In a blog post published on June 29, Balancer Labs revealed that a hacker exploited a loophole in the code of the Balancer (BAL) protocol, siphoning $500,000 from two pools containing deflationary tokens. Only these two pools, which contain the STA and STONK tokens, were affected.
The team has announced that it will reimburse liquidity providers affected by the incident. It will also add transfer-fee tokens to a blacklist, update its documentation and undergo more security audits.
Regarding the nature of the attack, team officials said that the permissionless nature of the protocol meant that malicious tokens could always be added at the contract level. The STA token was not added to the BAL whitelist, which resulted in the token acting in unintended ways.
A bug bounty report by Ankur Agrawal from Hex Capital had been overlooked by the team, for which they issued an apology. The maximum bug bounty has been awarded to him. A follow-up post reads:
"Balancer Labs will only reimburse the losses of liquidity providers in this attack because we believe we could and should have done better in avoiding this, given the context of the bug bounty report we received prior to the attack."
Having launched in March 2020, Balancer began distributing 435,000 BAL governance tokens on June 23. The token is used in yield farming programs, like Synthetix's BTC yield farm, and the platform will undergo an upgrade in the second half of 2020.