Balancer’s Post-Mortem Report Identifies Rounding Error as Root Cause of $116 Million Exploit

By Ethan Clarke

Key Takeaways:

  • Balancer has released a preliminary post-mortem report on the $116 million exploit that occurred on its platform earlier this week. The team attributed the hack to a value rounding flaw in its swap logic, which the attacker used to manipulate pool balances and drain funds.
  • The exploit has also affected Balancer’s ecosystem partners and forks, including Berachain, Gnosis, StakeWise, Monetium, and Sonic, who have since taken emergency measures to protect funds.
  • Approximately $23.05 million of the stolen assets have been recovered or frozen on-chain. Balancer has paused all activity on its v2 Stable Pools and v5 Composable Stable Pools until the bug is fixed.

Decentralized finance (DeFi) protocol Balancer has published a preliminary report detailing the cause of the exploit on its multi-chain token pools that resulted in hackers siphoning $116 million in liquid staked Ether (ETH) tokens.

The automated market maker (AMM) and liquidity platform suffered a massive outflow from its core vault on November 3, which targeted the Balancer v2 Stable Pools and Composable Stable (CSP) v5 Pools across the Ethereum, Base, Avalanche, Arbitrum, Optimism, Gnosis, Polygon, Berachain, and Sonic blockchains.

Initial estimates showed losses of $70 million, which quickly rose to over $128 million within a few hours.

Rounding Error in the BatchSwap Feature of Stable Pools: the Root Cause of $116 Million Balancer v2 Exploit

In the preliminary report, Balancer attributed the hack to a rounding error in the upscale function for “EXACT_OUT” swaps within the v2 vault’s BatchSwaps feature – a function that allowed users to combine multiple swap operations into a single transaction to save on gas fees.

The upscale function is meant to round down when token prices are an input, but a bug caused non-integer scaling factors to be rounded down during specific calculations, which created small discrepancies in the pool's favour of the trader. The hacker combined this bug with the BatchSwap feature and flash loans – short-term loans borrowed and repaid within the same transaction – to manipulate balances and drain funds from the Stable Pools.

This resulted in liquidity falling below Balancer’s minimum threshold.
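To make the rounding point concrete, the following toy model is an added example; it is not Balancer's code and does not reproduce the vault's actual swap math. It assumes a two-token pool that prices tokens 1:1 in normalised 18-decimal units, with constructed non-integer scaling factors of 1.05 and 1.10 standing in for the rate-adjusted factors the report mentions. `charge_exact_out` computes what the pool charges for an EXACT_OUT request under two policies (round the upscaled output down, as in the bug, or round every step against the trader), and `audit_rounding` is the kind of invariant check a reviewer or monitor would run to find request sizes where the pool charges less than the exact rational price.

```python
"""Toy model of why rounding direction in fixed-point token scaling matters.

Constructed example (not Balancer's code): a two-token pool that prices
tokens 1:1 in normalised 18-decimal units, where each token carries a
non-integer scaling factor (a rate).
"""
from fractions import Fraction
from math import ceil

ONE = 10**18  # 18-decimal fixed point, as is common in EVM DeFi code

# Constructed non-integer scaling factors (rates of 1.05 and 1.10).
SCALE_OUT = 1_050_000_000_000_000_000
SCALE_IN = 1_100_000_000_000_000_000


def mul_down(a: int, b: int) -> int:
    """a * b / ONE, rounded toward zero."""
    return a * b // ONE


def mul_up(a: int, b: int) -> int:
    """a * b / ONE, rounded up (ceil for non-negative operands)."""
    product = a * b
    return 0 if product == 0 else (product - 1) // ONE + 1


def div_up(a: int, b: int) -> int:
    """a * ONE / b, rounded up."""
    numerator = a * ONE
    return 0 if numerator == 0 else (numerator - 1) // b + 1


def charge_exact_out(amount_out: int, round_in_pool_favour: bool) -> int:
    """Amount of the input token the pool charges for an EXACT_OUT request.

    Step 1 upscales the requested output into normalised units; step 2
    converts that normalised value into raw units of the input token.
    The buggy variant rounds step 1 down, which understates what leaves
    the pool; the fixed variant rounds every step against the trader.
    """
    if round_in_pool_favour:
        scaled_out = mul_up(amount_out, SCALE_OUT)
    else:
        scaled_out = mul_down(amount_out, SCALE_OUT)  # undervalues the outflow
    return div_up(scaled_out, SCALE_IN)


def fair_charge(amount_out: int) -> int:
    """Exact rational price rounded up to the nearest wei: the minimum the
    pool must charge so that it never gives value away."""
    exact = Fraction(amount_out) * SCALE_OUT / SCALE_IN
    return ceil(exact)


def audit_rounding(amounts, round_in_pool_favour: bool):
    """Defender-side check: for which request sizes does the pool charge
    less than the fair price, and how many wei does it give away in total?
    Returns (list_of_undercharged_amounts, total_shortfall_wei)."""
    undercharged = []
    total = 0
    for amount_out in amounts:
        shortfall = fair_charge(amount_out) - charge_exact_out(
            amount_out, round_in_pool_favour
        )
        if shortfall > 0:
            undercharged.append(amount_out)
            total += shortfall
    return undercharged, total


if __name__ == "__main__":
    for flag in (False, True):
        bad, leaked = audit_rounding(range(1, 101), flag)
        label = "round in pool favour" if flag else "round down on upscale"
        print(f"{label}: {len(bad)} undercharged sizes, {leaked} wei shortfall")
```

The per-request shortfall is a single wei at most in this model, which is why the flaw is easy to miss in review; the audit function matters because it shows the shortfall is systematic for certain request sizes, and a swap path that repeats those sizes many times in one transaction turns a rounding crumb into a measurable drain. Rounding every intermediate step in the pool's favour makes the shortfall list empty for all inputs.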

The report stated that in many instances, the stolen funds were first redirected into the Balancer vault’s internal balances before being withdrawn in subsequent transactions. The bug primarily affected CSP v5 pools whose pause windows had expired, while automated emergency controls on v6 pools transitioned them into recovery mode during the hack.

The team said the attack spanned across several Balancer-supported blockchains and forks, including BEX on Berachain, Beets on Sonic, and Gnosis-based platforms. However, the partner ecosystems implemented emergency protocols to contain further fallout.

The hackers involved were highly skilled and had been preparing for months before executing their attack. They used a series of 0.1 ETH deposits on the token mixer platform Tornado Cash to fund the attack and avoid detection.

Balancer’s Security and Strategic Partners and White Hats Have Recovered $23.05 Million in Stolen Assets

Balancer worked with its cybersecurity partner Hypernative and other crypto protocols, including SEAL 911, BitFinding, and StakeWise, to recover or freeze a portion of the stolen funds. The StakeWise DAO managed to recover 5,041 osETH and 13,495 osGNO tokens, valued at approximately $19 million and up to $2 million, respectively.

Meanwhile, validators on Berachain halted the network on November 4 to perform an emergency hard fork to address BEX’s exposure to Balancer v2. Sonic Labs froze addresses linked to the suspect, restricting the movement of funds tied to its Balancer fork. Gnosis temporarily restricted token bridging activity to prevent any cross-chain propagation. Monetium froze 1.3 million EURe tokens in the affected vault.

BitFinding and Base MEV bots managed to recover about $750,000 worth of funds, returning them to the Balancer DAO.

Balancer has paused all affected pools and disabled the creation of new pools on CSP v6 until the security issue is fixed. Furthermore, the team has enabled liquidity pool exits from paused pools to allow safe withdrawal of remaining funds. The protocol implemented a Safe Harbor legal framework (BIP-726) last year, which allowed white hat teams to intervene immediately without any legal repercussions. The report noted that this structure “materially improved” its response speed and coordination.

Balancer has offered a 20% white hat bounty to the perpetrator of the attack and ethical hackers for the safe return of the stolen funds, but so far, no one has come forward to claim the reward. The team has stated that a final verified accounting of the recovered and frozen funds will be published once partners complete on-chain reconciliation.