[BIP-XXX] Enable Composable Stable Pool Pause functionality to Hypernative

PR with Payload

HYPERNATIVE – Balancer V2 Protocol

Version: 1.0

Updated: 20 January 2025

Summary

We propose to be given the authority to pause composable stable pools for Balancer v2, by installing a safe module to the Emergency SubDAO multi-sig to allow for quick threat mitigation and securing of funds in case of a security incident with Balancer.

Motivation

Given that composable stable pools on Balancer hold a significant amount of TVL, it is crucial to improve security measures. One of these measures is the possibility to pause a specific pool type. Upon pausing, it is not possible to trade in a pool but proportional withdrawals are still possible. By installing a safe module managed by Hypernative’s real-time monitoring platform will enhance the resiliency and security of the protocol and augment the team’s security operations while minimizing the risk of hacks and exploits, loss of funds and prevent catastrophic loss to create long-term sustainable growth.

Specification

The Balancer Emergency subDAO Safe on each network will install a safe Module to enable Hypernative to pause pools. A Module is a smart contract that executes a predefined set of instructions on behalf of the Safe address, pre-approved by the Safe signers, and capable of executing these instructions automatically. In this case, the instruction is to call the pause method for each Balancer pool. The module is attached via the Safe’s enableModule function.

The Safe Module is triggered by hacks or exploits detected in Balancer’s contracts by the Hypernative system. Hypernative scans blockchains in real-time and detects hacks & exploits using its machine learning model, from the moment of a deployed malicious smart contract targeting Balancer’s contracts to executing malicious transactions.

The list of pools is automatically updated whenever the PoolRegistered event is emitted on-chain, though the Balancer team can override this list if necessary.

Enabling the Safe Module: Sepolia Transaction Hash (Txhash) Details | Etherscan

Currently deployed Balancer pools:
https://dune.com/queries/4080393

Only CSPv6 pools are pausable, currently deployed on:

  • Ethereum
  • Base
  • Optimism
  • Polygon
  • Gnosis
  • Arbitrum
  • Avalanche
  • zkEVM

Corresponding modules will be configured on the above chains

Payload:

Function: execTransaction(address to, uint256 value, bytes data, uint8 operation, uint256 safeTxGas, uint256 baseGas, uint256 gasPrice, address gasToken, address refundReceiver, bytes signatures) ***

MethodID: 0x6a761202

Risk Assessment and Testing

Before coming forward with this proposal, a rigorous internal test has been conducted.

Key Components of the Test:

  1. Test Environment: The test was conducted on the Sepolia testnet to simulate a scenario where Balancer core contracts are compromised, requiring an emergency response to pause vaults.
  2. Watchlist Creation: Hypernative created a watchlist to monitor for hacks and exploits targeting Balancer’s core contracts and associated vaults. This watchlist is dynamic, automatically updating with each new vault created.
  3. Vault Monitoring: Hypernative’s system automatically adds new vaults to the watchlist by monitoring transactions where new pools are added.
  4. Emergency Pausing Mechanism: A function to pause all vaults is integrated into the system. For the demonstration, the Sepolia contract used was 0x4c2e985ccd0125afbd92d76b6738ec0afa01011b, and this functionality is connected to Balancer’s multisig, enabling centralized oversight and triggering during emergencies.
  5. Scenario Simulation:
  • Multiple vaults were deployed on the Sepolia testnet to simulate the operational environment.
  • An event was triggered, simulating a hack or exploit targeting Balancer core contracts.
  • Hypernative’s automated system detected the threat and initiated the pausing mechanism.
  1. Outcome:
  • All vaults on the watchlist were successfully paused in a timely manner, without requiring manual intervention.
  • Transaction Hash for the successful pausing: 0xf9a2d8d30cf87c2df2e2b46f679873959db118200f6662a07423ac2ef4c8ec3e
  1. Hypernative’s Role:
  • Hypernative acted as a Keeper, with no privileges on the contracts beyond the ability to pause them.
  • Hypernative Keeper Address: 0x3f2e8a2bf3237c3cb36d75e3ab8590c55e2d6f33

Technical Specification:

Balancer v2 emergency response - pausing CSPv6

Balancer wallets:

Deployed modules:

Base:

https://basescan.org/address/0x5afa3071fa5d3d54eee878ee8bc41e9a768072b6#code

Ethereum: BalancerHelper | Address 0x5Afa3071Fa5D3d54EeE878Ee8Bc41e9A768072B6 | Etherscan

Polygon: BalancerHelper | Address 0x5Afa3071Fa5D3d54EeE878Ee8Bc41e9A768072B6 | PolygonScan

Optimism: BalancerHelper | Address 0x5Afa3071Fa5D3d54EeE878Ee8Bc41e9A768072B6 | OP Mainnet Etherscan

Arbitrum: https://arbiscan.io/address/0x5Afa3071Fa5D3d54EeE878Ee8Bc41e9A768072B6#code

Avalanche: https://snowtrace.io/address/0x5Afa3071Fa5D3d54EeE878Ee8Bc41e9A768072B6/contract/43114/code

Gnosis: BalancerHelper | Address 0x5afa3071fa5d3d54eee878ee8bc41e9a768072b6 | GnosisScan

