Bug Bounty Progress Disclosure

Bug Bounties — Another Key Step to Strengthen the Security of the Balancer Protocol

Security has always been the top priority at Balancer. The team is committed to safer DeFi, and all reported potential vulnerabilities are investigated thoroughly. The Balancer bug bounty program is among the largest in DeFi, with maximum payouts of 1000 ETH.

TL;DR:

• Two potentially exploitable scenarios have been identified by white hat hackers.
• Fixes were engineered, and bug bounty payouts were made.
• Funds are safe, and the issues were never exploited.

On May 14th and 15th, the Balancer Labs team was notified about two potentially exploitable scenarios. White hat hackers disclosed these vulnerabilities via an email report and through the bug bounty platform Immunefi. Balancer Labs took immediate action to assess both reports and remedy potential vulnerabilities.

What happened?

The first reported issue was related to Stable and Managed Pools. User funds were not at risk at any time as the exploit could only be executed by Pool owners or Balancer Governance composed of known participants in the Balancer ecosystem. In particular, Balancer Governance on Ethereum Mainnet (which holds the vast majority of funds) represents a 6-of-11 multisig owned by reputable members of the Web3 community. Balancer Labs took immediate measures to reduce any chance of the exploit and engineered a fix to the vulnerability.

The second reported issue pertained to a potential Denial of Service (DoS) scenario that involved double entry-point ERC20 tokens, including but not limited to Synthetix tokens (e.g. SNX, sBTC) and Balancer Flash Loans. The Balancer Labs team created a contract to move the affected funds and restore normal operation. A proposal was launched on Snapshot and passed, and normal operation has since resumed.

Payout Details

Bounty payouts were allocated according to the severity of the potential exploits. For the first issue, classified as High severity, albeit on the lower end of the spectrum, a cumulative 100k USD was paid out (50k USD and 50k USD for the two bug bounty claimers). The second potential exploit, classified as Medium severity, resulted in one 50k USD claim. We would like to thank @k_besic from @chain_security, @gpersoon and @shw9453 for their hard work securing the Protocol.

Key Takeaways

We treat moments like these as a chance for self-reflection. This event highlighted several key areas for potential improvement to Balancer’s process. In the spirit of transparency and collaboration, we would like to share some of the most important takeaways with you.

Decentralization Spawns Complexity

Balancer has grown immensely since its 2020 inception. Early in our lifecycle, our release process was simpler, involving coordination with only a handful of other Protocols. Although tremendously valuable for decentralization, bridges, projects building on top of Balancer, and friendly forks add complexity to releases. The Synthetix tokens issue required synchronization with the Synthetix team to release a remedy on Optimism and Mainnet. Fortunately, we were able to handle this patch proactively. Nevertheless, it is clear that the ecosystem will soon be far too large for this to remain practical, and we will need to find better tools for coordination.

Bug Bounty Programs are a Necessity

The two bounty submissions demonstrated the importance of a strong bug bounty program as a critical step to strengthening the security of Balancer Protocol. Projects should be looking to develop bug bounty programs, and if you are a white hat hacker, we encourage you to check out our Immunefi bug bounty program.

Payout Update

Starting August 1st, the USD bug bounty will be temporarily reduced by 50%. However, the ETH amounts will remain the same to continue to incentivize and support good-faith white hat hackers who share the vision of protecting and strengthening the security of the Balancer Protocol.

Balancer Bug Bounty on Immunefi

In May 2022, Balancer Labs launched a bug bounty program on Immunefi- a web3 bug bounty platform. The bug bounty program focused on the Balancer Protocol’s Smart Contracts with the objective of preventing the use of the Balancer Protocol in an unintended manner. A full list of the assets in scope can be found in the bounty description.

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.1. All critical/high severity bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward.

About Balancer

Balancer’s mission is to accelerate innovation in DeFi by providing access to secure infrastructure for liquidity applications. As a core building block of DeFi, Balancer Protocol is community driven and is reliable, open-source, and permissionless. Projects build on Balancer to create new, innovative types of pools and financial dApps.

Website | Twitter | Discord| Forum | Immunefi Bug Bounty| Docs

Communications from Balancer Labs OU are intended solely for informational purposes, and should not be construed as investment or trading advice and are not meant to be a solicitation or recommendation to buy, sell, or hold any tokens mentioned. All figures are estimated and unaudited unless otherwise noted. As a technology company, Balancer Labs OU provides access to software.