Balancer is a specialized AMM that allows trading pools of more than 2 coins. Most of the time, these pools hold 2 coins, and the price is self-balancing and really simple: Balance of token A * Balance of token B = Constant, called the "constant product" equation. Balancer's adaptation generalizes this formula to work for more than 2 tokens, which they call weighted math.
The formula above lets the pool facilitate trades by calculating its own price. If there is less of one token, then that token goes up in price. AMMs are a fascinating concept! Balancer also has flash loan functionality built into each pool. This is a borrow that can be performed without providing any assets in return; the major caveat is that it ONLY works if the loan is returned within a single transaction.
To perform a flash loan, a function is called with a list of tokens and the value of each to retrieve. To ensure that the money is repaid at the end of the block, the original cost of each token is kept track of. This is checked at the end of the call to ensure that they are the same, and a fee is also taken for the service.
An additional piece of background needed to understand this is proxies. Proxies allow a contract to be editable: one base contract holds the storage and forwards future calls to another contract, which is the current version. At this point, the contract has two entrypoints: the proxy and the implementation. Several ERC20 tokens allow for this, such as sBTC and SNX.
The vulnerability is within the handling of double entrypoint tokens. Both the proxy and the token address can be specified in the same call. The first coin will appear to have all of the money, while the other will appear to have none of the money. When the loan is inserted back into the contract (as required), the excess money all goes to the fees contract. This sends a MAJOR excess of money from the contract to the fees collector, causing a DoS on the pool.
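The accounting failure described above can be reproduced in a small model. This is an added example, not Balancer's code: the `Ledger` class, the account names, the rule that any surplus over the recorded balance is forwarded as a fee, and the snapshot-first hardening are all assumptions made for illustration.

```python
# Toy model, not Balancer's code: names and the fee rule are assumptions.
class Ledger:
    """Underlying ERC20 storage shared by every entrypoint of one token."""
    def __init__(self):
        self.bal = {}
    def balance_of(self, who):
        return self.bal.get(who, 0)
    def transfer(self, src, dst, amt):
        assert self.balance_of(src) >= amt, "insufficient balance"
        self.bal[src] = self.balance_of(src) - amt
        self.bal[dst] = self.balance_of(dst) + amt

def flash_loan(tokens, amounts, repay, snapshot_first, fee_rate=0):
    """tokens maps entrypoint name -> Ledger; repay is the borrower callback."""
    names = list(tokens)
    pre = {}
    if snapshot_first:  # hardened: record every balance before any transfer
        pre = {n: tokens[n].balance_of("pool") for n in names}
    for n in names:
        if not snapshot_first:  # naive: snapshot interleaved with transfers
            pre[n] = tokens[n].balance_of("pool")
        tokens[n].transfer("pool", "borrower", amounts[n])
    repay(amounts)
    for n in names:
        excess = tokens[n].balance_of("pool") - pre[n]
        assert excess >= amounts[n] * fee_rate, "loan not repaid"
        tokens[n].transfer("pool", "fees", excess)  # surplus is treated as fee

def run(snapshot_first):
    ledger = Ledger()
    ledger.bal = {"pool": 1000}
    # Constructed double-entrypoint token: two addresses, one ledger.
    tokens = {"proxy": ledger, "impl": ledger}
    amounts = {"proxy": 1000, "impl": 0}
    def repay(amts):
        ledger.transfer("borrower", "pool", sum(amts.values()))
    flash_loan(tokens, amounts, repay, snapshot_first)
    return ledger.balance_of("pool"), ledger.balance_of("fees")

if __name__ == "__main__":
    print("naive    (pool, fees):", run(False))
    print("hardened (pool, fees):", run(True))
```

In the naive ordering the second entrypoint's starting balance is recorded after the first transfer has already emptied the pool, so the full repayment is counted as surplus and forwarded to the fees account.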
This is an interesting bug for a very weird edge case of ERC20 tokens. Finding it required a deep understanding of token implementations and the Balancer contract as a whole. This was only a partial denial of service, but it was still interesting nonetheless.