Decentralized finance (DeFi) protocol Balancer, which manages over $750 million in value locked, has reportedly suffered its largest exploit to date.

Blockchain data shows more than $110 million in digital assets moved to a new wallet. The affected funds include 6,850 osETH, 6,590 WETH, and 4,260 wstETH, and the incident appears to involve multiple Balancer version 2 (V2) vaults.

Further analysis indicates that vaults across Sonic, Polygon, and Base networks were also impacted.

How the attack occurred

Security researchers at Decurity identified a vulnerability in Balancer’s “manageUserBalance” function. The flaw originates in the validateUserBalanceOp logic, which compares msg.sender against a user-supplied op.sender. This misalignment allowed unauthorized actors to execute withdrawals using the UserBalanceOpKind.WITHDRAW_INTERNAL operation.

In practice, attackers could trigger internal balance withdrawals from Balancer’s smart contracts without proper permissions. Blockchain data shows the exploiter has already begun consolidating assets, raising concerns that funds may be laundered through decentralized mixers or cross-chain bridges.

Impact on tokens and community

Following the incident, Balancer’s BAL token fell more than 5% from its Monday peak. The team has not yet issued an official statement. This marks Balancer’s third known security breach, following prior incidents in 2021 and 2023 that collectively cost millions of dollars.

The exploit also affected services built atop Balancer V2. For example, Beets Finance, a fork project, confirmed losses exceeding $3 million. Data from DefiLlama shows that over $60 million remains locked in protocols relying on Balancer V2, potentially exposing them to additional risk if security measures are insufficient.

Understanding Balancer V2’s vault design

Balancer V2 introduced a centralized vault system, where all tokens from every pool are held in a single smart contract rather than being managed separately by each pool. This design separates token accounting from pool logic (swap execution, liquidity additions, and withdrawals), allowing new pools to be deployed without creating entirely new DEX contracts.

While the architecture simplifies development and reduces operational complexity, this exploit demonstrates a critical downside: if the core vault is compromised, all dependent pools and protocols are exposed.


Balancer’s latest exploit is part of a troubling pattern in the DeFi space, where smart contract vulnerabilities continue to plague major liquidity platforms. As attacks increase, users are urged to remain vigilant and consider withdrawing funds from compromised protocols until further security measures are confirmed.

This exploit adds to a growing list of security incidents for Balancer:

  • August 2023: $870K exploit after a protocol vulnerability was disclosed.
  • September 2023: DNS hijacking attack, resulting in $238K in losses.
  • June 2020: A $500K flash loan attack exploiting the Statera (STA) token pool.

On-chain data has flagged $70.9 million in staked Ether (ETH) transferred from Balancer-related wallets to a new wallet. Blockchain analytics platforms like Nansen suggest the total loss could rise to $84 million with cross-chain transactions.

The stolen funds include osETH, WETH, and wstETH, further highlighting ongoing security vulnerabilities in DeFi protocols. As of now, Balancer has not issued an official statement.
