Market Maker Balancer Compromised: Key Facts Behind The $128 Million Hack

The decentralized finance (DeFi) protocol and market maker Balancer recently suffered a significant exploit, resulting in the loss of over $120 million in digital assets.

According to blockchain security firms, the total losses have now reached approximately $128 million, with ongoing withdrawals from the attacker’s wallet still being reported.

Details Of Balancer Attack

In a post on social media platform X (previously Twitter), Balancer acknowledged the exploit, stating that its engineering and security teams were investigating the breach with high priority. They added:

The company’s Chief Executive, Deddy Lavid, explained that the ongoing drain of funds likely results from compromised access control mechanisms within the protocol, which allowed the attackers to manipulate balances directly.

Market expert Adi Flips provided further insights into the exploit, detailing how the attack targeted Balancer’s V2 vaults and liquidity pools by exploiting vulnerabilities in the interactions of smart contracts. 

Preliminary investigations indicate that the exploit involved a maliciously deployed contract that manipulated vault calls during the initialization of pools. This manipulation was made possible due to improper authorization and callback handling, which allowed the attacker to circumvent existing safeguards. 

As a result, unauthorized swaps and balance manipulations occurred across interconnected pools, enabling the rapid drainage of assets within minutes.

The attack was initiated with a pivotal transaction on the Ethereum (ETH) mainnet, which directed assets to a new wallet controlled by the perpetrator. Following this, the stolen funds were consolidated, likely for laundering through mixers or bridges.

Stolen Assets Breakdown

The design of Balancer’s protocol, which allows for heavy interaction among its pools, exacerbated the impact of the exploit, according to Adi Flips’ analysis. 

He stated that similar vulnerabilities have been observed in automated market makers (AMMs) in the past, often linked to how they handle deflationary tokens or manage pool rebalancing.

Importantly, there is currently no evidence suggesting that a private key was compromised. The expert noted that this incident appears to be a pure smart contract exploit.

The breakdown of the stolen assets includes over $70 million in Ethereum, with additional losses of around $7 million from Base and Sonic combined, and approximately $2 million from other chains. 

According to ongoing investigations, the estimated total theft of the main assets, including wrapped Ethereum (WETH), staked Ethereum (wstETH), osETH, frxETH, rsETH, and rETH, is between $116 million and $128 million.

Featured image from DALL-E, chart from TradingView.com