The team behind decentralized finance (DeFi) protocol Balancer published a preliminary post-mortem report on Wednesday, detailing the cause of an exploit that siphoned $116 million across DeFi markets.
Balancer was hit by a sophisticated code exploit on Monday that affected Balancer v2 Stable Pools and Composable Stable v5 pools. All other pool types remained unaffected, according to the report.
The attacker combined BatchSwaps, which let users bundle multiple actions, including flashloans, into a single transaction. Flashloans are short-term loans that are borrowed and repaid within the same transaction. The exploit also involved manipulating the upscale rounding function that affects EXACT_OUT swaps in the Stable Pools.
The rounding function is designed to round down when token prices are an input. However, the attacker was able to manipulate these rounding values, and in combination with the BatchSwap feature this allowed the perpetrator to drain funds from the stable pools. The Balancer team stated:
“In many instances, the exploited funds remained within the Vault as internal balances before being withdrawn in subsequent transactions.”
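As an added illustration of the rounding point above (not Balancer's code and not a reconstruction of the exploit), the snippet below shows why the rounding direction in fixed-point swap math decides who absorbs the remainder, and gives a property check a reviewer can run over many inputs to catch a direction that leaks value from the pool. The function names, the simple price-times-amount model and the sample values are constructed for this example.

```python
# Added example: rounding direction in 18-decimal fixed-point swap math.
# Constructed for illustration; the price model is deliberately simple and
# is NOT the StableSwap invariant Balancer uses.
from fractions import Fraction

ONE = 10**18  # 18-decimal fixed point, the common EVM convention


def mul_down(a: int, b: int) -> int:
    """a*b in fixed point, truncating the remainder (favours the payer)."""
    return (a * b) // ONE


def mul_up(a: int, b: int) -> int:
    """a*b in fixed point, rounding any remainder up (favours the receiver)."""
    product = a * b
    return 0 if product == 0 else (product - 1) // ONE + 1


def amount_in_exact_out(amount_out: int, price: int, *, pool_favouring: bool) -> int:
    """Tokens the user must pay for an exact `amount_out` at fixed-point
    `price` (tokens_in per token_out). The pool is owed this amount, so the
    safe direction is to round UP; rounding DOWN hands the remainder to the
    caller on every swap."""
    if pool_favouring:
        return mul_up(amount_out, price)
    return mul_down(amount_out, price)


def leakage(amount_out: int, price: int, *, pool_favouring: bool) -> Fraction:
    """Exact value the pool gives away on one swap; > 0 means the pool loses."""
    exact = Fraction(amount_out * price, ONE)
    charged = amount_in_exact_out(amount_out, price, pool_favouring=pool_favouring)
    return exact - charged


def check_rounding_never_leaks(prices, amounts, *, pool_favouring: bool) -> bool:
    """Property check: across all sampled inputs the pool is never charged
    less than the exact amount. Run this in tests for every code path that
    computes an amount the pool is owed."""
    return all(
        leakage(a, p, pool_favouring=pool_favouring) <= 0
        for p in prices
        for a in amounts
    )


if __name__ == "__main__":
    # Constructed sample: a price just above 1.0 and a price below 1.0.
    prices = [ONE + 1, ONE * 3 // 7]
    amounts = [1, 3, 10**6]
    print("pool-favouring rounding leaks:", not check_rounding_never_leaks(prices, amounts, pool_favouring=True))
    print("round-down leaks:", not check_rounding_never_leaks(prices, amounts, pool_favouring=False))
```

With round-down, a swap for 1 unit at a price below 1.0 is charged 0, which is exactly the kind of per-swap remainder that becomes material when many swaps are bundled into one transaction.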
This hack is a critical reminder that hot wallets, liquidity pools, and other on-chain funds reachable from the internet remain exposed to evolving threats, and that crypto users and blockchain developers must exercise caution in protecting their assets.
Industry Collaboration and Response to the Exploit
The hackers were likely highly skilled professionals who prepared for months before executing their attack. They reportedly used a series of 0.1 Ether (ETH) Tornado Cash deposits to fund the attack, aiming to avoid detection.
Balancer collaborated with cybersecurity partners and other crypto protocols to recover or freeze a portion of the stolen funds. This included 5,041 StakeWise Staked ETH (osETH), valued at approximately $19 million, and 13,495 osGNO tokens, valued at up to $2 million.
The Balancer team has paused all affected pools and disabled the creation of new "vulnerable" pools until the security issue is resolved.
Balancer offered a 20% white hat bounty to ethical hackers and the perpetrator for the return of the stolen funds. As of this writing, no one had claimed the bounty.