Hacker Steals Cryptocurrencies Worth $500k From a DeFi App
The DeFi space of Ethereum has gone parabolic over the past few weeks. Cryptocurrencies locked in DeFi applications are now worth $1.65 billion, representing a 65 percent increase from the value on June 17. At the same time, there is an upsurge in the number of people using applications such as Compound, Maker, and Synthetix.
However, the growth of decentralized finance may be temporarily slowed by an alleged hack that took place some hours ago. On June 28, reports circulated on social media that a DeFi hack had taken place. In a tweet yesterday, Steven Zheng noted that an individual drained a Balancer pool:
“Apparently someone drained a Balancer Pool made up of WETH and STA and got away with $500k worth of WETH. Everyone cares about decentralization and permissionlessness until they lose money. To be clear, from what I understand, this isn’t a Balancer issue but a Statera issue. Their token is deflationary which causes some weird accounting issue.”
After Zheng tweeted about the hack, the Ethereum-based decentralized exchange 1inch confirmed that at least two Balancer Protocol multi-token pools had been drained of over $500,000 through a vulnerability arising from the combination of an AMM and a token with a deflationary model.
“The hacker sent a complex transaction to Ethereum Mainnet which caused an attack on one of the Balancer Pools. Several minutes later, a second transaction happened and also drained another Balancer Pool.”
1inch explained that the attacker used a smart contract to automate multiple actions in a single transaction. First, the attacker obtained a FlashLoan of 104k WETH from dYdX and used it to swap WETH for STA tokens back and forth 24 times, draining the pool's STA balance until it was 1 weiSTA (0.000000000000000001 STA).
Then the attacker swapped 1 weiSTA for WETH multiple times, and repeated the same step to drain the WBTC, SNX and LINK token balances from the pool. The last step was repaying the 104k WETH FlashLoan to dYdX.
According to 1inch, the attacker is a sophisticated smart contract engineer who is very knowledgeable about DeFi protocols, as he used Tornado Cash to obtain the initial funds spent on deploying the smart contracts and carrying out the attack, thereby hiding the source of his Ether.
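The accounting issue Zheng describes can be seen in a toy model, added here as an illustration and not taken from 1inch, Balancer or Statera: a pool that credits the amount a sender requested, rather than the amount that arrived, drifts away from its real balance when the token burns part of every transfer. The 1% burn rate, the class and function names, and the amounts are assumptions made for the example.

```python
BURN_BPS = 100  # assumption: the token burns 1% of every transfer (basis points)


class DeflationaryToken:
    """Constructed stand-in for a token that destroys a fee on each transfer."""

    def __init__(self):
        self.balances = {}

    def mint(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        burned = amount * BURN_BPS // 10_000
        self.balances[src] -= amount
        # The receiver gets less than the sender asked to send.
        self.balances[dst] = self.balances.get(dst, 0) + amount - burned


class NaivePool:
    """Credits the requested amount, so its books overstate what it holds."""

    def __init__(self, token):
        self.token = token
        self.recorded = 0

    def deposit(self, sender, amount):
        self.token.transfer(sender, "pool", amount)
        self.recorded += amount


class CheckedPool(NaivePool):
    """Credits only what arrived, measured as balance after minus before."""

    def deposit(self, sender, amount):
        before = self.token.balances.get("pool", 0)
        self.token.transfer(sender, "pool", amount)
        self.recorded += self.token.balances["pool"] - before


def drift_after(pool_cls, deposits, amount):
    """Return recorded minus actual pool balance after repeated deposits."""
    token = DeflationaryToken()
    token.mint("user", deposits * amount)
    pool = pool_cls(token)
    for _ in range(deposits):
        pool.deposit("user", amount)
    return pool.recorded - token.balances["pool"]
```

A non-zero drift means prices are being computed from a balance the pool does not hold; comparing recorded and actual balances is also a simple monitoring check for pools that list fee-on-transfer tokens.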