DeFi Balancer: Attacked in Flash Loan Attack

Balancer was hit by a flash loan attack, resulting in a loss of US$500,000. Balancer is an AMM market that uses a constant product. Assets in a pool can be exchanged at the pool's current rate, provided the constant product is preserved. The flash loan attack exploits this principle: after one asset in the pool is hollowed out, the other asset can be obtained at a very low price, resulting in a profit close to US$500,000.

Attack steps:

  • 1. The attacker borrows 104k WETH from dYdX;
  • 2. The attacker repeatedly swaps the WETH obtained in step 1 for STA tokens in Balancer's WETH-STA pool. After 21 swaps, the STA in the pool is drained, leaving only 1 wei STA (because of the deflation model, at least 1 wei STA remains in the pool);
  • 3. The attacker uses 1 wei STA to repeatedly obtain WETH from the pool according to the constant product formula. The prices are 1 wei STA : 30,347 WETH, 1 wei STA : 15,173 WETH, and so on. After 18 exchanges, the WETH is almost gone;
  • 4. The attacker performs the same operation on the WBTC-STA, SNX-STA, and LINK-STA pools;
  • 5. The attacker returns 104k WETH to dYdX;
  • 6. The attacker adds a small amount of the STA obtained (50 wei STA) to the Balancer pool as liquidity. Because the pool holds very little STA, only 1 wei STA, the attacker obtains a high LP share at this point. These shares earn token rewards from the pool; a total of 136k STA is obtained;
  • 7. The attacker exchanges 136k STA for 109 WETH, completing the entire attack process.
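The halving prices in step 3 follow from the constant product formula when the pool's STA balance stays at 1 wei. The Python model below is an added example, not Balancer or STA contract code: it assumes an equal-weight, zero-fee, two-asset pool and a 1% burn on transfer rounded up, and contrasts pricing a swap on the amount the caller claims to send with pricing it on the amount the pool actually receives. All names (`Pool`, `sell_sta`, `received_after_burn`, `price_on_received`) and the starting balances are constructed for illustration.

```python
# Constructed model for illustration; not Balancer or STA contract code.
# Assumptions: two-asset pool, equal weights, no swap fee, integer wei amounts,
# and a deflationary token that burns 1% of each transfer, rounded up.
WEI = 10**18

def received_after_burn(amount):
    """Tokens that actually arrive: a 1 wei transfer is burned entirely."""
    burn = -(-amount // 100)  # ceil(amount / 100)
    return amount - burn

def swap_out(bal_in, bal_out, amount_in):
    """Constant product: (bal_in + amount_in) * (bal_out - out) = bal_in * bal_out."""
    return bal_out * amount_in // (bal_in + amount_in)

class Pool:
    def __init__(self, sta, weth, price_on_received):
        self.sta, self.weth = sta, weth
        self.price_on_received = price_on_received  # True = hardened accounting

    def sell_sta(self, amount_in):
        received = received_after_burn(amount_in)
        # Weak form prices the swap on the amount the caller claims to send.
        priced = received if self.price_on_received else amount_in
        out = swap_out(self.sta, self.weth, priced)
        self.sta += received  # balance the pool really holds after the burn
        self.weth -= out
        return out

def repeat_one_wei_swaps(pool, rounds):
    """Sell 1 wei of STA `rounds` times and return each WETH payout in wei."""
    return [pool.sell_sta(1) for _ in range(rounds)]

def run(price_on_received):
    # Constructed state: 1 wei STA left, WETH chosen to mirror the page's prices.
    pool = Pool(sta=1, weth=60_694 * WEI, price_on_received=price_on_received)
    payouts = repeat_one_wei_swaps(pool, 18)
    return pool, payouts

if __name__ == "__main__":
    for hardened in (False, True):
        pool, payouts = run(hardened)
        print("hardened" if hardened else "weak",
              [p // WEI for p in payouts[:3]], "WETH left:", pool.weth / WEI)
```

With pricing on the received amount, each 1 wei transfer is burned before it arrives, so the swap pays out nothing and the WETH balance is unchanged.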

After the attack is complete, the attacker transfers the obtained coins to 0xbf675c80540111a310b06e1482f9127ef4e7469a. All operations on this address are performed through Tornado, so they cannot be traced back.


  • 455 WETH ($100k worth)
  • 2.4m STA ($100k worth) and converted it to 109 WETH ($25k worth)
  • 11.36 WBTC ($100k worth)
  • 60.9k SNX ($100k worth)
  • 22.6k LINK ($100k worth)