Balanced bug report | November 2024
Balanced has a dedicated community. So much so that recently, one of our community members uncovered a critical bug while borrowing bnUSD against the new collateral types, which allowed him to withdraw collateral without repaying his debt.
This action was possible due to the “sell collateral” method on the Loans contract, which was added to the smart contracts a few years ago so people could settle their debt during the rebalancing panic. At that time, all collateral types used for loans were also liquid on the exchange, so no one noticed the problem.
But the latest collateral types did not have any liquidity to trade, so if you owned the majority of the liquidity pool for your collateral type, you could repay your debt by selling collateral to a pool whose price you could manipulate.
Rather than exploit the issue, the community member reported it to the developers, who immediately released a fix.
If discovered and exploited by a malicious actor, this issue could have inflated the bnUSD supply by up to several million, without the collateral to back it.
Previously, Balanced offered a bug bounty on Immunefi which paid out up to $100,000 for critical smart contract issues. While the Immunefi bounty is no longer active, we still reward anyone who steps forward to protect the Balanced protocol.
The critical nature of this bug qualifies for the full $100,000 reward, so the ICON Foundation will contribute $50,000 and a DAO Fund proposal will go to a vote soon to cover the other $50,000. Once live, we encourage you all to approve it to show your support for their actions.
To make sure no issues remain undiscovered, we’ve begun to engage external audit firms to re-review the Java contracts, and the ICON development team (who are more familiar with Java) will conduct a separate review of their own.