How does balancer prevent flash loan attack

How does Balancer prevent flash loan attacks?

Can you describe the type of flash loan attack you have in mind? There’s really nothing to attack. Flash loans can certainly be used for arbitrage on Balancer, but arbitrage is standard behavior that is completely necessary for rebalancing pools properly. Most flash loan attacks exploit oracles or some smart contract logic requiring the use of oracles, and Balancer does not utilize oracles at the protocol level.

Last June, a hacker used gulp() and swapExactAmountIn() to carry out an attack (Attacker steals $500k worth of crypto from Balancer Pool - Decrypt). But after that, Balancer did not update this code. So what I am curious about is what measures they have taken to prevent this attack.

Yes, that attack applied specifically to a deflationary token. Such tokens are officially unsupported by Balancer. It’s a permissionless platform, so anyone can make such a pool, but it will be vulnerable to attack. For that reason, we blacklist all known deflationary tokens from the UI to prevent unknowing users from getting attacked. But there’s nothing else that can be done. There will always be some attack vector present in any permissionless protocol for a token that doesn’t conform to standard behavior, as there are an infinite number of possible nonconformances.

The reason for this is because ERC-20 is not a library that all tokens inherit - it’s a standard that all tokens “should” follow. So the whole ecosystem, out of necessity, makes a bunch of assumptions about how these tokens “should” behave and designs around those desired behaviors. But if a token doesn’t conform to those behaviors, it can be dangerous.

Any tokens knowingly exhibiting incorrect behavior are blacklisted, and only tokens knowingly exhibiting correct behavior are whitelisted. Any token that is neither whitelisted nor blacklisted should be used with caution as its smart contract has not been vetted for compatibility with Balancer. Requests for whitelisting can be made at any time in our #token-requests channel in Discord. The UIs will display warnings for all tokens that have not yet been whitelisted and outright refuse to display tokens that are blacklisted. It’s all we can do to try to keep users safe.

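The answer above says the June 2020 incident came down to a deflationary token violating the ERC-20 assumption that a transfer of `amount` delivers exactly `amount`. The following is an added example (not Balancer's code and not the exploit) that models that failure mode: a tiny constant-product pool with a cached balance record, a `Token` class whose `burn_bps` parameter models a fee-on-transfer token (the 1% burn is a constructed value), a `swap_exact_amount_in` method that either trusts the requested amount (the pattern the thread is discussing) or measures the real `balanceOf` delta (the hardened pattern), and a `gulp` method that resyncs the record with the real balance. Names such as `Pool`, `trust_transfer_amount`, and the token symbols are assumptions made for this illustration.

```python
"""Added simulation (not Balancer's code) of cached-balance drift caused by a
fee-on-transfer ("deflationary") token, and of the balance-delta mitigation."""


class Token:
    """Minimal ERC-20-style ledger. burn_bps > 0 burns part of every transfer,
    so the receiver gets less than the amount the sender asked to move."""

    def __init__(self, name, burn_bps=0):
        self.name, self.burn_bps, self.balances = name, burn_bps, {}

    def mint(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer_from(self, sender, receiver, amount):
        assert self.balance_of(sender) >= amount, "insufficient balance"
        burned = amount * self.burn_bps // 10_000
        self.balances[sender] -= amount
        self.balances[receiver] = self.balance_of(receiver) + amount - burned
        return amount - burned


class Pool:
    """Two-token, equal-weight x*y=k pool that prices swaps from its own cached
    balance records (modelled loosely on a Balancer V1 pool's records)."""

    def __init__(self, name, token_a, token_b, trust_transfer_amount=True):
        self.name = name
        self.tokens = {token_a.name: token_a, token_b.name: token_b}
        self.records = {token_a.name: 0, token_b.name: 0}
        self.trust_transfer_amount = trust_transfer_amount  # assumed toggle

    def bind(self, funder, token, amount):
        token.transfer_from(funder, self.name, amount)
        self.records[token.name] = token.balance_of(self.name)

    def gulp(self, token_name):
        """Resync the cached record with the token's real balance of the pool."""
        self.records[token_name] = self.tokens[token_name].balance_of(self.name)

    def swap_exact_amount_in(self, trader, token_in, amount_in, token_out):
        bal_in, bal_out = self.records[token_in], self.records[token_out]
        tin, tout = self.tokens[token_in], self.tokens[token_out]
        if self.trust_transfer_amount:
            # Vulnerable pattern: assume the full amount_in arrived.
            tin.transfer_from(trader, self.name, amount_in)
            received = amount_in
        else:
            # Hardened pattern: credit only what actually arrived.
            before = tin.balance_of(self.name)
            tin.transfer_from(trader, self.name, amount_in)
            received = tin.balance_of(self.name) - before
        # Constant product without a swap fee, integer arithmetic as on-chain.
        amount_out = bal_out - (bal_in * bal_out) // (bal_in + received)
        tout.transfer_from(self.name, trader, amount_out)
        self.records[token_in] = bal_in + received
        self.records[token_out] = bal_out - amount_out
        return amount_out

    def drift(self, token_name):
        """Cached record minus real balance; nonzero means the pool is lying to itself."""
        return self.records[token_name] - self.tokens[token_name].balance_of(self.name)

    def price_of(self, token, numeraire):
        """Spot price of `token` in units of `numeraire`, from the cached records."""
        return self.records[numeraire] / self.records[token]


def make_pool(trust_transfer_amount):
    weth = Token("WETH")
    sta = Token("STA", burn_bps=100)  # constructed: 1% burned on every transfer
    for who in ("lp", "attacker"):
        weth.mint(who, 1_000_000)
        sta.mint(who, 1_000_000)
    pool = Pool("pool", weth, sta, trust_transfer_amount)
    pool.bind("lp", weth, 100_000)
    pool.bind("lp", sta, 100_000)  # pool really receives 99_000 STA
    return pool


def single_swap(trust_transfer_amount):
    """One 10_000 STA -> WETH swap; returns (WETH paid out, STA record drift)."""
    pool = make_pool(trust_transfer_amount)
    out = pool.swap_exact_amount_in("attacker", "STA", 10_000, "WETH")
    return out, pool.drift("STA")


def round_trips(trust_transfer_amount, rounds):
    """Alternate STA-in and WETH-in swaps; each STA-in swap burns 1% that the
    trusting pool still credits, so its STA record drifts above reality."""
    pool = make_pool(trust_transfer_amount)
    for _ in range(rounds):
        pool.swap_exact_amount_in("attacker", "STA", 10_000, "WETH")
        pool.swap_exact_amount_in("attacker", "WETH", 10_000, "STA")
    return pool


if __name__ == "__main__":
    print("trusting pool:", single_swap(True), "hardened pool:", single_swap(False))
    p = round_trips(True, 5)
    print("STA drift after 5 round trips:", p.drift("STA"))
    before = p.price_of("STA", "WETH")
    p.gulp("STA")
    print("STA price in WETH before/after gulp:", before, p.price_of("STA", "WETH"))
```

The trusting pool overpays on the very first swap (it credits 10,000 STA although only 9,900 arrived) and its STA record climbs 100 above the real balance per STA-in swap; the hardened pool's record never drifts. Calling `gulp()` on the trusting pool snaps the record back down, which makes the cached STA price jump, illustrating why a pool that resynchronises a drifted record on demand is dangerous with a non-conforming token and why token whitelisting, as the answer describes, is the practical defence at the UI layer.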