Balanced exploit post-mortem | June 2023

Balanced exploit post-mortem | June 2023

On June 24th, the Balanced exchange was attacked through a smart contract exploit. The hacker successfully drained assets from the sICX/bnUSD, BTCB/bnUSD, sICX/BTCB, and BALN/sICX liquidity pools, some of which is recoverable. No other pools were directly affected, and collateral held in the Loans contract was untouched.

Although the amount is substantial and precise numbers are still being calculated, the DAO Fund will have enough funds to make everyone whole. No Balanced users will suffer a financial loss thanks to the DAO being well capitalised.

What happened?

Beginning at 21:13 UTC on June 24 (between blockheights 67534662 and 67545900), a hacker exploited a flaw in the transfer function for LP Tokens: if you transfer LP Tokens to your own address, it increased the amount of LP Tokens held by the wallet based on the amount self-transferred.

By minting LP Tokens to themselves, the attacker was able to withdraw liquidity that wasn’t theirs, then swap as much as they could into assets that could be bridged to Binance Smart Chain (BTCB; ETH; and BUSD from the Stability Fund). They also used the ICX queue to swap a lot of the funds into ICX.

While the bnUSD peg appears to be broken, it’s simply the result of erratic trading by the attacker which caused irrational pricing on the exchange. bnUSD is still overcollateralized and is expected to return to its peg.

How the community responded

The issue was first reported by Balanced community members, who noticed that bnUSD was off its peg by as much as 95%. They also reported incongruencies with a number of trades, where the amount recorded in the transaction data was much higher than the actual amount received.

These actions were taken by the ecosystem participants:

  • Took the Balanced smart contracts offline
  • Halted bnUSD, BALN, and sICX transfers
  • Suspended transactions through ICON Bridge
  • Contacted exchanges to suspend deposits
    • Binance - suspended
    • Kucoin - suspended (also froze the attacker’s account)
    • Kraken - suspended
    • ByBit - contacted
    • OKX - contacted
  • Notified the community
  • Notified FYEO

What’s the damage?

Here’s the total amount the attacker withdrew from the liquidity pools:

  • 1,302,817 bnUSD
  • 3,765,291 sICX
  • 4,314,543 BALN
  • 7 BTCB

A lot of this was protocol-owned liquidity, and some of it was sold back to the pools in exchange for other tokens.

We were able to freeze some assets in the attacker’s wallet, which will be recoverable:

  • 469,525.82 bnUSD
  • 733,550.30 sICX
  • 4,006,113.25 BALN

Additionally, ICON Network validators acted swiftly to vote in favour of blacklisting the attacker’s account, which currently holds ~2.1M ICX. This will be more difficult to recover for the DAO, but likely recoverable with consensus of ICON validators. Since this step was taken, the exchanges have been alerted to resume ICX transfers.

Taking the frozen funds into account, the net amount withdrawn from the pools was:

  • 833,291.18 bnUSD
  • 3,031,740.70 sICX
  • 308,429.75 BALN
  • 7 BTCB

Much of the stolen liquidity was protocol-owned, which the DAO will not reclaim. Instead, we’ll use the DAO’s remaining assets to replenish user positions. We expect that all user-held positions will be made whole.

What happens next?

The next priority is getting Balanced back online, and we hope to do so within one week, but will keep the community updated. This process entails the following:

  • Claw the bnUSD, BALN, and sICX back from the attacker
  • Adjust the liquidity pool balances to match the balances held before the attack, minus the protocol-owned liquidity – making all users whole
  • Make sure the attacker holds no assets of value
  • Deploy a fix to the DEX contract
  • Resume operations on Balanced

We appreciate your patience and support during this trying time. We’ll share more updates here as we can, but for the latest developments, make sure to join the Balanced Discord channel.

9 Likes

Good job ! Well handled ! Hat off!

1 Like

Job well done keeping Balanced alive. This could have been worse, in the same sense it could have been better.

A couple of questions about the 3 ICON based DAPP airdrops that have had a tough time.

For the Snow token investors that bought SNOW from Everest is there going to be a way to sell Snow over the next five years. Even though snow is no longer worth money it is still usable to lower future crypto profits because you can sell it for a loss during years you make money from other investments, in a sense it is a huge benefit to be able to sell a token even if it is for “0.”

The reason I bring up that topic on this forum is that BALN holders were almost in the same situation of a token worth “0.” Omm was almost in the same situation months back. Both of these DAPPS swimming in an ocean, trying their best, have top notch teams and laying foundations on a top notch blockchain, but with the major dilemma that these two applications are faced with, “bad actors,” “hackers,” surrounding the waters. Sharks looking to devour and take advantage of any mistake, these apps need constant funding during setbacks due to the environment they live in, not patchwork after a shark bite. Not being ok, great let’s amputate both legs. We should have the mindset of let’s do surgery and try to save both legs. OMM faced amputation, imo, will the same be said about Balanced, only time will tell.

If the hacking trajectory continues the best use case for our tokens is to sell for a loss to minimize crypto taxes, but this may be 5 to 6 years out when one may want to sell.

We had one exchange offering to list BALN months ago on this forum but we turned that down for protocol owned liquidity, which we don’t have anymore after this hack, what seems to be give or take a1 million dollar hack on a 2.5 million dollar market cap coin.

So we need another exchange to list BALN if our token goes to “0.” Even if the value is zero we would still get tax benefits for the sale.

Also if BALN goes under that kills Craft and every other ICON token that would need a service to sell their tokens for a loss for the years to come.

These are the realities we need to be thinking about for the investors that believed in the growth stories of these ICON DAPPS and actually invested in these ICON sub tokens.

Now to positive thinking…

ICON could give grants, much more than CPS funding, to DAPPS that are the most at risk of attacks, swimming in the waters, actually creating use cases for their blockchain and increasing the value of $ICX. We need support now like never before. You see Balanced carries so much risk in so many different directions it is not comprehensible, which is why we still got hacked even after being audited by FYEO. I’m not sure FYEO would want Balanced advertising at this point.

The truth is Balanced is the heartbeat for all of ICON based token DAPPS, with some projects close to a million dollar market cap. Without Balanced your ICON project token would be worthless. Without Balanced we lose the perfect vehicle to use ICON cross chain efforts with a slick application. The community needs to get behind support for Balanced to fully recover, or be even stronger than they were pre hack. Currently it looks like amputations and wishful thinking, we can do better.

1 Like

The Balanced Restart and Recovery vote is now underway, and ends in 2 days.

1 Like

BIP39 has been approved, and Balanced has now resumed all operations.

  • Liquidity pool prices have been corrected
  • All user liquidity positions have been restored

A big thanks to everyone who helped get Balanced back online within a week without any financial loss to users.


By attacking our contracts, the hacker only made Balanced stronger.

They exposed a flaw which has now been fixed, and the community are evaluating additional measures to limit Balanced’s risk exposure and improve response time.

Join them in this discussion:

1 Like