Balancer to compensate victims of $450,000 exploits and reward white hat hacker

Ethereum-based market-making protocol Balancer has announced that it will compensate users who lost their tokens in a protocol attack associated with two deflationary tokens.

The protocol operator will also reward Ankur Agrawal of Hex Capital, “the maximum amount” available in its current bug bounty program, since he flagged the bug to the Balancer team on May 6.

“The bug bounty report by [Agrawal] describes in detail the attack that happened. Our team however did not think it would be a practical attack because of the enormous amounts of funds and also gas we thought would be required for bringing the balance of the deflationary token to near 0 in a single atomic transaction,” said Balancer.

Previously, Balancer had declined to pay out a bug bounty because “they determined that it was not a critical bug,” Agrawal told The Block.

The attack took advantage of the fact that deflationary tokens STONK and STA both charge transfer fees when trading. At the same time, their associated Balancer pools do not immediately account for those fees. It means that the pool balance will show more STONK or STA than the actual number, leaving attackers opportunities to respectively trade STONK and STA, incurring transfer fees and thus draining the two tokens.

When there were very few tokens left in the pools, the attackers called a function to sync the displayed balance of the pools with the actual balance, resulting in a sharp drop in STONK and STA supplies and pushing up their prices against other assets they paired with. Attackers could then swap for these other tokens with a small amount of STONK and STA to cash out.

Balancer is expected to announce details of its reimbursement process by the end of the week.

© 2020 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

Source link