[BIP-794] Enable Composable Stable Pool Pause functionality to Hypernative

PR with Payload

HYPERNATIVE – Balancer V2 Protocol

Version: 1.0

Updated: 20 January 2025

Summary

We propose to be given the authority to pause composable stable pools for Balancer v2, by installing a safe module to the Emergency SubDAO multi-sig to allow for quick threat mitigation and securing of funds in case of a security incident with Balancer.

Motivation

Given that composable stable pools on Balancer hold a significant amount of TVL, it is crucial to improve security measures. One of these measures is the possibility to pause a specific pool type. Upon pausing, it is not possible to trade in a pool but proportional withdrawals are still possible. Installing a safe module managed by Hypernative’s real-time monitoring platform will enhance the resiliency and security of the protocol and augment the team’s security operations while minimizing the risk of hacks and exploits and loss of funds, and preventing catastrophic loss, to create long-term sustainable growth.

Specification

The Balancer Emergency subDAO Safe on each network will install a safe Module to enable Hypernative to pause pools. A Module is a smart contract that executes a predefined set of instructions on behalf of the Safe address, pre-approved by the Safe signers, and capable of executing these instructions automatically. In this case, the instruction is to call the pause method for each Balancer pool. The module is attached via the Safe’s enableModule function.

The Safe Module is triggered by hacks or exploits detected in Balancer’s contracts by the Hypernative system. Hypernative scans blockchains in real-time and detects hacks & exploits using its machine learning model, from the moment of a deployed malicious smart contract targeting Balancer’s contracts to executing malicious transactions.

The list of pools is automatically updated whenever the PoolRegistered event is emitted on-chain, though the Balancer team can override this list if necessary.

Enabling the Safe Module: Sepolia Transaction Hash (Txhash) Details | Etherscan

Currently deployed Balancer pools:
https://dune.com/queries/4080393

Only CSPv6 pools are pausable, currently deployed on:

  • Ethereum
  • Base
  • Optimism
  • Polygon
  • Gnosis
  • Arbitrum
  • Avalanche
  • zkEVM

Corresponding modules will be configured on the above chains

Payload:

Function: execTransaction(address to, uint256 value, bytes data, uint8 operation, uint256 safeTxGas, uint256 baseGas, uint256 gasPrice, address gasToken, address refundReceiver, bytes signatures)

MethodID: 0x6a761202

Risk Assessment and Testing

Before coming forward with this proposal, a rigorous internal test has been conducted.

Key Components of the Test:

  1. Test Environment: The test was conducted on the Sepolia testnet to simulate a scenario where Balancer core contracts are compromised, requiring an emergency response to pause vaults.
  2. Watchlist Creation: Hypernative created a watchlist to monitor for hacks and exploits targeting Balancer’s core contracts and associated vaults. This watchlist is dynamic, automatically updating with each new vault created.
  3. Vault Monitoring: Hypernative’s system automatically adds new vaults to the watchlist by monitoring transactions where new pools are added.
  4. Emergency Pausing Mechanism: A function to pause all vaults is integrated into the system. For the demonstration, the Sepolia contract used was 0x4c2e985ccd0125afbd92d76b6738ec0afa01011b, and this functionality is connected to Balancer’s multisig, enabling centralized oversight and triggering during emergencies.
  5. Scenario Simulation:
     • Multiple vaults were deployed on the Sepolia testnet to simulate the operational environment.
     • An event was triggered, simulating a hack or exploit targeting Balancer core contracts.
     • Hypernative’s automated system detected the threat and initiated the pausing mechanism.
  6. Outcome:
     • All vaults on the watchlist were successfully paused in a timely manner, without requiring manual intervention.
     • Transaction Hash for the successful pausing: 0xf9a2d8d30cf87c2df2e2b46f679873959db118200f6662a07423ac2ef4c8ec3e
  7. Hypernative’s Role:
     • Hypernative acted as a Keeper, with no privileges on the contracts beyond the ability to pause them.
     • Hypernative Keeper Address: 0x3f2e8a2bf3237c3cb36d75e3ab8590c55e2d6f33

Technical Specification:

Balancer v2 emergency response - pausing CSPv6

Balancer wallets:

Deployed modules:

Ethereum: BalancerHelper | Address 0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56 | Etherscan
Arbitrum: https://arbiscan.io/address/0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56#code
Base: https://basescan.org/address/0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56#code
Optimism: BalancerHelper | Address 0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56 | OP Mainnet Etherscan
Polygon: BalancerHelper | Address 0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56 | PolygonScan
Avalanche: https://snowtrace.io/address/0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56#code
Mode: https://explorer-mode-mainnet-0.t.conduit.xyz:443/address/0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56#code
Gnosis: BalancerHelper | Address 0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56 | GnosisScan
Fraxtal: Fraxscan
zkEVM: BalancerHelper | Address 0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56 | Polygon zkEVM

Chain | Emergency wallet | Module
Ethereum | 0xA29F61256e948F3FB707b4b3B138C5cCb9EF9888 | 0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56
Polygon | 0x3c58668054c299bE836a0bBB028Bee3aD4724846 | 0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56
Arbitrum | 0xf404C5a0c02397f0908A3524fc5eb84e68Bbe60D | 0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56
Optimism | 0xd4c87b33afcE39F1E3F4aF1ce8fFFF7241d9128B | 0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56
zkEVM | 0x79b131498355daa2cC740936fcb9A7dF76A86223 | 0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56
Avalanche | 0x308f8d3536261C32c97D2f85ddc357f5cCdF33F0 | 0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56
Gnosis | 0xd6110A7756080a4e3BCF4e7EBBCA8E8aDFBC9962 | 0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56
Base | 0x183C55A0dc7A7Da0f3581997e764D85Fd9E9f63a | 0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56
Mode | 0x66C4b8Ba38a7B57495b7D0581f25784E629516c2 | 0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56
Fraxtal | 0xC66d0Ba27b8309D27cCa70064dfb40b73DB6de9E | 0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56

Payloads:

  • On Base: DAO emergency multisig 0x183C55A0dc7A7Da0f3581997e764D85Fd9E9f63a on Base will call enableModule(0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56) on itself
  • On Ethereum: DAO emergency multisig 0xA29F61256e948F3FB707b4b3B138C5cCb9EF9888 on Ethereum will call enableModule(0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56) on itself
  • On Polygon: DAO emergency multisig 0x3c58668054c299bE836a0bBB028Bee3aD4724846 on Polygon will call enableModule(0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56) on itself
  • On Arbitrum: DAO emergency multisig 0xf404C5a0c02397f0908A3524fc5eb84e68Bbe60D on Arbitrum will call enableModule(0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56) on itself
  • On Optimism: DAO emergency multisig 0xd4c87b33afcE39F1E3F4aF1ce8fFFF7241d9128B on Optimism will call enableModule(0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56) on itself
  • On zkEVM: DAO emergency multisig 0x79b131498355daa2cC740936fcb9A7dF76A86223 on zkEVM will call enableModule(0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56) on itself
  • On Avalanche: DAO emergency multisig 0x308f8d3536261C32c97D2f85ddc357f5cCdF33F0 on Avalanche will call enableModule(0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56) on itself
  • On Gnosis: DAO emergency multisig 0xd6110A7756080a4e3BCF4e7EBBCA8E8aDFBC9962 on Gnosis will call enableModule(0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56) on itself
  • On Mode: DAO emergency multisig 0x66C4b8Ba38a7B57495b7D0581f25784E629516c2 on Mode will call enableModule(0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56) on itself
  • On Fraxtal: DAO emergency multisig 0xC66d0Ba27b8309D27cCa70064dfb40b73DB6de9E on Fraxtal will call enableModule(0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56) on itself

Edit Maxis:

  • Replace specifications with newly deployed module
4 Likes
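
A reviewer-side check for the payloads listed in the proposal above, added here as an example (not code from the proposal, Hypernative or Balancer): it confirms that each transaction is a plain self-call on the chain's emergency Safe whose calldata is exactly enableModule for the reviewed module address. The addresses are copied from the page; the enableModule(address) selector 0x610b5925, the transaction dict shape and the sample transactions are assumptions or constructed.

```python
# Added example: review check for the enableModule payloads listed in this proposal.
ENABLE_MODULE_SELECTOR = "610b5925"  # Safe enableModule(address); value not printed on the page
MODULE = "0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56"  # module address from the page
EMERGENCY_SAFES = {  # chain -> emergency Safe, copied from the page's table
    "Ethereum": "0xA29F61256e948F3FB707b4b3B138C5cCb9EF9888",
    "Polygon": "0x3c58668054c299bE836a0bBB028Bee3aD4724846",
    "Arbitrum": "0xf404C5a0c02397f0908A3524fc5eb84e68Bbe60D",
    "Optimism": "0xd4c87b33afcE39F1E3F4aF1ce8fFFF7241d9128B",
    "zkEVM": "0x79b131498355daa2cC740936fcb9A7dF76A86223",
    "Avalanche": "0x308f8d3536261C32c97D2f85ddc357f5cCdF33F0",
    "Gnosis": "0xd6110A7756080a4e3BCF4e7EBBCA8E8aDFBC9962",
    "Base": "0x183C55A0dc7A7Da0f3581997e764D85Fd9E9f63a",
    "Mode": "0x66C4b8Ba38a7B57495b7D0581f25784E629516c2",
    "Fraxtal": "0xC66d0Ba27b8309D27cCa70064dfb40b73DB6de9E",
}

def expected_calldata(module: str) -> str:
    """ABI-encode enableModule(address): selector + address left-padded to 32 bytes."""
    return "0x" + ENABLE_MODULE_SELECTOR + module[2:].lower().rjust(64, "0")

def check_tx(chain: str, tx: dict) -> list:
    """Return findings for one payload transaction; an empty list means it matches."""
    safe = EMERGENCY_SAFES.get(chain)
    if safe is None:
        return [f"{chain}: no emergency Safe on record"]
    findings = []
    if tx["to"].lower() != safe.lower():
        findings.append("target is not this chain's emergency Safe (must be a self-call)")
    if int(tx.get("value", 0)) != 0:
        findings.append("non-zero value")
    if tx.get("operation", 0) != 0:
        findings.append("operation is not CALL (1 would be DELEGATECALL)")
    data = tx["data"].lower()
    if len(data) != 74 or not data.startswith("0x" + ENABLE_MODULE_SELECTOR):
        findings.append("calldata is not a single enableModule(address) call")
    elif data != expected_calldata(MODULE):
        findings.append(f"address argument 0x{data[10:]} is not the reviewed module")
    return findings

# Constructed sample transactions (hypothetical dict shape, not the BIP's payload files).
GOOD = {"to": EMERGENCY_SAFES["Base"], "value": "0", "operation": 0,
        "data": expected_calldata(MODULE)}
BAD = dict(GOOD, data=expected_calldata("0x" + "11" * 20))  # same call, different module

if __name__ == "__main__":
    for name, tx in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_tx("Base", tx) or "ok")
```
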

We have been working with Hypernative for a while to test and deploy this important security integration. Excited to finally get this into production. This is the first of many more security enhancements for our protocol! In full support!

2 Likes

@adizepkowitz has this module been audited? could you share its repo?

2 Likes

because iiuc this allows for a 0x8456cb59 (pause()) call from the emergency multisig on any arbitrary contract, for which the addresses can be added by you. no real check is in place to confirm that the address added via module.addPool is indeed a pool for example?

2 Likes

https://snapshot.box/#/s:balancer.eth/proposal/0x6809b963e2bd2d5c0f2bf4756105d140587e5bc8b8088dc632fe252617d5f1d5

This BIP’s goal is excellent. Can we clarify the following points?

  • Is there any proof Hypernative controls the 0x3f2e8a2bf3237c3cb36d75e3ab8590c55e2d6f33 address? It is a new address on all chains, not even funded.

  • Why does the module need to be able to change the safe and vault address? The fewer moving pieces the better.

1 Like

Following Gosuto’s question: we weren’t able to find a potential way to leverage this behaviour; however, we changed the way pools are being added to the pools array. Now the poolId should be specified, and the pool address of the submitted poolId is retrieved from the Balancer Vault.
Furthermore, we have done an audit process with Quantstamp; here’s the report.
As for 0xahtle7’s concerns:

  1. We can send the following message to ourselves on mainnet: “This is Hypernative address to interact with the Balancer Emergency Module”

  2. The only entity that is able to change the Safe address that the module is interacting with is the Balancer Emergency Safe, as it’s protected with the onlySafe modifier. Furthermore, the change won’t take effect if the new Multisig won’t explicitly call enableModule(address module), specifying the module address to enable, and ofc this call has to be signed under the requirement of the new Safe signers. The module isn’t able to change anything, but the Balancer Safe has the permission to change the protected Safe address, in case Balancer are migrating to a new Safe, i.e.

2 Likes

Adding the link to the Quantstamp audit report:

https://drive.google.com/file/d/1sCFjybuedLjChbgbaNazoqqk26HFdGW4/view

1 Like

confirming final audited version of BalancerHelper.sol at commit 621d615 matches deployed contract at 0xbaEa4E4A47a3b88e03C003DE6Baf8F5404DA9d56 (besides some changed comments)