Balancer Hit By Exploit As $128M Moved From Vaults

Decentralized finance (DeFi) protocol Balancer has lost $128 million after suffering a malicious exploit. On-chain data shows over $128 million in assets withdrawn from the protocol’s vaults

The stolen funds include osETH, WETH, and wstETH, with the exploiter consolidating the stolen assets, raising concerns about laundering

Balancer Hit By Exploit

Balancer, a prominent decentralized finance (DeFi) protocol, has been hit by a major exploit, with on-chain data showing that over $128 million in assets have been moved to a new wallet. According to blockchain data, the stolen funds include 6,850 osETH, 6,590 WETH, and 4,260 wstETH, with the hack affecting vaults on Balancer v2. The Protocol’s v2 vaults act as its central liquidity engine, aggregating tokens and facilitating trade between liquidity pools. The Balancer team acknowledged the hack on X, stating,

“We’re aware of a potential exploit impacting Balancer v2 pools. Our engineering and security teams are investigating with high priority. We’ll share verified updates and next steps as soon as we have more information.”

Vaults across Sonic, Polygon, and Base have also been impacted

Mikko Ohtamaa, co-founder and CEO of Trading Strategy, noted that preliminary analysis of the attack indicates a faulty smart contract as the primary cause of the attack. He added that while not all Balancer versions were affected, losses could be higher if older v2 forks share the same vulnerability used by the attacker. Security firm PeckShield stated that the attack is still ongoing across multiple chains on which Balancer is deployed

How The Attack Unfolded

According to security firm Decurity, the attack occurred due to a faulty access control in Balancer’s “manageUserBalance” function. The vulnerability was in the ValidateUserBalanceOp, which checks msg.sender against a user-supplied op.sender, a logic flaw that allows unauthorized withdrawals through the UserBalanceOpKind.WITHDRAW_INTERNAL operation

In simpler terms, the vulnerability allowed the attackers to trigger internal balance withdrawals from Balancer’s smart contracts without the requisite permissions

“manageUserBalance in Balancer has a faulty access check In _validateUserBalanceOp it checks msg.sender against user-supplied op.sender. It allows the execution of UserBalanceOpKind.WITHDRAW_INTERNAL (kind = 1).”

On-chain security experts have highlighted that the attacker’s address has already begun consolidating the assets, raising concerns that they are preparing to launder the funds through decentralized mixers

A Third Exploit

Balancer is a decentralized platform built on Ethereum that allows users to trade tokens and provide liquidity using its self-balancing pools. The protocol has been active since 2020 and holds over $350 million in TVL on Ethereum alone. The latest incident is the third known security breach for Balancer. The platform previously suffered exploits in 2021 and 2023, losing millions. On-chain experts stated that the vault is Balancer’s primary smart contract, holding tokens from every Balancer pool

The design was introduced in Balancer v2 and separates token accounting from pool logic, making pools smaller, simpler, and safer to build. This approach allowed anyone to plug in a new pool design without creating a new DEX.

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.