Yesterday, June 29th, two of the multi-token pools on DeFi platform Balancer were drained of ~$450,000. The attacker conducted the attack in two separate flashloan transactions by draining one liquidity pool until close to zero. The firm’s co-founder and CTO, Mike McDonald, confirmed that hackers drained at least two of their pools that contained deflationary tokens STA and STONK. He admitted that hackers exploited security vulnerabilities in those tokens to trick their pools into selling them Ether, WBTC, LINK, and SNX with a total loss of 601.3 ETH, 11.36 WBTC, 22,593 LINK, and 60,915 SNX totalling around $450,000.
As we know, there is huge competition now in the DeFi space, especially between the tokens involved in yield farming. But there is no easy profit, and there are risks involved. My man here pointed this out from the beginning:
In a later report, Balancer announced that they will compensate any user who lost tokens. Details about all this will be published later this week.
But, surprisingly, this happened again on 30.06.2020, even if on a smaller scale. Apparently at 1.39 PM, someone used a dYdX flash loan (again) and drained unclaimed COMP in several Balancer pools, making 10.8 ETH profit in the process. You would think that once they found out that this exploit can be used for any coin, on any pool, they would pause the protocol in order to prevent further incidents. They didn’t. In my opinion the solution is simple, even if time-consuming. They should introduce a temporary 24-hour delay on withdrawals and manually approve them, at least until they find a solution. This is another great example of a company caring more about its brand image than about the solution. Now they really need to step up, in my opinion.
Any future DeFi project should study this issue and learn how to avoid future problems. Now that the cat is out of the bag, more pools will be under black-hat hackers' scrutiny. Some state-sponsored hacker groups will probably enjoy the free money. And they have the power and the numbers to pose a real danger to the future of DeFi.
Read the CoinTelegraph article for the technical analysis of the hack.
Be careful, very careful; in the end it is your money we are talking about!