Balancer - REKT

Balancer has had a bit of a wobble.

Last Sunday, the AMM (along with ‘official partner’ Beethoven X) lost $2.1M from v2 Boosted pools across Ethereum, Optimism and Fantom.

First came a warning:

Balancer has received a critical vulnerability report affecting a number of V2 Pools.

Emergency mitigation procedures have been executed to secure a majority of TVL, but some funds remain at risk.

Users are advised to withdraw affected LPs immediately.

Then, when the list of vulnerable pools was announced, it seems to have set an army of blackhats to work, looking for a way in.

A later update stated that over 99% of vulnerable TVL had been secured, and that just $565k remained at risk.

Then, $2.1M ended up missing.

Credit: Balancer, Peckshield, Beosin

The hacks came five days after Balancer’s disclosure of a potential threat, advising users to withdraw funds from certain pools.

An official post-mortem is yet to be published, and details of the attack vector remain under wraps, given that further funds may still be at risk.

This article will be edited to add further details when they are released.

EDIT - 14 SEPT 2023: While Balancer still hasn't provided an official post-mortem, BlockSec published a detailed incident report, concluding that "the root cause stems from the price manipulation resulting from the rounding down logic in the linear pool. This consequently affects the cached token rate used by the corresponding boosted pool inappropriately."

BlockSec justified their frontrunning of an official report, stating that three weeks had passed since Balancer's initial announcement, and two weeks since the hacks, adding:

This incident emphasizes the critical need for prompt notifications to projects that have forked from a vulnerable source, which indeed poses a significant challenge for the whole community.

EDIT - also 14 SEPT 2023, four hours later: Balancer finally published their own in-depth post-mortem.

Balancer’s response to the threat followed a clear protocol in order to mitigate potential losses. As well as publishing the list of pools at risk, the team adjusted the UI in order to inform users whether their deposits were affected.

Exploiter addresses:

0xB23711b9D92C0f1c7b211c4E2DC69791c2df38c1 (ETH)

0xed187f37e5ad87d5b3b2624c01de56c5862b7a9b (ETH)

0x429313e53a220c4a5693cad1da26ae5045b5762f (ETH)

0x64E08fa89C2bAE9F123cc8a293775f0E6CC86760 (FTM)

0xBC794F1ff9AD7711A9d2E69Be5b499e290B8fD3c (OP)

While Balancer has been audited by multiple companies, the Boosted pools are not listed under the scope of any of the linked reports.

This isn’t the first time Balancer has been hacked, in 2020 the protocol lost $500k to a flashloan attack. But that was before’ time, making this latest incident Balancer’s leaderboard debut.

Doomscrolling the TL, it feels like we’ve hit peak apathy.

With little to lift the spirits, influencers are content shilling themselves into quick profits via the latest popularity-ponzi.

And some of last cycle's wannabe main characters continue to disgrace themselves.

With the community at a low-point it's especially painful to see even OG protocols like Curve and Balancer eventually finding their way onto the leaderboard

Things look bleak and we may start to ask ourselves:

Will there even be another cycle?

News that would have sent coins to the moon during a bull run is largely forgotten in a matter of days.

But this industry isn't going away anytime soon.

Will you be ready, anon?

share this article

REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.

donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C


REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.