Balancer 被盗 1.2 亿美元漏洞技术分析

Solidity
function onSwap(
SwapRequest memory swapRequest,
uint256[] memory balances,
uint256 indexIn,
uint256 indexOut
) external override onlyVault(swapRequest.poolId) returns (uint256) {
_beforeSwapJoinExit();

_validateIndexes(indexIn, indexOut, _getTotalTokens());
uint256[] memory scalingFactors = _scalingFactors();

return
swapRequest.kind == IVault.SwapKind.GIVEN_IN
? _swapGivenIn(swapRequest, balances, indexIn, indexOut, scalingFactors)
: _swapGivenOut(swapRequest, balances, indexIn, indexOut, scalingFactors);
}

Solidity
BPT 价格 = D / totalSupply

其中 D = 不变值（Invariant），来自 Curve 的 StableSwap 模型

Solidity
// StableMath._calcOutGivenIn
function _calcOutGivenIn(
uint256 amplificationParameter,
uint256[] memory balances,
uint256 tokenIndexIn,
uint256 tokenIndexOut,
uint256 tokenAmountIn,
uint256 invariant
) internal pure returns (uint256) {
/**************************************************************************************************************
// outGivenIn token x for y - polynomial equation to solve//
// ay = amount out to calculate//
// by = balance token out//
// y = by - ay (finalBalanceOut)//
// D = invariantDD^(n 1)//
// A = amplification coefficienty^2 ( S ----------- D) * y -------------- = 0//
// n = number of tokens(A * n^n)A * n^2n * P//
// S = sum of final balances but y//
// P = product of final balances but y//
**************************************************************************************************************/

// Amount out, so we round down overall.
balances[tokenIndexIn] = balances[tokenIndexIn].add(tokenAmountIn);

uint256 finalBalanceOut = _getTokenBalanceGivenInvariantAndAllOtherBalances(
amplificationParameter,
balances,
invariant,// 使用旧的D
tokenIndexOut
);

// No need to use checked arithmetic since `tokenAmountIn` was actually added to the same balance right before
// calling `_getTokenBalanceGivenInvariantAndAllOtherBalances` which doesn't alter the balances array.
balances[tokenIndexIn] = balances[tokenIndexIn] - tokenAmountIn;

return balances[tokenIndexOut].sub(finalBalanceOut).sub(1);
}

Solidity
// StableMath._calculateInvariant
function _calculateInvariant(uint256 amplificationParameter, uint256[] memory balances)
internal
pure
returns (uint256)
{
/**********************************************************************************************
// invariant//
// D = invariantD^(n 1)//
// A = amplification coefficientAn^n S D = A D n^n -----------//
// S = sum of balancesn^n P//
// P = product of balances//
// n = number of tokens//
**********************************************************************************************/

// Always round down, to match Vyper's arithmetic (which always truncates).

uint256 sum = 0; // S in the Curve version
uint256 numTokens = balances.length;
for (uint256 i = 0; i < numTokens; i ) {
sum = sum.add(balances[i]); // balances 是缩放后的值
}
if (sum == 0) {
return 0;
}

uint256 prevInvariant; // Dprev in the Curve version
uint256 invariant = sum; // D in the Curve version
uint256 ampTimesTotal = amplificationParameter * numTokens; // Ann in the Curve version

// 迭代计算 D...
// D 的计算影响 balances 的精度
for (uint256 i = 0; i < 255; i ) {
uint256 D_P = invariant;

for (uint256 j = 0; j < numTokens; j ) {
// (D_P * invariant) / (balances[j] * numTokens)
D_P = Math.divDown(Math.mul(D_P, invariant), Math.mul(balances[j], numTokens));
}

prevInvariant = invariant;

invariant = Math.divDown(
Math.mul(
// (ampTimesTotal * sum) / AMP_PRECISION D_P * numTokens
(Math.divDown(Math.mul(ampTimesTotal, sum), _AMP_PRECISION).add(Math.mul(D_P, numTokens))),
invariant
),
// ((ampTimesTotal - _AMP_PRECISION) * invariant) / _AMP_PRECISION (numTokens 1) * D_P
(
Math.divDown(Math.mul((ampTimesTotal - _AMP_PRECISION), invariant), _AMP_PRECISION).add(
Math.mul((numTokens 1), D_P)
)
)
);

if (invariant > prevInvariant) {
if (invariant - prevInvariant <= 1) {
return invariant;
}
} else if (prevInvariant - invariant <= 1) {
return invariant;
}
}

_revert(Errors.STABLE_INVARIANT_DIDNT_CONVERGE);
}

Solidity
// BaseGeneralPool._swapGivenIn
function _swapGivenIn(
SwapRequest memory swapRequest,
uint256[] memory balances,
uint256 indexIn,
uint256 indexOut,
uint256[] memory scalingFactors
) internal virtual returns (uint256) {
// Fees are subtracted before scaling, to reduce the complexity of the rounding direction analysis.
swapRequest.amount = _subtractSwapFeeAmount(swapRequest.amount);

_upscaleArray(balances, scalingFactors);// 关键：放大余额
swapRequest.amount = _upscale(swapRequest.amount, scalingFactors[indexIn]);

uint256 amountOut = _onSwapGivenIn(swapRequest, balances, indexIn, indexOut);

// amountOut tokens are exiting the Pool, so we round down.
return _downscaleDown(amountOut, scalingFactors[indexOut]);
}

