Balancer hacked twice within 24 hours, though this time is relatively small around $2,300 worth of Compound tokens (COMP)

The Balancer automated market maker protocol has been hacked for over $ 500,000 in an Ether transaction. Then, in less than 24 hours, a second attack took place, accounting for about $ 2,300 worth of Compound tokens (COMP).

COMP is the native token of Compound — a DeFi protocol that allows its users to earn interest on deposits or lend cryptocurrencies. Lending and borrowing on Compound are managed through a decentralized peer-to-peer blockchain-based protocol.

The hacker was called to a significant share of the pool’s Compound tokens (COMP)

As analyzed by the team a few hours after the incident, a carefully crafted transaction taking more than 8 million gas, or about two-thirds of an Ethereum block, stole over $ 500,000 in Ether, Wrapped Bitcoin (WBTC), Chainlink ( LINK) and Synthetix (SNX) tokens.

After that, it didn’t stop there, and the attack involved flash loans from both dYdX and Uniswap. And hackers loaned more than $ 33 million that was used to generate cTokens representing ownership in a Compound pool.

Also, an engineer at DeBank Hao said the attacker could fool the Balancer system into thinking that he owed a significant portion of the COMP tokens stored in a decentralized exchange pool. The attacker then transferred the cTokens to a Balancer pool. This triggered Compound into distributing the COMP accrued by the pool during its normal operation. The hacker then forced Balancer to update the pool’s balance, which at this point included all of the flash loaned money.

The system thus believed that the hacker was called to a significant share of the pool’s COMP, despite not having held any money previously.

According to Hao, the hackers withdrew 10 COMP and exchanged it with ETH, worth only about $ 2,300.

Hao stated that:

“The attack is similar to the $ 500,000 loss from earlier in the day. Like the first, this second attack relies on the peculiar way that Balancer manages its internal state.”

The team is committed to making the entire user affected. They will also compensate a researcher who reported the vulnerability in May.

In other happenings, in a June 29, OKEx stated that COMP spot trading against Bitcoin/USDT began at 6 AM UTC today. COMP deposits launched one hour before and withdrawals one hour after trading started.

You can also check COMP Price here.

Read more:

Follow us on Telegram

Follow us on Twitter

Follow us on Facebook

You might also like