We recently reported that the Balancer DeFit protocol suffered a $500,000 attack. Less than 24 hours later, a second attack claimed about $2,300 worth of Compound tokens (COMP).
Hao, an engineer at DeBank, tweeted that an attacker was able to fool the Balancer system into thinking he was owed a significant portion of the COMP tokens stored in the decentralized exchange’s pool.
The attack involved flash loans from both dYdX and Uniswap. The hacker loaned more than $33 million that was used to generate cTokens representing ownership in a Compound pool.
The attacker then transferred the cTokens to a Balancer pool. This triggered Compound into distributing the COMP accrued by the pool during its normal operation. The hacker then forced Balancer to update the pool’s balance, which at this point included all of the flash loaned money. The system thus believed that the hacker was entitled to a significant share of the pool’s COMP, despite not having held any money previously.
A call to withdraw the COMP and exchange it to ETH completed the hack, which netted a relatively small sum of about 10 COMP, worth $2,300.
Hao noted that the attack is similar to the $500,000 loss from earlier in the day. Like the first, this second attack relies on the peculiar way that Balancer manages its internal state.
The team has since pledged to make affected users whole. They will also compensate a researcher who reported on the vulnerability in May.