Balancer Hacked for $500,000: Analysis of the Vulnerability in the DeFi Deflationary Token


Technical Analysis of the Balancer DeFi Platform Hack

Recently, a DeFi platform has attracted widespread attention due to its innovative "lending and mining" model. However, two ERC20 deflationary token pools on the platform were attacked by hackers in the early morning of June 29, resulting in losses of over $500,000.

After analysis by security experts, it was found that the root of the problem lies in the incompatibility between the deflationary tokens on the platform and their smart contracts under certain conditions, allowing attackers to profit from price deviations.

The attack is mainly divided into four steps:

  1. The attacker borrows a large amount of WETH from a certain lending platform using a flash loan.

  2. By repeatedly calling the swapExactAmountIn() function, the attacker drains almost all of the STA tokens on the platform.

  3. By exploiting the incompatibility between the STA token and the platform's smart contracts, specifically the mismatch between the bookkeeping and the actual balance, the attacker depletes other assets in the fund pool, ultimately profiting over $520,000.

  4. The attacker repays the flash loan and exits with the profit.

The technical details analysis is as follows:

Step 1: Flash loan. The attacker borrows a large amount of WETH to prepare for subsequent operations.

Step 2: Clear the platform's STA assets. The attacker reduced the platform's STA balance to nearly zero by repeatedly invoking the swapExactAmountIn() function, paving the way for the next step of the attack.

Step 3: Attack profits. The attacker uses the platform's "Dynamic Balance" principle to exchange a small amount of STA for a large amount of other assets. Since a 1% fee is burned when transferring STA, the platform is unable to actually receive STA, causing a mismatch between internal accounting and actual balance. The attacker continuously calls the gulp() function to reset internal accounting, persistently exchanging a tiny amount of STA for other valuable assets.

Step 4: Repay the flash loan. Finally, the attacker repays the borrowed WETH, completing the entire attack process.

This incident once again exposed the compatibility risks of composability in DeFi. To avoid similar attacks, it is recommended:

  1. When the amount of a deflationary token is insufficient to pay the transaction fee during transfer, the transfer should revert or return false.

  2. The platform should check the actual balance after each transferFrom() call.

  3. DeFi project developers should adopt good coding standards, conduct comprehensive security testing, and thoroughly investigate various possible combination behaviors.
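
Recommendation 2 as a runnable toy model (an added example, not Balancer's or STA's contract code): a pool that credits the nominal transfer amount drifts away from its real balance when the token burns 1% in transit, while a pool that measures its balance before and after transferFrom() stays consistent. The `DeflationaryToken` and `Pool` classes, the round-up of the burn, and the deposit amounts are assumptions constructed for illustration.

```python
FEE_BPS = 100  # 1% burned per transfer, as described for STA


class DeflationaryToken:
    """Toy fee-on-transfer token: the recipient gets the amount minus the burn."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer_from(self, src, dst, amount):
        if amount <= 0 or self.balance_of(src) < amount:
            return False
        burn = -(-amount * FEE_BPS // 10_000)  # assumption: burn rounds up
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount - burn
        return True


class Pool:
    """Keeps an internal record of its holdings, like the platform's bookkeeping."""
    def __init__(self, token, check_balance):
        self.token, self.check_balance, self.recorded = token, check_balance, 0

    def deposit(self, sender, amount):
        before = self.token.balance_of("pool")
        if not self.token.transfer_from(sender, "pool", amount):
            raise ValueError("transfer failed")
        received = self.token.balance_of("pool") - before
        # Hardened: credit what actually arrived. Naive: trust the argument.
        credited = received if self.check_balance else amount
        self.recorded += credited
        return credited

    def drift(self):
        """Recorded minus actual balance; above 0 means unbacked bookkeeping."""
        return self.recorded - self.token.balance_of("pool")


def run(check_balance, deposits=(1_000, 250, 1)):  # constructed sample amounts
    pool = Pool(DeflationaryToken({"user": 10_000}), check_balance)
    credited = [pool.deposit("user", amount) for amount in deposits]
    return credited, pool.drift()


if __name__ == "__main__":
    print("naive:", run(check_balance=False), "hardened:", run(check_balance=True))
```

In the naive run the pool's record ends 14 units above its real balance, and the 1-unit deposit is credited although nothing arrived; with the balance check the drift is 0.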

The specific losses caused by this attack include various digital assets such as WETH, WBTC, SNX, with a total value exceeding $520,000. This event will undoubtedly have an impact on the DeFi community and serves as a reminder for project developers to place a high priority on the security of smart contracts.
