On the 22nd of August, Balancer Labs – a non-custodial portfolio manager, liquidity provider, and price sensor – received reports of a massive vulnerability affecting several of its lending pools.
At the time, no attacks had been carried out – but that changed recently.
As soon as the exploit was discovered, Balancer devs published a warning to its users, noting that certain pools had already been marked as safe and promising a post-mortem of the situation as soon as a patch was ready.
In order to ensure that their funds were safe, users were directed to a newly made portal that would allow them to check whether their holdings were at risk or not. However, the devs recommended that users temporarily withdraw their funds from all pools as an extra safety measure.
Unfortunately, this warning did not reach everyone’s ears, and the inevitable occurred almost a week later.
Exploit Confirmed By CyberSec Researchers
Last night, Balancer confirmed on X that an exploit had finally occurred and urged its users once again to withdraw their funds in order to prevent further exploits.
“Balancer is aware of an exploit related to the vulnerability below. Mitigation procedures have drastically reduced risks, but are unable to pause affected pools. To prevent further exploits, users must withdraw from affected LPs.” — Balancer (@Balancer), August 27, 2023
The exploit was also confirmed by Meir Dolev, the founder and CTO of Web3 security firm CyverAI.
The attack was carried out via three separate DAI transactions, all leading back to the same wallet.
The first was by far the largest – worth over $600k. Two smaller transactions followed, costing the lending pools over $250k and $85k, respectively.
Although not as damaging as other exploits that took place earlier this year, the hacker still made off with a substantial amount of illicit funds.
Balancer’s community was, understandably, dismayed at the news, with some users recommending that the devs find a new industry to work in.
In total, the unpatched smart contract vulnerability cost Balancer more than $970k. The promised post-mortem report will also undoubtedly have to be redone to include the fact that this exploit was carried out by a separate bad actor – although the hacker in question was most likely tipped off by the warning posted on Balancer’s forum.