Balanced exploit post-mortem | June 2023
On June 24th, the Balanced exchange was attacked through a smart contract exploit. The hacker successfully drained assets from the sICX/bnUSD, BTCB/bnUSD, sICX/BTCB, and BALN/sICX liquidity pools, some of which is recoverable. No other pools were directly affected, and collateral held in the Loans contract was untouched.
Although the amount is substantial and precise numbers are still being calculated, the DAO Fund will have enough funds to make everyone whole. No Balanced users will suffer a financial loss thanks to the DAO being well capitalised.
What happened?
Beginning at 21:13 UTC on June 24 (between block heights 67534662 and 67545900), a hacker exploited a flaw in the transfer function for LP Tokens: transferring LP Tokens to your own address increased the wallet's LP Token balance by the amount self-transferred.
By minting LP Tokens to themselves, the attacker was able to withdraw liquidity that wasn’t theirs, then swap as much as they could into assets that could be bridged to Binance Smart Chain (BTCB; ETH; and BUSD from the Stability Fund). They also used the ICX queue to swap a lot of the funds into ICX.
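To make the flaw concrete, below is an added illustrative reconstruction (not Balanced's actual DEX code) of a transfer routine with the self-transfer accounting bug beside a corrected version, plus a supply-conservation check that a monitor could apply to every transfer; the pool id, addresses and amounts are constructed.

```python
# Illustrative reconstruction of the self-transfer accounting flaw.
# Not Balanced's DEX code: the ledger layout, pool id, addresses and
# amounts below are constructed for demonstration.

class LpTokenLedger:
    def __init__(self, balances):
        # balances[(pool_id, address)] -> LP token amount
        self.balances = dict(balances)

    def balance_of(self, pool_id, addr):
        return self.balances.get((pool_id, addr), 0)

    def total_supply(self, pool_id):
        # Sum of all holders of one pool's LP token; a transfer must never change it.
        return sum(v for (p, _), v in self.balances.items() if p == pool_id)

    def transfer_vulnerable(self, pool_id, frm, to, amount):
        # Both balances are read before either is written. When frm == to the
        # second write overwrites the first, the debit is lost, and the sender
        # ends up with the original balance plus the amount.
        from_bal = self.balance_of(pool_id, frm)
        to_bal = self.balance_of(pool_id, to)
        if amount <= 0 or from_bal < amount:
            raise ValueError("insufficient balance")
        self.balances[(pool_id, frm)] = from_bal - amount
        self.balances[(pool_id, to)] = to_bal + amount

    def transfer_fixed(self, pool_id, frm, to, amount):
        # Debit first, then credit from a fresh read of the recipient balance,
        # so a self-transfer nets to zero and total supply is conserved.
        from_bal = self.balance_of(pool_id, frm)
        if amount <= 0 or from_bal < amount:
            raise ValueError("insufficient balance")
        self.balances[(pool_id, frm)] = from_bal - amount
        self.balances[(pool_id, to)] = self.balance_of(pool_id, to) + amount


def supply_conserved(ledger, pool_id, transfer, *args):
    # Monitoring check: run one transfer and report whether the pool's total
    # LP supply stayed constant. A False result flags minting-by-transfer.
    before = ledger.total_supply(pool_id)
    transfer(pool_id, *args)
    return ledger.total_supply(pool_id) == before
```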
While the bnUSD peg appears to be broken, it’s simply the result of erratic trading by the attacker which caused irrational pricing on the exchange. bnUSD is still overcollateralized and is expected to return to its peg.
How the community responded
The issue was first reported by Balanced community members, who noticed that bnUSD was off its peg by as much as 95%. They also reported discrepancies in a number of trades, where the amount recorded in the transaction data was much higher than the amount actually received.
These actions were taken by the ecosystem participants:
- Took the Balanced smart contracts offline
- Halted bnUSD, BALN, and sICX transfers
- Suspended transactions through ICON Bridge
- Contacted exchanges to suspend deposits
  - Binance - suspended
  - Kucoin - suspended (also froze the attacker’s account)
  - Kraken - suspended
  - ByBit - contacted
  - OKX - contacted
- Notified the community
- Notified FYEO
What’s the damage?
Here’s the total amount the attacker withdrew from the liquidity pools:
- 1,302,817 bnUSD
- 3,765,291 sICX
- 4,314,543 BALN
- 7 BTCB
A lot of this was protocol-owned liquidity, and some of it was sold back to the pools in exchange for other tokens.
We were able to freeze some assets in the attacker’s wallet, which will be recoverable:
- 469,525.82 bnUSD
- 733,550.30 sICX
- 4,006,113.25 BALN
Additionally, ICON Network validators acted swiftly to vote in favour of blacklisting the attacker’s account, which currently holds ~2.1M ICX. This will be more difficult to recover for the DAO, but likely recoverable with consensus of ICON validators. Since this step was taken, the exchanges have been alerted to resume ICX transfers.
Taking the frozen funds into account, the net amount withdrawn from the pools was:
- 833,291.18 bnUSD
- 3,031,740.70 sICX
- 308,429.75 BALN
- 7 BTCB
Much of the stolen liquidity was protocol-owned, which the DAO will not reclaim. Instead, we’ll use the DAO’s remaining assets to replenish user positions. We expect that all user-held positions will be made whole.
What happens next?
The next priority is getting Balanced back online, and we hope to do so within one week, but will keep the community updated. This process entails the following:
- Claw the bnUSD, BALN, and sICX back from the attacker
- Adjust the liquidity pool balances to match the balances held before the attack, minus the protocol-owned liquidity – making all users whole
- Make sure the attacker holds no assets of value
- Deploy a fix to the DEX contract
- Resume operations on Balanced
We appreciate your patience and support during this trying time. We’ll share more updates here as we can, but for the latest developments, make sure to join the Balanced Discord channel.