Balancer Hit By Exploit As $128M Moved From Vaults

Decentralized finance (DeFi) protocol Balancer has lost $128 million after suffering a malicious exploit. On-chain data shows over $128 million in assets withdrawn from the protocol’s vaults. 

The stolen funds include osETH, WETH, and wstETH, with the exploiter consolidating the stolen assets, raising concerns about laundering. 

Balancer Hit By Exploit 

Balancer, a prominent decentralized finance (DeFi) protocol, has been hit by a major exploit, with on-chain data showing that over $128 million in assets have been moved to a new wallet. According to blockchain data, the stolen funds include 6,850 osETH, 6,590 WETH, and 4,260 wstETH, with the hack affecting vaults on Balancer v2. The Protocol’s v2 vaults act as its central liquidity engine, aggregating tokens and facilitating trade between liquidity pools. The Balancer team acknowledged the hack on X, stating, 

Vaults across Sonic, Polygon, and Base have also been impacted. 

Mikko Ohtamaa, co-founder and CEO of Trading Strategy, noted that preliminary analysis of the attack indicates a faulty smart contract as the primary cause of the attack. He added that while not all Balancer versions were affected, losses could be higher if older v2 forks share the same vulnerability used by the attacker. Security firm PeckShield stated that the attack is still ongoing across multiple chains on which Balancer is deployed. 

How The Attack Unfolded 

According to security firm Decurity, the attack occurred due to a faulty access control in Balancer’s “manageUserBalance” function. The vulnerability was in the ValidateUserBalanceOp, which checks msg.sender against a user-supplied op.sender, a logic flaw that allows unauthorized withdrawals through the UserBalanceOpKind.WITHDRAW_INTERNAL operation. 

In simpler terms, the vulnerability allowed the attackers to trigger internal balance withdrawals from Balancer’s smart contracts without the requisite permissions. 

On-chain security experts have highlighted that the attacker’s address has already begun consolidating the assets, raising concerns that they are preparing to launder the funds through decentralized mixers. 

A Third Exploit 

Balancer is a decentralized platform built on Ethereum that allows users to trade tokens and provide liquidity using its self-balancing pools. The protocol has been active since 2020 and holds over $350 million in TVL on Ethereum alone. The latest incident is the third known security breach for Balancer. The platform previously suffered exploits in 2021 and 2023, losing millions. On-chain experts stated that the vault is Balancer’s primary smart contract, holding tokens from every Balancer pool. 

The design was introduced in Balancer v2 and separates token accounting from pool logic, making pools smaller, simpler, and safer to build. This approach allowed anyone to plug in a new pool design without creating a new DEX.

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.