DeFi platform Balancer will reimburse users who lost their tokens during two recent attacks involving deflationary tokens. The protocol operator will also reward a white hat hacker who raised the flag on the bug in May.
The Ethereum-based Balancer Labs announced on June 30, 2020, the details of the process the firm went through before deciding to make a reimbursement. Balancer said that only 0.36% of the total liquidity in the firm’s pools was affected during the incident. However, the firm said it was taking the matter seriously. The firm’s statement read in part:
“The bug bounty report by [Agrawal] describes in detail the attack that happened. Our team, however, did not think it would be a practical attack because of the enormous amounts of funds and also gas we thought would be required for bringing the balance of the deflationary token to near 0 in a single atomic transaction.”
Previously Declined To Give a Bug Bounty
The firm reported it would reward Ankur Agrawal of Hex Capital “the maximum amount” in its current bug bounty program. It was he who flagged the bug to the Balancer team on May 6. According to Agrawal, the firm had previously declined to give a bug bounty. Balancer had believed the bug was not as critical as he had reported. Agrawal had tweeted:
“I just published an article on the @BalancerLabs incident yesterday where $500k of user funds were lost due to a bug with pools containing deflationary erc20 tokens including @StateraProject.”
Enabled the Attackers to Swap Tokens
The attackers timed the incident to coincide with the point when deflationary tokens STONK and STA both charge transfer fees when trading. They seem to have noticed that the pool balance would not show excess STONK or STA; this gave the attackers the chance to trade STONK and STA respectively and incur transfer fees, thereby draining both tokens.
Once the volume of tokens went down, the attackers called a function to sync the displayed balance of the pools with the correct balance. This resulted in a sharp drop in the STONK and STA supplies, which in turn pushed up their prices against the assets they were paired with. That enabled the attackers to swap a small amount of STONK and STA for those other tokens and cash out.
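The gap between a pool's recorded balance and its real balance, as described above, can be reproduced in a simplified model that also shows the usual fix of crediting only what was actually received. This is an added example, not Balancer's contract code; the 1% fee, the class names and the `sync` method are assumptions made for illustration.

```python
# Simplified model, constructed for illustration (not Balancer's contract code).
# Assumption: the token burns 1% (100 basis points) of every transfer.
class DeflationaryToken:
    """Fee-on-transfer token: the recipient gets less than the amount sent."""
    def __init__(self, fee_bps=100):
        self.fee_bps = fee_bps
        self.balances = {}

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer(self, src, dst, amount):
        fee = amount * self.fee_bps // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount - fee


class Pool:
    """Pool that keeps its own record of how many tokens it holds."""
    def __init__(self, token, name, measure_received):
        self.token, self.name = token, name
        self.measure_received = measure_received
        self.recorded = 0

    def deposit(self, sender, amount):
        before = self.token.balances.get(self.name, 0)
        self.token.transfer(sender, self.name, amount)
        received = self.token.balances[self.name] - before
        # Weak accounting credits the nominal amount; hardened credits the delta.
        self.recorded += received if self.measure_received else amount

    def drift(self):
        """Recorded minus actual balance; non-zero means the record is stale."""
        return self.recorded - self.token.balances.get(self.name, 0)

    def sync(self):
        """Overwrite the record with the actual token balance."""
        self.recorded = self.token.balances.get(self.name, 0)


def simulate(measure_received, deposits=10, amount=1_000):
    """Return (recorded, actual, drift) after repeated transfers into the pool."""
    token = DeflationaryToken()
    token.mint("lp", deposits * amount)
    pool = Pool(token, "pool", measure_received)
    for _ in range(deposits):
        pool.deposit("lp", amount)
    return pool.recorded, token.balances["pool"], pool.drift()
```

A non-zero `drift()` is the invariant violation to monitor for: the larger it grows, the larger the sudden change in recorded balance when the record is synced.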
Not Setting a Precedent
Balancer will announce details on the process of reimbursement before the end of this week. Balancer said it was not setting a precedent for refunds of any future losses. Users are reminded that there are risks associated with using smart contracts on Ethereum and DeFi. The firm stated:
“Balancer Labs will only reimburse the losses of liquidity providers in this attack. We believe we could and should have done better in avoiding this, given the context of the bug bounty report we received prior to the attack.”