Price Rounding Down Bug Blamed for Balancer Exploit in BlockSec Report

Over the previous two weeks, Balancer and Beethoven X were attacked, resulting in $2.1 million in damages. The vulnerability and its exploitation have been ignored by the victim platforms despite the severity of the issue. BlockSec auditor has carried out an extensive analysis of the attack to figure out the reason and its effects on the community. As per the report, the Balancer exploit is caused by rounding down prices in a specific Linear pool, leading to incorrect token rates in another related pool.

Balancer’s $2.12 Million Loss Sparks Investigation into Vulnerability

After Balancer’s August 22, 2023 notification of a major vulnerability in numerous boosted pools, users were recommended to immediately remove their liquidity providers (LPs). Balancer worked hard to secure most of the Total Value Locked (TVL), however, certain funds were still vulnerable. Unfortunately, five days after the release, various attacks in their natural setting resulted in robberies totaling $2.12 million.

Three weeks after the first discovery, Balancer has not done a detailed inquiry. Decentralized automated market maker (AMM) systems like Balancer V2 generate liquidity programmably. Balancer reduces token transfers and separates token accounting and administration from pool logic. This distinguishes it from other automated market makers (AMMs) that mix these components.

Balancer Pool Tokens (BPTs) represent each pool’s LP tokens. The collective value of Blockchain-based Property Tokens (BPTs) determines their worth. Multi-hop swaps are efficient with the Vault’s batchSwap capability.

$2.12 Million Attack on Balancer and Beethoven X Raises Security Concerns

Flash swaps in Balancer’s pools erase input token reservations. Consumers can also ask the Vault to complete the transaction after noticing a difference and receiving reimbursement. The newest Balancer and Beethoven X attacks caused significant financial losses. Beethoven X, a branched protocol, was attacked shortly after the first attack, costing $1.1 million. Balancer lost roughly one million dollars. The security breach cost $2.12 million.

Further investigation revealed major differences in attack transactions between Fantom, Ethereum, and Optimism. The Fantom attacker used two methods to avoid Miner Extractable Value (MEV) bot identification and preemptive action. Financial resources for the Fantom attack were raised over 163 days.

The subtle risk of decimal rounding emphasizes the necessity for timely and efficient security communication with different agendas. Balancer earlier warned about forked protocol assaults. However, similar attacks have continued despite warnings. This emphasizes the need for forked projects to update with their founders’ security updates. However, ensuring fast interaction among community members working on different projects remains difficult.