$116 Million Lost: Balancer DeFi Protocol Hit by Catastrophic Exploit

Key Takeaways
- DEX and AMM platform Balancer has suffered an exploit on its main token vault, resulting in the attackers draining assets worth $116 million across Ether, Sonic, Polygon, and Base pools. The funds have since been moved to a newly created address.
- The exploit occurred on Balancer v2’s core smart contract, which had a faulty access control, allowing the attacker to issue a withdrawal command without holding the required permissions. 6,850 OSETH, 6,590 WETH, and 4,260 wSTETH have been drained so far, with other platforms deployed on Balancer’s smart contract at risk.
- Balancer has offered 20% of the stolen assets as a white hat bounty if the full amount is returned within 48 hours. The team is working with law enforcement and blockchain sleuths to identify the culprit.
Balancer, a popular Ethereum-based decentralized exchange (DEX) and automated market maker (AMM) platform, appears to have been hit by a major exploit, with more than $116 million in various digital assets being drained to a newly created wallet.
According to Etherscan data, the DeFi protocol was exploited for $70.9 million in various liquid-staked Ether, which was then transferred to a fresh wallet across three transactions.
The attack on Balancer V2 pools resulted in the transfer of 6,850 StakeWise Staked ETH (OSETH), 6,590 Wrapped Ether (WETH), and 4,260 Lido wstETH (wSTETH), blockchain intelligence firm Nansen said in a Monday X post. The exploit has also affected the DEX’s Sonic, Polygon, and Base pools, draining assets from them.
Balancer DEX Suffers $116 Million Hack as Core Smart Contract Controlling the Main Asset Vault was Targeted by Attackers
The Balancer team confirmed the attack on social media, stating that they are aware of the “potential exploit” that impacted Balancer v2 vaults, and their engineering and security teams are “investigating with high priority”.
On-chain analysts believe the exploit stemmed from smart contracts with faulty access control in their “manageUserBalance” function, which allowed the attacker to submit a withdrawal command. The vulnerability was a logic flaw in the contract’s “validateUserBalanceOp” check, which compares “msg.sender” against a user-supplied “op.sender”; the flaw enabled unauthorized fund withdrawals through the “UserBalanceOpKind.WITHDRAW_INTERNAL” operation.
To put it simply, this flaw meant the attacker could trigger internal balance withdrawals from Balancer’s smart contract without requiring proper permissions. What makes the issue even more striking is that the vault is Balancer’s core smart contract, where all tokens from every pool are held. Instead of each pool managing its own funds, the DEX routes all tokens through a single contract.
The design, launched with Balancer v2, separates token accounting from pool logic – how swaps, liquidity adds, and withdrawals work. This made pools comparatively smaller, simpler, and safer to build. Anyone could plug in a new pool design on the network without having to create a whole new DEX.
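The authorization pattern described above, as a constructed Solidity illustration added here and not Balancer’s own code: a single shared vault holds every user’s internal balance and accepts batched balance operations, and the validation step binds each operation to the actual caller (msg.sender) or to a relayer the balance owner explicitly approved, rather than trusting the caller-supplied op.sender. The contract, function and field names are assumptions modelled loosely on the names quoted in the article.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration, not Balancer's code: one shared vault holding
// every user's internal balance, with batched balance operations.
contract InternalBalanceVault {
    enum UserBalanceOpKind { DEPOSIT_INTERNAL, WITHDRAW_INTERNAL }
    struct UserBalanceOp {
        UserBalanceOpKind kind;
        uint256 amount;
        address sender;            // caller-supplied: whose balance is touched
        address payable recipient; // caller-supplied: where funds go
    }

    mapping(address => uint256) public internalBalance;
    // balance owner => relayer => approved
    mapping(address => mapping(address => bool)) public approvedRelayer;

    function setRelayerApproval(address relayer, bool approved) external {
        approvedRelayer[msg.sender][relayer] = approved;
    }

    function depositInternal() external payable {
        internalBalance[msg.sender] += msg.value;
    }

    // The security-critical check. A weak version that only inspected the
    // caller-supplied op.sender (for example, requiring op.sender != address(0))
    // would let any caller move any user's balance. The hardened version binds
    // op.sender to the actual caller (msg.sender) or to a relayer that
    // op.sender approved for itself.
    function _validateUserBalanceOp(UserBalanceOp memory op) internal view {
        require(
            op.sender == msg.sender || approvedRelayer[op.sender][msg.sender],
            "caller not authorized to act for op.sender"
        );
    }

    function manageUserBalance(UserBalanceOp[] calldata ops) external {
        for (uint256 i = 0; i < ops.length; i++) {
            UserBalanceOp memory op = ops[i];
            _validateUserBalanceOp(op);
            require(op.kind == UserBalanceOpKind.WITHDRAW_INTERNAL, "use depositInternal()");
            internalBalance[op.sender] -= op.amount; // checked math reverts on underflow
            (bool ok, ) = op.recipient.call{value: op.amount}(""); // effects before interaction
            require(ok, "transfer failed");
        }
    }
}
```

A unit test for such a vault should assert that a call from an unapproved address naming another user's op.sender reverts, and that the balance stays unchanged after the revert.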
The exploit has also affected services built on top of Balancer v2, with fork DEXs like Beets Finance reporting a loss of over $3 million in various assets. According to DefiLlama, more than $60 million is locked on various DeFi services built atop Balancer, and those funds are at risk of being drained if the protocols have not adopted additional security measures to limit the damage when the main vault contract is exploited.
This is the Third Exploit in 5 Years to have Occurred on Balancer
This is also the third known security breach for the exchange, following similar incidents in 2021 and 2023 that cost millions. The June 2021 attack saw Balancer hacked for $500,000 in Ether and other assets in a flash loan attack based on the Statera (STA) deflationary token, which burned 1% of every transaction automatically. Two years later, almost $1 million in stablecoins was stolen just a week after the protocol disclosed a “critical vulnerability” related to its liquidity pools.
The exploiter’s wallet address has already begun consolidating the stolen assets, raising concerns over laundering through token mixers or cross-chain bridges.
Balancer Offers 20% of Stolen Assets as Bounty if Hacker Returns the Funds Within 48 Hours
In an effort to recover the lost funds, the Balancer team is offering up to 20% of the stolen funds as a white hat bounty to the attacker if they return the full amount immediately. However, the exchange has warned that if the funds are not returned within the next 48 hours, then they will continue to work with blockchain forensics specialists and law enforcement agencies to identify the culprit.
A message included in an on-chain transaction note said that Balancer and its partners are “confident” that they will identify the attacker from access-log metadata collected by its infrastructure, which indicates connections from a “defined set” of IP addresses/ASNs and associated ingress timestamps that correlate with transaction activity.
BAL, the native token of Balancer, has slumped 4.73% in 24 hours to $0.9436.
