Skip to main content

Overview

Hidden Balance Update vulnerabilities allow malicious contracts to modify token balances without proper authorization or transparency, enabling theft and manipulation.
Balance manipulation attacks are particularly dangerous because they can be difficult to detect - transactions appear normal while balances are secretly altered.

Types of Hidden Balance Updates

Direct Balance Manipulation

Modifying the balance mapping directly without proper mint/burn/transfer operations.
Risk: Balances can be changed arbitrarily without any record.

Conditional Balance Modification

Balance changes triggered by hidden conditions.
Risk: Conditions activate malicious behavior after initial scrutiny period.

Rebasing Without Events

Modifying balances through rebasing mechanics without proper events.
Risk: User balances change without any on-chain record.

Balance Override in View Functions

Returning incorrect balances in view functions.
Risk: Displayed balances don’t match actual holdings.

Safe Patterns

Transparent Balance Updates

Transparent Rebasing

Detection Tags

API Response Example

Red Flags

  • Direct writes to _balances mapping outside standard functions
  • Missing Transfer events on balance changes
  • Conditional logic that modifies balances
  • balanceOf returning different values than stored
  • Time-delayed balance modification logic