- The Balancer exploit escalated from initial estimates of $70M to over $128M in losses.
- The likely cause was an access control failure in V2 that allowed unauthorized withdrawals.
- It affected several networks: Ethereum, Berachain, Arbitrum, Base, Sonic, Optimism, and Polygon.
- The protocol offered a 20% reward; the BAL token fell and Berachain experienced an emergency shutdown.
El decentralized finance protocol Balancer has registered one of its biggest security incidents till the date, with an attack that began being reported around 70 million and that, according to the most recent consolidated data, It would have easily exceeded 128 million in assets drained into new portfolios.
The committed funds include osETH, WETH and wstETHand they would have withdrawn mainly from pools of version V2The malicious activity spread across several networks, while the token BAL He suffered intraday falls and users awaited official confirmations about the true extent of the incident.
How the attack happened
Initial analyses point to a faulty access control in the manageUserBalance function of Balancer V2The vulnerability would originate in validateUserBalanceOp, by comparing incorrectly msg.sender with a op.sender provided by the user, which would have allowed unauthorized withdrawals through the operation UserBalanceOpKind.WITHDRAW_INTERNAL.
This vector opened the door for malicious actors to unleash internal balance movements directly from contracts without proper permissions. Vault of V2 —the central contract that holds the tokens of each pool— came into focus, affecting not only Balancer but also services built upon its architecture.
In parallel, the following were detected vault emptyings on networks like Sonic, Polygon and BaseThis reinforces the interconnected nature of the DeFi ecosystem. The operator's address It began to consolidate assets rapidly, increasing the risk of its subsequent obfuscation through mixers or bridges between chains.
Specialized security teams, including Decurity and on-chain data analysts, continue to track the flow of funds and the potential chain of transactions, with the aim of profiling the attacker and precisely defining the area of the breach.
Extent of damage and distribution by supply chains
The latest estimates raise the total drained to about $ 128,64 million, with a dominant weight of Ethereum and a significant impact on several L2 and compatible networks. It was also confirmed that Beets FinanceThe derivative project suffered losses exceeding 3 million.
- Ethereum: ~99,6M
- Reachain: ~12,86M
- Arbitration: ~6,96M
- Base: ~4,01M
- Sonic: ~3,44M
- Optimism: ~1,58M
- Polygon: ~ 232.350
Among the drained assets, the following stood out: 6.850 osETH, 6.590 WETH y 4.260 wstETH, transferred in rapid succession to new portfolios, a pattern consistent with an attacker knowledgeable about the logic of the contracts and the composition of the pools.
To incentivize the return of funds, the Balancer team put forward a 20% reward format white hatconditional upon the immediate restitution of the remaining capital. Otherwise, a warning was issued regarding collaboration with blockchain forensics and authorities to identify the person responsible.
The impact also extended to the infrastructure: Berachain executed a emergency arrest or with a hard fork aimed at limiting the impact on specific assets in its native DEX, with a commitment to resume the network after the recovery of the affected funds.
Protocol response and market effects
The team indicated that the pools V2 were affectedWhile V3 remained operational and without damage, and reported that its engineering and safety areas are investigating with priority to determine containment measures and potential recovery routes.
On the market front, the token BAL registry declines of more than 5% after the attack became known, in a context of widespread caution in the community DeFiOn-chain analysts recommended avoiding interacting with Balancer pools until complete technical information is available.
This incident adds to previous episodes: in 2020An attack exploited the handling of deflationary tokens for about $500.000; In August de 2023 losses of nearly 1 million due to a vulnerability in boosted pools; and that same year a DNS attack redirected to a website of Phishing, with an approximate loot of $238.000.
For users of Spain and the EUThe case reopens the debate on risk management in composite protocols and the need for agile audits, user protection tools and inter-protocol coordination, in line with the European regulatory drive (Mica) towards more demanding safety standards.
With losses already above 128 million And with an active investigation underway, the Balancer episode offers several lessons: the importance of robust access control in critical functions, the constant review of legacy contracts in V2and the preparation of coordinated responses—including the option of White Hat Rewards— to mitigate damage and restore trust.
I am a technology enthusiast who has turned his "geek" interests into a profession. I have spent more than 10 years of my life using cutting-edge technology and tinkering with all kinds of programs out of pure curiosity. Now I have specialized in computer technology and video games. This is because for more than 5 years I have been writing for various websites on technology and video games, creating articles that seek to give you the information you need in a language that is understandable to everyone.
If you have any questions, my knowledge ranges from everything related to the Windows operating system as well as Android for mobile phones. And my commitment is to you, I am always willing to spend a few minutes and help you resolve any questions you may have in this internet world.