DeFi’s Balancer Pool Hacker Drains Funds Worth About $500k

By Sahana Kiran
Published June 29, 2020 Updated July 31, 2020

DeFi platform Balancer’s multi-token pools came under attack, with a hacker draining about $500k worth of funds.

Sophisticated Smart Contract Engineer Behind The Hack?

Decentralized Finance [DeFi] has been in the news lately following the launch of two prominent governance tokens from lending protocol Compound Finance as well as decentralized exchange Balancer. Compound’s COMP token was the first to hit the market and still has the entire DeFi space under its dominance.

While Balancer was also seen doing well, the platform disclosed a recent incident. Balancer Labs revealed that an attacker had drained funds worth about $500,000 from two pools that held deflationary tokens. The tokens in these pools were STA and STONK.

Pools holding these tokens, which charge transfer fees, were reportedly the only ones affected by the hack. The platform’s co-founder, Mike McDonald, elaborated on this in a recent blog post.

The hacker reportedly carried this out via two different transactions. The hacker took out a loan of 23 million USD worth of Ether from the decentralized borrowing and lending platform dYdX. WETH and STA were then traded back and forth about 24 times in large volumes, causing the STA balance in the pool to plummet to a low of 0.000000000000000001 STA. Each time WETH was converted into STA, the Balancer Pool gained 1 percent less STA than the expected amount.

1inch, a DEX aggregator, elaborated on this in its Medium post and stated,

“As the next step, the attacker swapped 1 weiSTA to WETH multiple times. Due to STA token transfer fee implementation, the pool never received STA but released WETH regardless. The same step was repeated to drain WBTC, SNX and LINK token balances from the pool.”

Even though Balancer wasn’t aware of the possibility of such an attack, the platform claims to have warned the users about the “unintended effects ERC20s with transfer fees could have in the protocol.”
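The accounting mismatch described above can be shown with a small model. This is an added example, not Balancer's or 1inch's code: the class names, the "pool" and "trader" account labels and the round-up fee rule are assumptions made for illustration. It compares a pool that credits the nominal transfer amount with one that credits only the balance it actually received.

```python
"""Constructed model: fee-on-transfer token versus pool bookkeeping."""

FEE_PERCENT = 1  # from the article: the pool gained 1 percent less STA


class FeeToken:
    """Minimal ERC20-like ledger that burns a fee on every transfer."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        # Assumption: the fee rounds up, so a 1-unit transfer delivers 0.
        fee = -(-amount * FEE_PERCENT // 100)
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount - fee


class NaivePool:
    """Credits the nominal amount, as if the token charged no fee."""

    def __init__(self, token):
        self.token = token
        self.recorded = 0  # the pool's internal balance record

    def deposit(self, sender, amount):
        self.token.transfer(sender, "pool", amount)
        self.recorded += amount  # flaw: the fee never reached the pool
        return amount  # amount the pool believes it can price against

    def drift(self):
        """Recorded balance minus the token's real balance for the pool."""
        return self.recorded - self.token.balances.get("pool", 0)


class CheckedPool(NaivePool):
    """Credits only the measured balance increase."""

    def deposit(self, sender, amount):
        before = self.token.balances.get("pool", 0)
        self.token.transfer(sender, "pool", amount)
        received = self.token.balances.get("pool", 0) - before
        self.recorded += received
        return received
```

A non-zero `drift()` is the invariant violation to alert on: the pool's record should never exceed what the token contract reports for it.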

1inch believes that the attack was carried out by a “sophisticated smart contract engineer” who had immense knowledge about the DeFi space and its protocols. The stolen funds were further transferred to the address, 0xBF675C80540111A310B06e1482f9127eF4E7469A.


Furthermore, Balancer said that the platform would be adding transfer fee tokens to the UI blacklist, publishing more documentation on how the pools work, and had even arranged a 3rd audit that would take place before today.

