Well, it’s happened again. Just a month after the Curve Finance exploit, another major DeFi player has been attacked. On Aug. 27, 2023, Balancer was exploited for roughly $2 million, due to a vulnerability in some of their staking pools.
While it’s still being worked out exactly how this hack was accomplished and the steps required to stop it, the Balancer exploit already provides ample opportunity to learn how to protect your crypto. With over $760 million stolen in 18 DeFi exploits so far in 2023, there’s never been a better time to up your knowledge of crypto security.
We’ve got tips for users on how to keep your crypto safe, while major players such as Balancer continue to work to tighten up security on their platforms. Let’s begin with a few basics, then cut straight to improving security.
What is Balancer protocol?
Implemented on multiple blockchains, Balancer is an automated market maker (AMM). Its AMM protocol functions as a decentralized exchange (DEX), helping provide liquidity to traders for their ERC-20 tokens. This makes it possible for traders to take out loans from Balancer and for users who’ve staked their coins on Balancer to profit by earning fees and interest.
What is the timeline of the Balancer exploit?
On Aug. 22, Balancer warned its community that a vulnerability had been detected in some of its Version 2.0 liquidity pools.
Initial estimates of the amount of crypto at risk due to the vulnerability were $27 million. Balancer’s GitHub page identified several liquidity pools across eight different blockchains that were at risk, Decrypt reported.
In response to Balancer’s announcement, many users withdrew their coins, causing the TVL on Balancer to shrink dramatically. But not everyone got the message, it seems.
About five days later, on Aug. 27, attacks began that exploited the security bug Balancer had warned the community about. Initial reports put the losses at just under $1 million, but losses grew in the following days.
That same day, Cyvers founder and CTO Meir Dolev identified the attacker’s wallet address.
In all, over $2 million has been lost so far in a series of attacks that exploited the security bug.
Precise details of how this hack was executed have yet to come out. On Sept. 4, Balancer promised it would release a post-mortem once it successfully resolves the problem. (And yes, that means additional losses may still occur.) A governance vote was upcoming to decide whether to refund users affected in the exploit.
Tips to Avoid Losing Crypto on a DEX
How can you avoid losing your crypto in a DEX hack? Here are takeaways from the Balancer exploit.
Look for transparency and customer service
One yardstick for whether a platform should be trusted is how rapidly and fully it discloses problems. Balancer received kudos from the community for quick disclosure and assistance to affected users during this exploit. It made suggestions that prioritized users’ security rather than its own asset preservation by urging users to withdraw their funds from affected pools.
The result: Balancer’s TVL sank from roughly $900 million before the exploit to closer to $670 million, a level it’s maintained since. Balancer continues to urge any users who are just getting the news to withdraw crypto they may have in affected pools.
Balancer launched an emergency UI that allowed users to immediately see if their crypto was invested in any of the affected pools, and to withdraw it if so. An emergency subDAO paused the affected pools that could be put on hold, and enabled “proportional exits” for users from pools that couldn’t be paused.
Watch for notices
In this case, Balancer warned users with stakes in the affected liquidity pools to withdraw their funds. Apparently, not everyone was paying attention. The attack didn’t hit until five days later–plenty of time for any savvy Balancer users to have secured their funds.
Beyond watching for notices that come directly from platforms you trade on, it’s also prudent to follow some of the major crypto security firms on social media. They are often the first outsiders to spot a hack in progress and pop up on X with details.
When a hack is in progress, the platform being exploited may still be scurrying around trying to stop the bleeding before prepping its official statement. Precious hours tick away in the meanwhile. Outside firms have no skin in the game and make their reputations by being first to spot problems.
Stake at your own risk
Many crypto users are lured by the promise of returns they can earn on their crypto by staking it to lending pools on DeFi platforms. But those large pools of loan funds attract hackers. Each user should assess their risk tolerance for being part of such fund aggregators.
Cross-chain is more vulnerable
We’ve seen it again and again this year: platforms and apps that bridge between different blockchains present more risks. In August, Exactly saw $12 million drained through the Optimism bridge.
Be part of the community
In its initial analysis of the exploit, Balancer noted that community collaboration helped limit the damage. The lesson here is simple: If you’re using a platform, join the community and be active with it. Check in on Discord or X to see what’s being posted–it could save you a lot of heartache.
Bug bounties don’t always work
We’ve seen some major hacks in recent years where in the end, the attacker gives back all or most of the funds. This may be luring users into a false sense that all comes right in the end in DeFi, even if a hack occurs.
But the recent trend is that attackers are getting more sophisticated and don’t always bite on offers to avoid prosecution by paying back all but 10%. Balancer has a generous bug bounty program that offers 1,000 ETH for “properly disclosed critical vulnerabilities” in its smart contracts. Still, no one has come forward with information on either the identity of the attacker or with an offer to return coins.
Takeaway: Don’t be complacent about security because you think it’ll all come out in the wash. It may not. If your tokens are stolen, they may well stay gone.
Watch for side grifts
Once a hack is announced, other attackers may jump in with their own schemes to try to take advantage of the situation. Among the side schemes that sprang up around the exploit, and that Balancer subsequently shut down, were:
- A copycat user interface that promised a fake airdrop
- Bad actors who posted impersonating contributors
- Creation of a fake Balancer forum
All of these setups were designed to further rip off Balancer users during the hack. Proceed with caution during a hack–make sure you’re on legitimate sites and talking to actual DAO members. Balancer user Mich (@dubstard) offered a few basic anti-theft tips that bear repeating:
- Don’t open links sent to you in DMs from anyone claiming to be a moderator, admin, or staff member. Actual project organizers wouldn’t send you links in DMs.
- Don’t DM with anyone who messages you offering help: “those are scammers.”
- Keep the authentic URL of the project in mind and make sure you’re on that site.
- If you hear about an airdrop, check with the project and community to make sure it’s legit, and not a gambit to obtain your logins.
Balancer later offered some of its own security tips:
- If something unusual is happening (e.g. a sudden airdrop offer), it’s likely a scam.
- Never share your private keys or seed phrases with anyone.
- Don’t click on links posted by even verified X users–remember, anyone can get hacked on there, including Ethereum co-founder Vitalik Buterin.
- Legit project support is offered through public channels, not DMs.
- Check credentials by looking for verified Discord roles a platform has granted to users’ profiles. No roles? Scammer.
- Bookmark official pages and only visit them directly, not by clicking links you’re sent.
- If you see repeating, identical messages from a series of different users, beware: it’s likely a scam, as with the set of Discord messages Balancer called out on its blog.
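A moderator-side check for that last warning sign, as an added example that is not from Balancer or the original post: it groups chat messages by normalized text and flags any text posted by several distinct accounts, ignoring the casing, spacing, zero-width characters and swapped lookalike links that scam scripts vary to dodge exact-match filters. The sample messages and account names are constructed.

```python
import re
import unicodedata
from collections import defaultdict

# Constructed sample of Discord-style messages as (user, text) pairs. Not real data;
# links are defanged (hxxps) placeholders.
SAMPLE_MESSAGES = [
    ("alice", "Anyone know when the fix ships?"),
    ("bob",   "URGENT: Balancer users must migrate now -> hxxps://example-fake-airdrop.test"),
    ("carol", "urgent: balancer users must migrate NOW -> hxxps://example-fake-airdrop.test"),
    ("dave",  "URGENT: Balancer  users must migrate now -> hxxps://other-fake.test"),
    ("erin",  "Thanks, withdrew from the affected pool via the emergency UI."),
    ("bob",   "URGENT: Balancer users must migrate now -> hxxps://example-fake-airdrop.test"),
]

ZERO_WIDTH = re.compile(r"[\u200b\u200c\u200d\u2060\ufeff]")
URL = re.compile(r"\b(?:https?|hxxps?)://\S+", re.IGNORECASE)


def normalize(text):
    """Collapse the trivial variations a spam script uses between accounts."""
    text = unicodedata.normalize("NFKC", text)   # fold fullwidth/compatibility forms
    text = ZERO_WIDTH.sub("", text)              # strip invisible padding characters
    text = URL.sub("<url>", text)                # same pitch, different lookalike domain
    text = re.sub(r"\s+", " ", text)             # collapse runs of whitespace
    return text.strip().casefold()


def find_coordinated_messages(messages, min_users=3):
    """Return {normalized_text: sorted distinct users} for every text that at least
    min_users different accounts posted. Repeats by one account do not count: the
    signal is many *different* users sending one script."""
    posters = defaultdict(set)
    for user, text in messages:
        posters[normalize(text)].add(user)
    return {t: sorted(u) for t, u in posters.items() if len(u) >= min_users}


if __name__ == "__main__":
    for text, users in find_coordinated_messages(SAMPLE_MESSAGES).items():
        print(f"{len(users)} accounts posted the same message {text!r}: {users}")
```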
If it sounds too good to be true…
Always bring your gut-check to all crypto trading activities. Remember that there’s no golden goose out there that only you are hearing about.