Update #2: Incident with non-standard ERC20 deflationary tokens

Fernando Martinelli, published in Balancer Protocol, Jun 30, 2020

Our long term vision is for Balancer protocol to be a leading DeFi building block, eventually holding billions of dollars worth of assets. Since our launch, we have been humbled by the increase in usage of Balancer and believe we are on the right path to achieve this goal.

The sudden surge in users and liquidity we had last week left us playing catch-up on scaling the platform, and Balancer traffic played a major role in the outages of both TheGraph and CoinGecko's API. Even with such rapid growth, we did (and still do) our best to make sure our users understand the risks involved in dealing with Balancer as it matures and becomes a battle-tested protocol.

This post aims to detail the thought process the Balancer Labs team went through to decide on reimbursing all the liquidity providers who lost funds in yesterday's incident. It only affected about 0.36% of the total liquidity on Balancer pools, but was definitely not taken lightly by the team.

In a nutshell:

  • The Balancer team received a bug bounty report by Hex_Capital on May 6th.
  • It was clear to us even before the report that deflationary assets in Balancer pools could create unintended arbitrage opportunities and possibly unknown attack vectors. Balancer protocol was not designed with every possible non-standard ERC20 token in mind. We consistently reminded users on Discord and in our docs that transfer-fee tokens could cause unintended side effects. However, we obviously did not think that draining a pool in a single transaction with a deflationary token was possible without arbitrageurs having the opportunity to sync the balance first.
  • The bug bounty report describes in detail the attack that happened. Our team, however, did not think it would be a practical attack because of the enormous amount of funds, and the amount of gas, we believed would be required to bring the pool's balance of the deflationary token to near 0 in a single atomic transaction.
  • We at Balancer Labs are all human beings working a lot and under a lot of stress. Unfortunately we are bound to make mistakes and wrong decisions and thinking the attack was not viable was most definitely one of them. We sincerely apologize to Ankur Agrawal (Hex_Capital) who submitted the report and will award them the maximum amount available in our current bug bounty.
  • We also apologize to all the affected users of our protocol who put their trust in us by being early adopters and supporters. All the users who lost funds in this attack will be reimbursed with the exact balance of each pooled token that their BPT (pool shares) would have entitled them to at the moment immediately before the attack. The reimbursement of the deflationary tokens that made the attack possible, STA and STONK, will be made by their respective teams. The reimbursement of the other tokens by Balancer Labs will happen as soon as possible, though we cannot promise any hard dates, as the operational details must still be figured out.
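The root of the problem described above is a bookkeeping gap: a pool that trusts the amount a caller passes into a swap records more of a transfer-fee token than it actually received, and the gap only closes when someone syncs the recorded balance with the real one. The model below is an added illustration written for this post, not Balancer's contracts; the token and pool names, the 1% burn rate and the trade sizes are all made up. It runs the same round-trip trade through a pool that books the caller's stated amount and through one that books the measured balance change, then reports how far the recorded reserve has drifted from what the pool really holds.

```python
"""Toy model of a fee-on-transfer ("deflationary") token inside a constant-product
pool that keeps an internal record of its reserves. Constructed illustration for this
post, not Balancer's contracts; token names, fee rate and amounts are made up."""

BURN_BPS = 100  # 1% burned on every transfer (made-up rate for the model)


class Token:
    """Minimal ERC20-like ledger. A non-zero fee_bps burns that share of every
    transfer, so the recipient receives less than the amount the sender passed in."""

    def __init__(self, fee_bps: int = 0) -> None:
        self.fee_bps = fee_bps
        self.balances: dict[str, int] = {}

    def mint(self, who: str, amount: int) -> None:
        self.balances[who] = self.balance_of(who) + amount

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def transfer(self, sender: str, recipient: str, amount: int) -> int:
        """Moves `amount` out of sender; returns what the recipient actually got."""
        if self.balance_of(sender) < amount:
            raise ValueError(f"{sender} cannot transfer {amount}")
        burned = amount * self.fee_bps // 10_000
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount - burned
        return amount - burned


class Pool:
    """x*y=k pool without a swap fee. With trust_caller_amount=True the pool books
    the amount the caller passed to the swap (the pattern a transfer-fee token
    breaks); with False it books the measured change in its own balance instead."""

    NAME = "pool"

    def __init__(self, tokens: dict[str, Token], trust_caller_amount: bool) -> None:
        self.tokens = tokens
        self.trust_caller_amount = trust_caller_amount
        self.recorded = {sym: 0 for sym in tokens}

    def _pull(self, sender: str, sym: str, amount: int) -> int:
        """Pulls tokens in and returns the amount the pool will book for them."""
        before = self.tokens[sym].balance_of(self.NAME)
        self.tokens[sym].transfer(sender, self.NAME, amount)
        received = self.tokens[sym].balance_of(self.NAME) - before
        return amount if self.trust_caller_amount else received

    def join(self, provider: str, amounts: dict[str, int]) -> None:
        for sym, amount in amounts.items():
            self.recorded[sym] += self._pull(provider, sym, amount)

    def swap_exact_in(self, trader: str, sym_in: str, amount_in: int, sym_out: str) -> int:
        r_in, r_out = self.recorded[sym_in], self.recorded[sym_out]
        booked_in = self._pull(trader, sym_in, amount_in)
        amount_out = r_out * booked_in // (r_in + booked_in)  # keeps recorded x*y
        self.recorded[sym_in] = r_in + booked_in
        self.tokens[sym_out].transfer(self.NAME, trader, amount_out)
        self.recorded[sym_out] = r_out - amount_out
        return amount_out

    def drift(self, sym: str) -> int:
        """Recorded reserve minus the tokens the pool really holds."""
        return self.recorded[sym] - self.tokens[sym].balance_of(self.NAME)

    def sync(self, sym: str) -> None:
        """Re-reads the true balance, as a pool's public sync entry point would."""
        self.recorded[sym] = self.tokens[sym].balance_of(self.NAME)


def round_trips(trust_caller_amount: bool, rounds: int = 20) -> Pool:
    """Runs `rounds` WETH->DEF->WETH round trips and returns the pool for inspection."""
    weth, deflationary = Token(), Token(BURN_BPS)
    weth.mint("lp", 1_000 * 10**18)
    deflationary.mint("lp", 1_000_000 * 10**18)
    weth.mint("trader", 1_000 * 10**18)
    pool = Pool({"WETH": weth, "DEF": deflationary}, trust_caller_amount)
    pool.join("lp", {"WETH": 1_000 * 10**18, "DEF": 1_000_000 * 10**18})
    for _ in range(rounds):
        pool.swap_exact_in("trader", "WETH", 10 * 10**18, "DEF")
        # the trader also lost 1% on the way out, so swap back only what arrived
        pool.swap_exact_in("trader", "DEF", deflationary.balance_of("trader"), "WETH")
    return pool


if __name__ == "__main__":
    for trusting in (True, False):
        pool = round_trips(trusting)
        print(f"trust caller amount={trusting}: recorded DEF={pool.recorded['DEF']}, "
              f"actual DEF={pool.tokens['DEF'].balance_of(pool.NAME)}, "
              f"drift={pool.drift('DEF')}")
```

In the trusting pool the recorded DEF reserve exceeds the real one after the very first deposit and the gap widens with every inbound swap, while the recorded product x*y still looks healthy; a call to `sync` collapses the gap in one step, which is why a pool that relies on arbitrageurs to perform that sync is exposed to whoever can run many swaps and the sync inside one transaction. The pool that books the measured balance delta never drifts, with or without a sync.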

This is NOT a precedent for Balancer Labs reimbursing eventual future losses on the protocol

Let us make this very clear:

Balancer Labs will only reimburse the losses of liquidity providers in this attack because we believe we could and should have done better in avoiding it, given the context of the bug bounty report we received prior to the attack.

This is not setting a precedent to any possible future losses that may happen when using Balancer protocol. There are risks involved in using any smart contract on Ethereum and DeFi. Users must know this and assume the risks.

We'd like to emphasize that no smart contract can guarantee the behavior of a token contract it does not control. Any non-standard behavior may break Balancer pools, including (but of course not limited to): USDC in a pool being frozen by the USDC contract admin, DAI suffering an emergency shutdown, MKR suffering near-infinite supply inflation, etc.

Balancer is public, open source smart contract infrastructure that can be used by anyone. It is totally censorship resistant and permissionless, and Balancer Labs and the Balancer community in general want it to remain so. Balancer Labs will, however, review many of the warning messages and procedures around adding liquidity in customized tokens. We will stress even more the risks of adding liquidity in non-standard ERC20 tokens and, in certain cases, completely blacklist them from our UI.

Conclusion and Next Steps

I want to repeat that we are very sorry to have let you down and promise to do better in the future. Our immediate next actions are, among others:

  • Revamp our bug bounty review process
  • Significantly raise the awards for the different levels of vulnerabilities in the bug bounty program
  • Start a third major audit, now with OpenZeppelin: this was already planned before yesterday's incident
  • Put together, hopefully by the end of the week, a more detailed explanation of how the reimbursement process will be carried out
