5 million worth of tokens from a Balancer pool. The hacker used a flash loan technique similar to the previous attack, but this time borrowed 11 million WETH from dYdX and used it to swap WETH for STA tokens in a Balancer pool. The hacker then called the transfer function of the STA token contract multiple times, triggering a reentrancy bug that allowed the hacker to withdraw more WETH than they deposited. The hacker then swapped the stolen WETH for other tokens and paid back the flash loan, leaving the pool with almost no funds.

The attack was possible because Balancer did not implement proper checks and balances in its smart contracts to prevent reentrancy attacks, which occur when an external contract calls back into the calling contract before the initial function is completed. This allows the attacker to manipulate the state of the contract and withdraw more funds than they should. Balancer claimed that it had audited its contracts and that the reentrancy bug was not detected by any of the auditors.
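The ordering problem the paragraph describes, shown as an added Solidity example that is not Balancer's code: a vault whose external token call runs before its own bookkeeping, beside the same vault rewritten with checks-effects-interactions ordering and a mutex. The `IERC20` subset, contract and function names are assumptions for the illustration, and the scenario assumes a token whose transfer hands control to the recipient.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 subset for the illustration (assumption, not a specific token's interface).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// 'Before': the external call runs before the balance is zeroed. If the token
/// hands control to the recipient during transfer (a transfer hook), the recipient
/// can call withdrawAll() again while its balance is unchanged and get paid again.
contract VulnerableVault {
    IERC20 public immutable token;
    mapping(address => uint256) public balances;
    constructor(IERC20 _token) { token = _token; }
    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[msg.sender] += amount;
    }
    function withdrawAll() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        require(token.transfer(msg.sender, amount), "transfer failed"); // interaction first
        balances[msg.sender] = 0;                                        // effect last
    }
}

/// 'After': state is updated before the external call, and a mutex rejects any
/// nested call outright, so a re-entrant withdrawAll() reverts before reading state.
contract HardenedVault {
    IERC20 public immutable token;
    mapping(address => uint256) public balances;
    uint256 private locked = 1; // 1 = free, 2 = entered
    constructor(IERC20 _token) { token = _token; }
    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }
    function deposit(uint256 amount) external nonReentrant {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[msg.sender] += amount;
    }
    function withdrawAll() external nonReentrant {
        uint256 amount = balances[msg.sender];                           // check
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;                                        // effect
        require(token.transfer(msg.sender, amount), "transfer failed"); // interaction
    }
}
```

Either defence alone closes the hole; using both means a future refactor that reorders the lines does not silently reopen it.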

The Third Attack: A Bridge Exploit 🌉

The third major attack on Balancer occurred on June 24, 2021, when Harmony Network’s Horizon Bridge was exploited by an attacker who stole over $100 million worth of tokens from various DeFi protocols, including Balancer. The attacker used a complex scheme that involved creating fake tokens on Harmony Network, bridging them to Ethereum Network using Horizon Bridge, swapping them for real tokens on Uniswap and SushiSwap, depositing them into Balancer pools, withdrawing them as fake tokens using Horizon Bridge again, and repeating the process until draining all the funds.

The attack was possible because Horizon Bridge did not verify the validity of the tokens that were transferred between Harmony Network and Ethereum Network. This allowed the attacker to create counterfeit tokens that mimicked the real ones and tricked the DeFi protocols into accepting them as collateral or liquidity. Harmony Network admitted that it was responsible for the bridge exploit and that it had contacted the FBI to investigate the incident.

Balancer Depositors Pull Nearly $100M in Crypto After Vulnerability Warning

The latest incident occurred on August 22, 2023, when Balancer discovered a critical vulnerability in its high-interest-paying boosted pools that could place tens of millions of dollars in crypto at risk.
Balancer’s crisis response group activated and paused many pools to prevent their draining, but some pools could not be paused and were therefore at high risk. Balancer urged its customers to withdraw their tokens as soon as possible to secure their funds. Users responded quickly and withdrew nearly $100 million in crypto from Balancer within hours [1][2][3]. Balancer’s total value locked (TVL) dropped from over $850 million to around $750 million after the announcement.

The bug itself has not yet been made public, but Balancer expects to release a post mortem once things subside. They have already secured at least 80% of assets through the emergency actions. Investors in BAL, Balancer’s governance token, were spooked by the news and the token price dropped from $3.55 to $3.44 after the disclosure.

This is not the first time that Balancer has suffered a security breach. In June and July 2020, Balancer was attacked by hackers who exploited vulnerabilities in its smart contracts and drained over $3 million worth of tokens from its pools. Balancer claimed that it had audited its contracts and that the bugs were not detected by any of the auditors.

How to Prevent or Mitigate Security Breaches 🔒

The security breaches that have affected Balancer and other DeFi protocols highlight the importance of proper security measures and practices in the DeFi space. Some of the possible ways to prevent or mitigate security breaches are:

  • Conducting thorough audits of smart contracts and token contracts by reputable auditors before deploying them on mainnet or adding them to pools.
  • Implementing security mechanisms such as circuit breakers, timelocks, whitelists, blacklists, and emergency shutdowns to limit the damage or stop the attacks in case of a breach.
  • Educating users and investors about the risks and rewards of DeFi and encouraging them to do their own research and due diligence before participating in any DeFi protocol or pool.
  • Collaborating with other DeFi protocols, platforms, and communities to share information, best practices, and solutions for common security challenges and threats.
  • Developing and adopting security standards and frameworks such as the NIST Cybersecurity Framework or the DeFi Score to evaluate and improve the security posture and performance of DeFi protocols and pools.


Conclusion 🙌

Balancer is a DeFi protocol that offers a novel way to create and manage liquidity pools of different tokens. However, Balancer has also been the victim of several security breaches that have resulted in significant losses for its users and investors. These security breaches expose the vulnerabilities and challenges that exist in the DeFi space and call for more attention and action from the DeFi community and stakeholders. By learning from these incidents and implementing proper security measures and practices, Balancer and other DeFi protocols can enhance their security and resilience and provide a better and safer experience for their users and investors.

What do you think about Balancer’s security breaches? Do you trust Balancer or other DeFi protocols with your funds? Let me know in the comments below!


Sources:

(1) Harmony Ropes in FBI After Losing $100M in Exploit; ONE ... CoinDesk.
(2) Balancer Recovers 97% of Funds After Vulnerability Report. Crypto Economy.
(3) Optimism network's DeFi lender, Exactly, loses $26 million in TVL ... FXStreet.
(4) The Impact of Information Security Breaches on Financial Performance of ... Journal of Information Technology Management.
(5) A Case Study of the Capital One Data Breach. MIT Sloan School of Management.
(6) The Relationship between Board-Level Technology Committees and ... SSRN.
(7) Balancer Depositors Pull Nearly $100M in Crypto After Vulnerability Warning. MSN.
(8) Balancer Depositors Pull Nearly $100M in Crypto After Vulnerability Warning. CoinDesk.
(9) Balancer Depositors Pull Nearly $100M in Crypto After Vulnerability Warning. Yahoo Finance.
(10) Users pull $150 million in funds from Balancer protocol within hours. Web3 is Going Great.
(11) Balancer Depositors Pull Nearly $100M in Crypto After Vulnerability Warning. CryptoNews.