Mode: Mode address details for 0x5Afa3071Fa5D3d54EeE878Ee8Bc41e9A768072B6 | Blockscout

Fraxtal: BalancerHelper | Address 0x5afa3071fa5d3d54eee878ee8bc41e9a768072b6 | Fraxscan

zkEVM: BalancerHelper | Address 0x5afa3071fa5d3d54eee878ee8bc41e9a768072b6 | Polygon zkEVM

Chain Emergency wallet Module
Ethereum 0xA29F61256e948F3FB707b4b3B138C5cCb9EF9888 0x5Afa3071Fa5D3d54EeE878Ee8Bc41e9A768072B6
Polygon 0x3c58668054c299bE836a0bBB028Bee3aD4724846 0x5Afa3071Fa5D3d54EeE878Ee8Bc41e9A768072B6
Arbitrum 0xf404C5a0c02397f0908A3524fc5eb84e68Bbe60D 0x5Afa3071Fa5D3d54EeE878Ee8Bc41e9A768072B6
Optimism 0xd4c87b33afcE39F1E3F4aF1ce8fFFF7241d9128B 0x5Afa3071Fa5D3d54EeE878Ee8Bc41e9A768072B6
zkEVM 0x79b131498355daa2cC740936fcb9A7dF76A86223 0x5afa3071fa5d3d54eee878ee8bc41e9a768072b6
Avalanche 0x308f8d3536261C32c97D2f85ddc357f5cCdF33F0 0x5Afa3071Fa5D3d54EeE878Ee8Bc41e9A768072B6
Gnosis 0xd6110A7756080a4e3BCF4e7EBBCA8E8aDFBC9962 0x5afa3071fa5d3d54eee878ee8bc41e9a768072b6
Base 0x183C55A0dc7A7Da0f3581997e764D85Fd9E9f63a 0x5afa3071fa5d3d54eee878ee8bc41e9a768072b6
Mode 0x66C4b8Ba38a7B57495b7D0581f25784E629516c2 0x5afa3071fa5d3d54eee878ee8bc41e9a768072b6
Fraxtal 0xC66d0Ba27b8309D27cCa70064dfb40b73DB6de9E 0x5afa3071fa5d3d54eee878ee8bc41e9a768072b6

Payloads:

  • On Base: DAO emergency multisig 0x183C55A0dc7A7Da0f3581997e764D85Fd9E9f63a on Base will call enableModule(0x5afa3071fa5d3d54eee878ee8bc41e9a768072b6) on itself
  • On Ethereum: DAO emergency multisig 0xA29F61256e948F3FB707b4b3B138C5cCb9EF9888 on Ethereum will call enableModule(0x5afa3071fa5d3d54eee878ee8bc41e9a768072b6) on itself
  • On Polygon: DAO emergency multisig 0x3c58668054c299bE836a0bBB028Bee3aD4724846 on Polygon will call enableModule(0x5afa3071fa5d3d54eee878ee8bc41e9a768072b6) on itself
  • On Arbitrum: DAO emergency multisig 0xf404C5a0c02397f0908A3524fc5eb84e68Bbe60D on Arbitrum will call enableModule(0x5afa3071fa5d3d54eee878ee8bc41e9a768072b6) on itself
  • On Optimism: DAO emergency multisig 0xd4c87b33afcE39F1E3F4aF1ce8fFFF7241d9128B on Optimism will call enableModule(0x5afa3071fa5d3d54eee878ee8bc41e9a768072b6) on itself
  • On zkEVM: DAO emergency multisig 0x79b131498355daa2cC740936fcb9A7dF76A86223 on zkEVM will call enableModule(0x5afa3071fa5d3d54eee878ee8bc41e9a768072b6) on itself
  • On Avalanche: DAO emergency multisig 0x308f8d3536261C32c97D2f85ddc357f5cCdF33F0 on Avalanche will call enableModule(0x5afa3071fa5d3d54eee878ee8bc41e9a768072b6) on itself
  • On Gnosis: DAO emergency multisig 0xd6110A7756080a4e3BCF4e7EBBCA8E8aDFBC9962 on Gnosis will call enableModule(0x5afa3071fa5d3d54eee878ee8bc41e9a768072b6) on itself
  • On Mode: DAO emergency multisig 0x66C4b8Ba38a7B57495b7D0581f25784E629516c2 on Mode will call enableModule(0x5afa3071fa5d3d54eee878ee8bc41e9a768072b6) on itself
  • On Fraxtal: DAO emergency multisig 0xC66d0Ba27b8309D27cCa70064dfb40b73DB6de9E on Fraxtal will call enableModule(0x5afa3071fa5d3d54eee878ee8bc41e9a768072b6) on itself
4 Likes

We have been working with Hypernative for a while to test and deploy this important security integration. Excited to finally get this into production. This is the first of many more security enhancements for our protocol! In full support!

2 Likes

@adizepkowitz has this module been audited? could you share its repo?

2 Likes

because iiuc this allows for a 0x8456cb59 (pause()) call from the emergency multisig on any arbitrary contract, for which the addresses can be added by you. no real check is in place to confirm that the address added via module.addPool is indeed a pool for example?

2 Likes