From Balancer to Berachain: when a chain hits the pause button.

The contradiction between DeFi security and decentralization exposed by a single vulnerability.

Written by: ChandlerZ, Foresight News

The DeFi world has once again found itself in the eye of a storm.

On November 3, multiple projects built on the Balancer V2 architecture were hit by a meticulously designed attack, with total losses exceeding $120 million. The incident was not confined to the Ethereum mainnet but spread to Arbitrum, Sonic, Berachain and other chains, making it the latest security incident to shake the whole industry after the Euler Finance and Curve Finance exploits.

BlockSec's preliminary analysis describes it as a highly complex price manipulation attack. Its core was distorting the price calculation for BPT (Balancer Pool Token): the attacker exploited rounding errors in the invariant computation to depress the BPT price and then arbitraged against it repeatedly within a single batch swap.

Taking the attack transaction on Arbitrum as an example, the attack unfolded in three stages:

  • The attacker first swapped BPT for an underlying asset, driving the pool's cbETH balance down to roughly 9 units, right at a rounding boundary, to set up the precision loss that followed;

  • Next, an exactly chosen amount (8) was swapped between wstETH, another underlying asset, and cbETH. Because the scaling step rounds down, the computed Δx came out slightly low, so Δy was underestimated, the stable pool invariant D shrank, and the theoretical BPT price fell with it;

  • Finally, the attacker swapped the underlying assets back into BPT at the depressed price and pocketed the difference.

In short, this was a precision strike at the boundary between mathematics and code.

Balancer officially confirmed that its V2 Composable Stable Pools had been exploited. The team said it was working with leading security researchers on the investigation and promised a full post-incident report as soon as possible. All affected pools that could still be paused were frozen and placed in recovery mode. The vulnerability affects only V2 Composable Stable Pools, not Balancer V3 or other pool types.

After the Balancer V2 exploit, projects that had forked Balancer were thrown into turmoil. According to DeFiLlama, as of November 4 the total value locked (TVL) across related projects was only about $49.34 million, a single-day drop of 22.88%. Among them BEX, Berachain's native DEX, saw its TVL fall 26.4% to $40.27 million; that is still 81.6% of the entire ecosystem, but with the chain halted and liquidity frozen, capital kept flowing out. Another victim, Beets DEX, fared even worse: its TVL plunged 75.85% in 24 hours and nearly 79% over the past 7 days.

In addition to the aforementioned protocols, other DEXs based on the Balancer architecture also experienced panic withdrawals. PHUX dropped 26.8% in one day, Jellyverse fell 15.5%, and Gaming DEX collapsed by 89.3%, with liquidity nearly wiped out. Even smaller projects that were not directly affected, such as KLEX Finance, Value Liquid, and Sobal, generally recorded capital outflows of 5%–20%.

The chain reaction spreads: Berachain rushes to hard fork

This vulnerability originating from Balancer V2 quickly triggered a larger chain reaction.

Berachain, an emerging public chain built on the Cosmos SDK, was attacked within hours because BEX uses the same Balancer V2 contract architecture. On detecting the anomaly, the foundation announced an emergency halt of the entire chain.

BEX's USDe tripool was reportedly the target, with affected funds of roughly $12 million. The attacker exploited the same logic flaw as in Balancer, extracting funds through a sequence of smart contract interactions. Because some of the assets involved were non-native tokens, the team had to roll back certain blocks via a hard fork to complete recovery and tracing.

At the same time, several protocols in the Berachain ecosystem, including Ethena, Relay, and HONEY (Berachain's native stablecoin), took defensive measures:

  • Prohibiting USDe cross-chain transfers;

  • Suspending deposits related to the lending market;

  • Stopping the minting and redemption of HONEY;

  • Flagging suspicious addresses to centralized exchanges for blacklisting.

The Berachain Foundation said the network halt was deliberate and that normal operation would resume shortly. The Balancer bug had mainly hit the Ethena/HONEY tripool through fairly complex smart contract transactions. Because non-native assets (not just BERA) were affected, the rollback and roll-forward could not be a simple hard fork, so the chain would stay paused until a complete solution had been settled.

On November 4, the Berachain Foundation announced that the hard fork binaries had been distributed and some validator nodes had already upgraded. Before resuming block production it wanted the core infrastructure partners that on-chain operations depend on (such as liquidation oracles) to update their RPCs, since these would be the main obstacle to restoring normal activity. Once the RPC work for core services was done, the team would coordinate with cross-chain bridges, CEX partners, custodians and others to restore services.

Meanwhile, the operator of a Berachain MEV bot contacted the foundation after the halt, saying they had been extracting the funds as a "white hat" and had signalled this in on-chain messages. They offered to pre-sign a series of transactions returning the funds once the chain was back online.

Security first or decentralization?

"We know this is controversial, but when approximately $12 million of user assets are at risk, protecting users is the only option," said Berachain co-founder Smokey The Bera in response to community concerns about "centralization."

He acknowledged in a statement that Berachain has not yet reached Ethereum's level of decentralization, and that coordination among its validators looks more like a crisis command center than an automated consensus network. That the nodes coordinated a shutdown within an hour of the exploit surfacing shows both the efficiency of centralized decision-making and how centralized governance still is.

Community reactions quickly became polarized.

Supporters argue that this move reflects the team's sense of responsibility for user safety and is "realistic decentralization"; opponents accuse it of violating the principle of "Code is Law" and being a blatant betrayal of on-chain irreversibility.

On-chain detective ZachXBT commented, "In a situation where user funds are at risk, this is a difficult but correct decision."

However, some radical developers bluntly stated, "If a blockchain can be paused at any time by human intervention, how does it differ from the traditional financial system?"

The shadow of the DAO incident reappears

The turmoil has reminded many in the industry of the 2016 Ethereum DAO hack. Back then, Ethereum hard-forked to claw back the stolen funds, worth about $50 million at the time, and the community split into Ethereum (ETH) and Ethereum Classic (ETC).

Nine years later, a similar choice has emerged again.

The difference is that this time the protagonist is a public chain still in its early development stages, lacking sufficient decentralization and global consensus support.

Although Berachain's human intervention prevented larger losses, it once again raised philosophical questions about whether "blockchains can truly be autonomous."

In a sense, this is also a mirror of the DeFi ecosystem: security, efficiency, decentralization — the balance among the three has never truly been achieved.

When attackers can drain tens of millions of dollars in seconds, "ideals" often have to give way to "reality."

Balancer officials stated that the team is working with top security researchers to plan the release of a complete post-incident analysis report and reminded users to beware of fraudulent messages impersonating security teams.

Berachain, on the other hand, expects to gradually restore block production and transaction functions after the hard fork is completed.

However, restoring trust is more difficult than fixing vulnerabilities. For an emerging public chain, pausing the chain is a short-term fix but may leave long-term scars in the community. Users will question the authenticity of its decentralization, and developers will worry about whether there are still immutable guarantees.

The world of DeFi may be redefining decentralization, not as absolute laissez-faire, but as finding the minimal compromise consensus in times of crisis.