Solidity
// ScalingHelpers.sol
function _upscaleArray(uint256[] memory amounts, uint256[] memory scalingFactors) pure {
uint256 length = amounts.length;
InputHelpers.ensureInputLengthMatch(length, scalingFactors.length);

for (uint256 i = 0; i < length; i) {
amounts[i] = FixedPoint.mulDown(amounts[i], scalingFactors[i]); // 向下舍入
}
}

// FixedPoint.mulDown
function mulDown(uint256 a, uint256 b) internal pure returns (uint256) {
uint256 product = a * b;
_require(a == 0 || product / a == b, Errors.MUL_OVERFLOW);

return product / ONE; // 向下舍入：直接截断
}

Plain Text
攻击者: BPT → cbETH
目标: 使 cbETH 余额调整到舍入边界（如末位是 9）

假设初始状态:
cbETH 余额（原始）: ...000000000009 wei (末位是 9)

Plain Text
攻击者: wstETH (8 wei) → cbETH

缩放前:
cbETH 余额: ...000000000009 wei
wstETH 输入: 8 wei

执行 _upscaleArray:
// cbETH 缩放: 9 * 1e18 / 1e18 = 9
// 但如果实际值是 9.5，由于向下舍入变成 9
scaled_cbETH = floor(9.5) = 9

精度损失: 0.5 / 9.5 = 5.3% 的相对误差

计算交换:
输入 (wstETH): 8 wei (缩放后)
余额 (cbETH): 9 (错误，应该是 9.5)

由于 cbETH 被低估，计算出的新余额也会被低估
导致 D 计算错误:
D_original = f(9.5, ...)
D_new = f(9, ...)< D_original

Plain Text
攻击者: 底层资产 → BPT

此时:
D_new = D_original - ΔD
BPT 价格 = D_new / totalSupply < D_original / totalSupply

攻击者用较少的底层资产换得相同数量的 BPT
或用相同的底层资产换得更多的 BPT

Solidity
// Vault 调用 onSwap 时的逻辑
function _processGeneralPoolSwapRequest(IPoolSwapStructs.SwapRequest memory request, IGeneralPool pool)
private
returns (uint256 amountCalculated)
{
bytes32 tokenInBalance;
bytes32 tokenOutBalance;

// We access both token indexes without checking existence, because we will do it manually immediately after.
EnumerableMap.IERC20ToBytes32Map storage poolBalances = _generalPoolsBalances[request.poolId];
uint256 indexIn = poolBalances.unchecked_indexOf(request.tokenIn);
uint256 indexOut = poolBalances.unchecked_indexOf(request.tokenOut);

if (indexIn == 0 || indexOut == 0) {
// The tokens might not be registered because the Pool itself is not registered. We check this to provide a
// more accurate revert reason.
_ensureRegisteredPool(request.poolId);
_revert(Errors.TOKEN_NOT_REGISTERED);
}

// EnumerableMap stores indices *plus one* to use the zero index as a sentinel value - because these are valid,
// we can undo this.
indexIn -= 1;
indexOut -= 1;

uint256 tokenAmount = poolBalances.length();
uint256[] memory currentBalances = new uint256[](tokenAmount);

request.lastChangeBlock = 0;
for (uint256 i = 0; i < tokenAmount; i ) {
// Because the iteration is bounded by `tokenAmount`, and no tokens are registered or deregistered here, we
// know `i` is a valid token index and can use `unchecked_valueAt` to save storage reads.
bytes32 balance = poolBalances.unchecked_valueAt(i);

currentBalances[i] = balance.total(); // 从存储读取
request.lastChangeBlock = Math.max(request.lastChangeBlock, balance.lastChangeBlock());

if (i == indexIn) {
tokenInBalance = balance;
} else if (i == indexOut) {
tokenOutBalance = balance;
}
}

// 执行交换
// Perform the swap request callback and compute the new balances for 'token in' and 'token out' after the swap
amountCalculated = pool.onSwap(request, currentBalances, indexIn, indexOut);
(uint256 amountIn, uint256 amountOut) = _getAmounts(request.kind, request.amount, amountCalculated);
tokenInBalance = tokenInBalance.increaseCash(amountIn);
tokenOutBalance = tokenOutBalance.decreaseCash(amountOut);

// 更新存储
// Because no tokens were registered or deregistered between now or when we retrieved the indexes for
// 'token in' and 'token out', we can use `unchecked_setAt` to save storage reads.
poolBalances.unchecked_setAt(indexIn, tokenInBalance);
poolBalances.unchecked_setAt(indexOut, tokenOutBalance);
}

Solidity
// BaseGeneralPool._swapGivenIn
function _swapGivenIn(
SwapRequest memory swapRequest,
uint256[] memory balances,
uint256 indexIn,
uint256 indexOut,
uint256[] memory scalingFactors
) internal virtual returns (uint256) {
// Fees are subtracted before scaling, to reduce the complexity of the rounding direction analysis.
swapRequest.amount = _subtractSwapFeeAmount(swapRequest.amount);

_upscaleArray(balances, scalingFactors); // 原地修改数组
swapRequest.amount = _upscale(swapRequest.amount, scalingFactors[indexIn]);

uint256 amountOut = _onSwapGivenIn(swapRequest, balances, indexIn, indexOut);

// amountOut tokens are exiting the Pool, so we round down.
return _downscaleDown(amountOut, scalingFactors[indexOut]);
}
// 虽然 Vault 每次传入新数组，但：
// 1. 如果余额很小（8-9 wei），缩放时精度损失大
// 2. 在 Batch Swap 中，后续交换基于已损失精度的余额继续计算
// 3. 没有验证不变值 D 的变化是否在合理范围内