Earlier today, the Balancer DeFi protocol suffered a $500,000 attack. Within 24 hours, another attack claimed about $2,300 USD worth of Compound tokens (COMP).
Hao, an engineer at DeBank, revealed that an attacker was again able to fool the Balancer system into thinking he owned a portion of the COMP tokens stored in the decentralized exchange's pool.
The attack involved flash loans from both dYdX and Uniswap. The hacker borrowed over $33 million, which was used to generate cTokens representing ownership within the Compound pool.
The attacker then transferred the cTokens to a Balancer pool. This triggered Compound into distributing the COMP accrued by the pool during its normal operation. The hacker then forced Balancer to update the pool's balance, which at that point included all of the flash-loaned money. The system therefore believed that the hacker was entitled to a large share of the pool's COMP, despite not having held any money previously.
A final call to withdraw the COMP and exchange it for ETH completed the attack, which netted a comparatively small sum of about 10 COMP, worth $2,300 USD.
Hao added that this attack is somewhat similar to the $500k loss observed earlier today. Like the first, this second attack relies on the peculiar way that Balancer manages its internal state.
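As an added illustration (this is not Balancer's or Compound's code, and not taken from Hao's analysis), the following Python model shows the accounting pattern the article describes: a pool that refreshes its internal balance from its on-chain token balance lets whoever holds shares at the moment of the refresh claim rewards that accrued before they joined, whereas a pool that checkpoints accrued rewards against the shares that existed when the rewards arrived, before minting new shares, does not. The pool classes, holder names and amounts are constructed for the example.

```python
"""Toy model of reward-accrual accounting in a liquidity pool.

Constructed illustration, not Balancer's or Compound's code. It contrasts a
pool that syncs internal state from its raw token balance with one that
checkpoints accrued rewards before accepting new liquidity.
"""
from collections import defaultdict


class Pool:
    def __init__(self):
        self.shares = {}            # holder -> pool shares
        self.total_shares = 0.0
        self.actual_comp = 0.0      # COMP the pool contract really holds on-chain
        self.recorded_comp = 0.0    # COMP the pool's internal state knows about

    def join(self, who, amount):
        self.shares[who] = self.shares.get(who, 0.0) + amount
        self.total_shares += amount

    def accrue_reward(self, comp):
        # Reward tokens arriving from outside the pool's own entry points
        # (e.g. COMP distributed by a lending protocol to the pool address).
        self.actual_comp += comp


class VulnerablePool(Pool):
    """Internal balance is refreshed from the raw on-chain balance."""

    def settle_rewards(self):
        # Every COMP that arrived since the last sync becomes reserves owned
        # pro rata by whoever holds shares *right now*, whenever they joined.
        self.recorded_comp = self.actual_comp

    def exit(self, who):
        held = self.shares.pop(who)
        payout = self.recorded_comp * held / self.total_shares
        self.total_shares -= held
        self.recorded_comp -= payout
        self.actual_comp -= payout
        return payout


class CheckpointedPool(Pool):
    """Rewards are credited to existing shares before any new shares exist."""

    def __init__(self):
        super().__init__()
        self.reward_per_share = 0.0
        self.paid = defaultdict(float)     # holder -> reward_per_share at last settle
        self.pending = defaultdict(float)  # holder -> COMP owed but not withdrawn

    def settle_rewards(self):
        # Attribute newly arrived COMP to the shares that existed while it accrued.
        new_comp = self.actual_comp - self.recorded_comp
        if new_comp > 0 and self.total_shares > 0:
            self.reward_per_share += new_comp / self.total_shares
        self.recorded_comp = self.actual_comp

    def _settle(self, who):
        owed = self.shares.get(who, 0.0) * (self.reward_per_share - self.paid[who])
        self.pending[who] += owed
        self.paid[who] = self.reward_per_share

    def join(self, who, amount):
        self.settle_rewards()   # checkpoint against *existing* shares first
        self._settle(who)
        super().join(who, amount)

    def exit(self, who):
        self.settle_rewards()
        self._settle(who)
        held = self.shares.pop(who)
        self.total_shares -= held
        payout = self.pending.pop(who)
        self.recorded_comp -= payout
        self.actual_comp -= payout
        return payout


def run(pool_cls):
    """Long-standing provider A, 10 COMP accrue, then B joins with a large
    deposit, forces a balance update and leaves. Returns (A's COMP, B's COMP)."""
    pool = pool_cls()
    pool.join("lp_a", 100.0)
    pool.accrue_reward(10.0)
    pool.join("late_b", 900.0)
    pool.settle_rewards()
    b_comp = pool.exit("late_b")
    a_comp = pool.exit("lp_a")
    return round(a_comp, 9), round(b_comp, 9)


if __name__ == "__main__":
    print("balance-sync pool:", run(VulnerablePool))      # (1.0, 9.0)
    print("checkpointed pool:", run(CheckpointedPool))    # (10.0, 0.0)
```

In the balance-sync model the late depositor walks away with 9 of the 10 COMP that accrued before it held any shares; in the checkpointed model it receives nothing and the original provider keeps all 10. From a monitoring standpoint, a balance-refresh call landing in the same transaction as an unusually large join and exit is the signature worth alerting on.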
The team has since pledged to make affected users whole. They are also going to compensate a researcher who reported this vulnerability earlier in May.