N/A

N/A

HomeArchives

Balancer Vulnerability Analysis

39
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The document discusses various modules and potential attack vectors related to Balancer's liquidity pools. 1. **Modules**: - **batchSwap**: Allows for flexible token swaps similar to Uniswap V4, settling only at the end of the transaction. - **Composable Pools**: Enable swapping of LST tokens with similar underlying assets, with exchange rates based on the ratio of LST to underlying assets. - **Linear Pools**: Round up the amount in and down the amount out during transactions, initializing when the virtual supply is zero, allowing for a 1:1 exchange of LST tokens and underlying assets. 2. **Attack Vectors**: - The "minting" mechanism in batchSwap can create LST tokens to fill the virtual supply, facilitating the initialization of linear pools. - Rounding in linear pools can lead to imbalanced exchange ratios, especially when the asset proportions are disparate. - In composable pools, increasing the price of one LST can allow for discounted exchanges of other LSTs. 3. **Main Process**: - A series of swaps are executed, starting with the exchange of USDC for LST in a linear pool, followed by transactions that exploit rounding mechanisms to manipulate the pool's balance and initialize it, ultimately allowing for profitable exchanges. 4. **Comparison to zkLend Attack**: - The document draws parallels to a previous attack on zkLend, where rounding errors were exploited. It describes a specific strategy involving borrowing and trading BPTs to manipulate exchange rates for profit. 5. **References**: Links to further readings on Balancer's incident and related topics are provided.

1. Related Modules:#

1) batchSwap
In the Balancer Vault, batchSwap provides arbitrary combination swaps similar to Uniswap V4—settlement occurs only after the transaction is completed.
Tokens can be minted in any quantity during the process, and users only need to pay for the final settlement result.

2) Composable Pools
LST tokens with similar underlying assets (such as peg) can be exchanged in Composable Pools, with the exchange ratio depending on the ratio of "LST to underlying asset quantity" in the original linear pool. The larger the {underlying asset/LST}, the higher the value of that LST in the composable pool.

3) Linear Pools
Balancer's linear pools round up the amount in and round down the amount out during transactions.
When the pool's Virtual supply is zero, the pool will initialize, at which point LST tokens are exchanged 1:1 with the underlying asset.
(Virtual supply = totalSupply - linear pool balance
where Virtual supply is the actual issuance of LST tokens, totalSupply is a constant, and linear pool balance represents the pre-minted amount)

2. Available Attack Vectors#

1) The "minting" mechanism of BatchSwap: LST tokens can be minted during the transaction to fill the Virtual supply, providing conditions for initializing the linear pool.

2) The rounding mechanism of linear pools: Using LST to exchange for underlying assets, the rounded down amount out can cause an imbalance in the exchange ratio of the linear pool, especially when the original asset ratios in the linear pool are disparate.
Imbalance manifestation: {underlying asset/LST} is too large

3) The exchange ratio mechanism of composable pools: According to the characteristics of composable pools, raising the price of a certain LST can allow for the exchange of other LSTs at a discounted price.

3. Main Process:#

  1. The first swap (USDC linear pool): The "minted" USDC BPT (the LST mentioned above) exchanges for most of the USDC in the linear pool.

  2. The second swap (USDC linear pool): A transaction is constructed where the amount out is set to 0. The linear pool's {underlying asset/LST} becomes extremely large due to the rounding mechanism.

  3. The third swap (composable pool): The DAI/USDT BPT in the composable pool is exchanged for USDC BPT at a low price.

  4. The fourth swap (USDC linear pool): USDC BPT is injected into the linear pool, making VirtualSupply=0, initializing the linear pool.

  5. The fifth swap (USDC linear pool): USDC is exchanged for USDC BPT at a 1:1 ratio to repay the "minted" loan.

The fifth step is essential: The precision of USDC is lower than that of USDC BPT, and the rounding-induced balance tilt in the linear pool is one-sided; only the fifth step can provide sufficient USDC BPT while retaining DAI/USDT BPT.

4. Association#

In the zkLend attack, the attacker first made the value of lending_accumulator extremely large, then used the rounding mechanism to exchange a small amount of wstETH for a larger amount of wstETH.

The rounding in zkLend rounds down (core payload), and Balancer's linear pool has the same issue, but the Balancer attacker did not take this path.

The specific implementation is:

  1. "Borrow" BPT at a rate of 1 > (flash loan) and trade it for main and wrapped, reducing the token balance to near zero.
  2. Create a transaction that utilizes the rounding error of GivenOut swaps to make the total balance equal to the virtual supply, thus resetting the exchange rate to 1 (because exchange rate = balance/supply).
  3. Repay the flash loan BPT at the new lower rate to make a profit.

5. References#

https://medium.com/balancer-protocol/rate-manipulation-in-balancer-boosted-pools-technical-postmortem-53db4b642492

https://slowmist.medium.com/review-and-recommendations-of-balancer-incident-d2b31b5bd863

https://mp.weixin.qq.com/s/eHStMzKZjSs6y1ka2X5_lQ

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.