Warned in May of Attack, DeFi Balancer Multi-Token Pools Drained for $500,000+ a Month Later


TL;DR: Decentralized finance (DeFi) project Balancer Labs, a non-custodial portfolio manager, liquidity provider, and price sensor, revealed what they’re characterizing as an “incident” where hackers were able “to drain funds from 2 pools that contained tokens with transfer fees (sometimes referred to as deflationary tokens)” of $500,000. It’s the latest gaming of the DeFi phenomenon, often criticized for being too complex for its own good.  

DeFi Balancer Multi-Token Pools Drained for $500,000+

At the time of publication, Balancer announced “it will fully reimburse all the liquidity providers who lost funds in the attack of yesterday. We will also pay out the highest bug bounty available for @Hex_Capital.” Indeed, Ankur Agrawal, the founder and CEO of Hex Capital, claimed to have “submitted this exact attack vector to Balancer Labs’ Bug Bounty program 53 days earlier on May 6. At the time, only $250 of user funds were at risk.”


In Balancer Labs Incident — When Bug Bounties Fail, Agrawal reprints his warning to Balancer so many weeks ago. Then he called it “a critical bug” in the project’s “pool smart contract that would allow a malicious user to steal all assets from a pool in certain situations. If [a] pool contains an ERC-20 that includes a transfer-fee (e.g. DGX),” Agrawal explained, “the pool adds tokenAmountIn to storage variable _records[address(tokenIn)], but the pool will actually receive tokenAmountIn — erc20TransferFee. This allows for the pool to actually contain fewer assets than it stores in _records[address(tokenIn)],” enabling a malicious user to steal funds through a few simple commands.

“Smart contract hacks in Ethereum’s emerging DeFi space have been somewhat regular occurrences. However, this one could have been avoided,” the Hex Capital CEO reminded. Insisting he wants “DeFi to succeed,” Agrawal urged “MORE focus on security. We need ROBUST bug bounty programs. And we need to aggressively acknowledge bugs and work to fix them BEFORE they are exploited.”

Person Behind Attack Was Very Sophisticated Smart Contract Engineer

Balancer seems to disagree with some of Agrawal’s particulars, however, claiming they “were not aware this specific type of attack was possible, we have consistently in our docs, discord, and other channels warned about the unintended effects ERC20s with transfer fees could have in the protocol,” Editor of Balancer Protocol Mike McDonald posted in Incident With Non-Standard ERC20 Deflationary Tokens.


Decentralized exchange (DEX) aggregator 1inch described Balancer Pools as “multi-dimensional Uniswap-like automatic market makers (AMM). They contain multiple assets and keep them balanced in certain proportions by creating arbitrage opportunity for swapping any assets by forming prices by special formula.” 1inch appeared to confirm Agrawal’s May warning while concluding, “The person behind this attack was very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols. The attack was organized and well prepared in advance. Additionally he used Tornado Cash to get initial funds, which were spent for deploying smart contracts and performing the attack, hence hiding his source of Ether.”

DeFi-related hacks are now commonplace, totaling millions in losses just this year alone. It’s often hard to tell if such projects are being exploited, gamed, or hacked — or some combination of all three. The complexity is both a feature of decentralization but quickly becoming a bug through fetishization over intelligibility. Nevertheless, DeFi is proving more popular than ever, as phenomenons like Compound show.

Bitcoin Cash

CONTINUE THE SPICE and check out our piping hot VIDEOS. Our podcast, The CoinSpice Podcast, has amazing guests. Follow CoinSpice on Twitter. Join our Telegram feed to make sure you never miss a post. Drop some BCH at the merch shop — we’ve got some spicy shirts for men and women. Don’t forget to help spread the word about CoinSpice on social media.

DYOR: CoinSpice is your home for just spicy crypto things. We’re not affiliated with any cryptocurrency project or token. Each published piece is intended for information purposes only, not investment advice and not in the hope of impacting speculative markets. There are plenty of trading sites and coin-specific advocacy journals out there, we’re neither. CoinSpice strives for rigorous accuracy in our reporting. Information presented here is contingent usually on a host of factors, and the ecosystem moves fast — prices change, projects change, and at warp speed. Do your own research.

DISCLOSURE: The author holds cryptocurrency as part of his financial portfolio, including BCH.