Balancer V2 Contract Vulnerability Incident: The Full Breakdown of Over $116 Million in Assets Stolen

Veteran DeFi Protocol Falls: Balancer V2 Contract Vulnerability, Over $110 Million in Assets Stolen

Author: Wenser, Odaily Planet Daily

On November 3rd, the veteran DeFi protocol Balancer was reported to have over $70 million in assets stolen. Subsequently, this news was confirmed by multiple sources, and the amount of stolen funds continued to rise. As of the time of writing, the stolen assets from Balancer have increased to over $116 million. Odaily Planet Daily provides a brief analysis of this incident in this article.

Details of the Balancer theft: Losses exceeding $116 million, mainly due to V2 pool smart contract vulnerabilities

According to on-chain information, the attacker has now stolen assets totaling over $116 million, including WETH, wstETH, osETH, frxETH, rsETH, and rETH, spread across multiple chains including Ethereum, Base, and Sonic. Specifically:

· Assets stolen on the Ethereum chain: approximately $100 million;

· Assets stolen on Arbitrum: nearly $8 million;

· Assets stolen on Base: close to $3.95 million;

· Assets stolen on Sonic: over $3.4 million;

· Assets stolen on Optimism: nearly $1.57 million;

· Assets stolen on Polygon: around $230,000.

Crypto influencer Adi posted that preliminary investigations indicate the attack mainly targeted Balancer’s V2 vaults and liquidity pools, exploiting vulnerabilities in smart contract interactions. On-chain investigators pointed out that a maliciously deployed contract manipulated Vault calls during pool initialization. Incorrect authorization and callback handling allowed the attacker to bypass protections, enabling unauthorized swaps or balance manipulations between interconnected liquidity pools, resulting in rapid asset theft within minutes.

Based on current information, there is no evidence of private key leaks; this appears to be a purely smart contract vulnerability.

Auditing firm Kebabsec and developer @okkothejawa from Citrea also stated, “(The check error mentioned by @moo9000) may not be the root cause, because in all ‘manageUserBalance’ calls, ops.sender == msg.sender. The security flaw might have occurred in transactions before the creation of the contract that manages asset withdrawals, as this led to some state changes in the Balancer vault.”

Balancer officials responded publicly: “The official team is aware of a potential vulnerability affecting Balancer V2 pools. Our engineering and security teams are prioritizing investigations. Once more information is available, we will share verified updates and next steps immediately.”

Berachain, which faces potential asset loss, also responded promptly. After the incident, the Berachain Foundation relayed a statement from Berachain founder Smokey The Bera: “The Bera Node team has proactively paused the mainnet to prevent impact on BEX (mainly USDe pools) due to the Balancer vulnerability.

· Disabling Bera bridging by the Ethena team

· Pausing USDe deposits in the lending market

· Halting HONEY token minting and swaps

· Communicating with CEXs to ensure hacker addresses are blacklisted

Our goal is to recover funds as soon as possible and ensure the safety of all LPs. The Berachain team will release binary files to relevant node validators and service providers once ready (since the pool involves non-native assets, it requires some slot restructuring, not just token balance modifications).”

On-chain details of the Balancer attacker (screenshot not reproduced)

Who is most exposed to the Balancer theft: users and crypto whales

Users of Balancer, a veteran DeFi protocol, are undoubtedly the most directly affected by this theft. Current users should consider the following actions:

· Withdrawing funds from Balancer V2 pools to prevent further losses;

· Revoking approvals: using Revoke, DeBank, or Etherscan to cancel token approvals granted to Balancer contract addresses, so that a still-approved contract cannot pull further funds;

· Staying alert: closely monitoring the attacker’s next moves and whether there will be a ripple effect on other DeFi protocols.
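The "revoke approvals" step above comes down to two ERC-20 calls: reading `allowance(owner, spender)` for each token and, where it is non-zero, sending `approve(spender, 0)`. The script below is an added example, not Balancer's or any approval tool's code, that audits an account's allowances to one spender and produces the revocation calldata. The spender, owner and token addresses are placeholders, and the JSON-RPC `eth_call` is replaced by a constructed lookup table so it runs offline; the two function selectors are the standard ERC-20 ones.

```python
# Added example (not Balancer code): audit which ERC-20 allowances an account has
# granted to a spender such as the Balancer V2 Vault, and build the calldata that
# revokes them. The JSON-RPC client is stubbed with a constructed result table so
# the script runs offline; the spender/owner/token addresses below are placeholders.

# 4-byte ABI selectors: first four bytes of keccak256 over the canonical signature.
ALLOWANCE_SELECTOR = bytes.fromhex("dd62ed3e")  # allowance(address,address)
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")    # approve(address,uint256)
UINT256_MAX = 2**256 - 1                        # "unlimited" approval commonly set by dapps


def _addr_word(addr: str) -> bytes:
    """Left-pad a 20-byte hex address to the 32-byte ABI word."""
    raw = bytes.fromhex(addr[2:] if addr.startswith("0x") else addr)
    if len(raw) != 20:
        raise ValueError(f"not a 20-byte address: {addr}")
    return raw.rjust(32, b"\x00")


def _uint_word(value: int) -> bytes:
    """Encode an unsigned integer as a 32-byte big-endian ABI word."""
    if not 0 <= value <= UINT256_MAX:
        raise ValueError("value out of uint256 range")
    return value.to_bytes(32, "big")


def encode_allowance_call(owner: str, spender: str) -> bytes:
    """Calldata for token.allowance(owner, spender) (a read-only eth_call)."""
    return ALLOWANCE_SELECTOR + _addr_word(owner) + _addr_word(spender)


def encode_revoke_call(spender: str) -> bytes:
    """Calldata for token.approve(spender, 0), i.e. the revocation transaction."""
    return APPROVE_SELECTOR + _addr_word(spender) + _uint_word(0)


def decode_uint256(ret: bytes) -> int:
    """Decode the single uint256 return word of allowance()."""
    if len(ret) != 32:
        raise ValueError("unexpected return length")
    return int.from_bytes(ret, "big")


def find_open_allowances(owner, spender, tokens, eth_call):
    """Return {token: allowance} for every token whose allowance to `spender`
    is non-zero. `eth_call(to, data) -> bytes` is the RPC hook (stubbed below)."""
    found = {}
    for token in tokens:
        amount = decode_uint256(eth_call(token, encode_allowance_call(owner, spender)))
        if amount:
            found[token] = amount
    return found


def revocation_plan(owner, spender, tokens, eth_call):
    """List of (token, calldata_hex, is_unlimited) transactions the owner should sign."""
    plan = []
    for token, amount in find_open_allowances(owner, spender, tokens, eth_call).items():
        plan.append((token, "0x" + encode_revoke_call(spender).hex(), amount == UINT256_MAX))
    return plan


# ---- constructed sample data (placeholders, not real addresses or balances) ----
OWNER = "0x" + "11" * 20          # the user's wallet
SPENDER = "0x" + "ba" * 20        # stands in for the Balancer V2 Vault address
TOKEN_A = "0x" + "aa" * 20        # e.g. a WETH-like token with an unlimited approval
TOKEN_B = "0x" + "bb" * 20        # e.g. an LST with a finite approval
TOKEN_C = "0x" + "cc" * 20        # never approved

_SAMPLE_ALLOWANCES = {TOKEN_A: UINT256_MAX, TOKEN_B: 5 * 10**18, TOKEN_C: 0}


def sample_eth_call(to: str, data: bytes) -> bytes:
    """Stub for eth_call: answers allowance() queries from the constructed table."""
    if data[:4] != ALLOWANCE_SELECTOR or len(data) != 4 + 64:
        raise ValueError("sample stub only understands allowance(address,address)")
    return _uint_word(_SAMPLE_ALLOWANCES[to])


if __name__ == "__main__":
    tokens = [TOKEN_A, TOKEN_B, TOKEN_C]
    for token, calldata, unlimited in revocation_plan(OWNER, SPENDER, tokens, sample_eth_call):
        flag = "  [unlimited approval]" if unlimited else ""
        print(f"{token}: send approve(spender, 0) with data {calldata}{flag}")
```

Against a live node, `sample_eth_call` would be replaced by a real `eth_call` to each token contract and each entry of the plan signed and broadcast by the wallet; the point of the table is that an unlimited allowance (`2**256 - 1`) to a compromised contract is the worst case and should be revoked first.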

Additionally, a crypto whale that had been dormant for three years has attracted market attention during this incident.

According to LookonChain monitoring, a whale address beginning 0x0090, dormant until then, woke up right after the Balancer vulnerability was exploited and rushed to withdraw about $6.5 million worth of assets from Balancer.

Follow-up: Hacker begins token swap mode

On-chain analyst Yu Yan (Ember) observed that the hacker behind the Balancer theft has started swapping various liquid staking tokens (LSTs) for ETH. Earlier, the hacker exchanged 10 osETH for 10.55 ETH.

On-chain data shows that the hacker is continuously swapping stolen assets across multiple chains into ETH, USDC, and other assets via CoW Protocol. At present, the chances of recovering these stolen assets appear slim.

Moving forward, whether Balancer can promptly identify the protocol contract vulnerability and recover the stolen assets or provide a corresponding solution will be closely followed by Odaily Planet Daily.
