Balancer Faces Major Exploit Resulting in $116 Million Loss
Balancer, a prominent decentralized finance (DeFi) platform, suffered a significant exploit that drained over $116 million across multiple blockchains. The attack began with approximately $70 million stolen but escalated as the attacker moved funds between chains and converted assets to Ethereum (ETH) within an hour. Balancer, once considered highly reliable, has now joined other DeFi platforms experiencing complex smart contract hacks.
Blockchain analytics firm Lookonchain reported the hacker quickly exchanged stolen tokens for ETH. The theft mainly targeted wrapped ETH (WETH) and staked derivatives such as osETH and wstETH. Activity slowed only after the total stolen amount reached $116.6 million.
Details of the Balancer V2 Pool Vulnerability
Balancer confirmed the incident on X (formerly Twitter), citing a “potential exploit impacting Balancer v2 pools.” The team said their engineers and security experts were investigating the issue with high priority and promised updates once verified.
On-chain analyst Adi explained the exploit involved “improper authorization and callback handling,” which let the attacker bypass safeguards. This flaw allowed unauthorized swaps and balance manipulations across interconnected pools. Balancer’s composable design worsened the problem, enabling rapid asset drainage.
Lookonchain data showed the attacker moved about 6,587 WETH worth $24.46 million, 6,851 osETH worth $26.86 million, and 4,260 wstETH worth $19.27 million. Arkham reports the hacker’s on-chain portfolio is now near $90.5 million, reflecting a 6.6% loss over 24 hours due to broader market declines.
StakeWise Recovers Majority of Stolen Tokens
Ethereum staking protocol StakeWise recovered a large portion of stolen tokens. Their emergency multisig executed transactions retrieving approximately 5,041 osETH (~$19 million) and 13,495 osGNO (~$1.7 million). This represents 73.5% of the stolen osETH. StakeWise announced they will return these funds to affected users on a pro-rata basis.
StakeWise’s recovery helped ease concerns over a potential flood of ETH into the market. Analysts say the move could stabilize ETH’s short-term price. On Tuesday, ETH traded near $3,500, down 23% from the previous day.
Balancer’s Decline and Security Concerns
Data from DeFiLlama shows Balancer’s total value locked (TVL) has dropped to approximately $355.68 million. This is a sharp decline from its $3 billion peak in 2021, reflecting ongoing withdrawals after several security issues. Despite this, Balancer processed around $2.81 billion in trading volume last month and generated about $10.7 million in yearly revenue.
Crypto commentator Haseeb noted that blockchains responded to the hack in different ways. He said, “Berachain had validators halt the network. Polygon validators censored hacker transactions. Sonic added functionality to freeze and zero out the hacker’s account.” He emphasized that smaller ecosystems must prioritize safety and community protection over strict “code is law” principles.
Audit Gaps Highlight Balancer’s Weaknesses
Balancer has not undergone a major audit since 2022. It offers a bug bounty on Immunefi with rewards up to 1,000 ETH for critical smart contract vulnerabilities but excludes front-end issues. Previous audits from Certora, OpenZeppelin, and Trail of Bits are publicly available, though immutable contracts make fixes difficult without redeployment.
In October 2022, Balancer launched the Certora Security Accelerator, providing verification tools and $10,000 in credits to support project security. However, this recent exploit underscores the need for ongoing audits and stronger protections for user funds.
Implications and Future Challenges
The Balancer hack illustrates how even established DeFi platforms remain vulnerable. Interconnected pools and token systems increase both their power and their risk. Flaws can be exploited despite audits, with hackers quickly moving stolen funds across chains. This speed limits response and recovery options.
Balancer now faces the challenge of regaining user trust through transparency and enhanced security. While StakeWise’s recovery provides some relief, rebuilding confidence will require long-term efforts, not quick fixes.