After a hack resulting in the loss of $200 million last month, Balancer is under attack again, this time on the protocol frontend. What can be done about it?
The DeFi Balancer protocol suffers a frontend hack
Barely a month ago, the decentralized finance (DeFi) protocol Balancer (BAL) suffered a major hack to the tune of $200 million, resulting in the loss of around 20% of the total value locked (TVL) on the application.
Today, Balancer is facing a new attack, this time affecting the protocol’s frontend. As a result, the project teams have called for the website not to be used until further notice:
The balancer frontend is under an attack. The issue is currently under investigation. Please do NOT interact with the balancer UI until further notice!
– Balancer (@Balancer) September 19, 2023
Unlike a hack on smart contracts, a frontend attack acts in a much more insidious way. The first type of attack seeks to exploit a flaw in an application’s source code in order to divert the funds deposited in it. Frontend attacks, on the other hand, target the user interface.
From there, several possibilities can be envisaged. One is to try to get victims to approve a fraudulent smart contract, by attacking the Domain Name System (DNS) provider to replace a legitimate smart contract with malicious code.
The amount of the losses is still unclear
At the time of writing, the consequences of this attack were still unclear, although it appears much more limited than last month’s.
According to blockchain security firm PeckShield, at least the equivalent of $238,000 was stolen:
PeckShieldAlert @Balancer has reported that its frontend under an attack, ~$238k worth of cryptos were stolen https://t.co/aAaj0Xqery pic.twitter.com/YDIjfnNYM4
– PeckShieldAlert (@PeckShieldAlert) September 20, 2023
In addition, a portion of the stolen ETH was exchanged for AVAX, and then sent to a deposit address on the MEXC cryptocurrency exchange.
For those thinking they may have approved a fraudulent smart contract, whether on Balancer or elsewhere, it’s important to remove these approvals quickly, before they lead to a potential drain on funds. To do this, tools such as revoke.cash can be used, as can the “Token Approvals” sections of blockchain explorers such as Etherscan or Polygonscan, depending on the blockchain being used.
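The following Python example is added here and is not code from Balancer, revoke.cash or any block explorer: it decodes `approve` and `setApprovalForAll` calls from a wallet's transaction history, reports approvals still live for spenders outside a trusted list, and builds the calldata that revokes each one. The addresses, the transaction list and the function names are constructed for illustration.

```python
# Added example: constructed sample data; all addresses are placeholders.
APPROVE = "095ea7b3"               # selector of approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # selector of setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1

def encode(selector, spender, value):
    """ABI-encode selector + (address, uint256 or bool) as hex calldata."""
    return "0x" + selector + spender[2:].lower().rjust(64, "0") + format(value, "064x")

def decode_approval(calldata):
    """Return (selector, spender, value) for an approval call, else None."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    selector, args = data[:8], data[8:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL) or len(args) != 128:
        return None
    # An address occupies the low 20 bytes of the first 32-byte word.
    return selector, "0x" + args[24:64], int(args[64:], 16)

def outstanding_approvals(txs, trusted_spenders):
    """Replay transactions oldest-first; report live approvals to untrusted spenders."""
    latest = {}
    for tx in txs:
        decoded = decode_approval(tx["input"])
        if decoded:
            selector, spender, value = decoded
            latest[(tx["to"].lower(), selector, spender)] = value  # later calls overwrite
    trusted = {s.lower() for s in trusted_spenders}
    return [
        {"token": token, "spender": spender,
         "unlimited": selector == SET_APPROVAL_FOR_ALL or value == MAX_UINT256,
         "revoke_calldata": encode(selector, spender, 0)}  # same call with 0 / false
        for (token, selector, spender), value in latest.items()
        if value != 0 and spender not in trusted
    ]

# Constructed wallet history (hypothetical token and spender addresses).
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20
KNOWN_ROUTER, UNKNOWN_1, UNKNOWN_2 = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
SAMPLE_TXS = [
    {"to": TOKEN_A, "input": encode(APPROVE, KNOWN_ROUTER, MAX_UINT256)},
    {"to": TOKEN_A, "input": encode(APPROVE, UNKNOWN_1, MAX_UINT256)},
    {"to": TOKEN_B, "input": encode(APPROVE, UNKNOWN_2, 500)},
    {"to": TOKEN_B, "input": encode(APPROVE, UNKNOWN_2, 0)},  # already revoked
    {"to": TOKEN_B, "input": "0xa9059cbb" + "00" * 64},       # transfer(): ignored
]

if __name__ == "__main__":
    for finding in outstanding_approvals(SAMPLE_TXS, [KNOWN_ROUTER]):
        print(finding)
```

A replay of transaction inputs does not see allowances that have already been spent or that were granted by signature (permit), so the token contract's on-chain allowance remains the authoritative value.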
In addition to the previous month’s hack, Balancer had also warned of another problem at the beginning of the year, calling on its users to withdraw certain liquidities from the pools.
The BAL token is down 1.3% at the time of writing, at $3.29 each. Since its all-time high during the last bull market, the asset’s price has fallen by over 95%.