Overview
Hidden Balance Update vulnerabilities allow malicious contracts to modify token balances without proper authorization or transparency, enabling theft and manipulation.
Balance manipulation attacks are particularly dangerous because they can be difficult to detect - transactions appear normal while balances are secretly altered.
Types of Hidden Balance Updates
Direct Balance Manipulation
Modifying the balance mapping directly without proper mint/burn/transfer operations.
Risk: Balances can be changed arbitrarily without any record.
Conditional Balance Modification
Balance changes triggered by hidden conditions.
Risk: Conditions activate malicious behavior after initial scrutiny period.
Rebasing Without Events
Modifying balances through rebasing mechanics without proper events.
Risk: User balances change without any on-chain record.
Balance Override in View Functions
Returning incorrect balances in view functions.
Risk: Displayed balances don’t match actual holdings.
Safe Patterns
Transparent Balance Updates
Transparent Rebasing
API Response Example
Red Flags