Balancer was hacked, with $128 million stolen, triggering a crisis of trust in DeFi.


This Monday (November 3), Balancer, a leading decentralized finance (DeFi) protocol on Ethereum, was exploited through a serious smart-contract vulnerability. Preliminary estimates put the losses above $128 million, making it one of the largest DeFi hacks of the year so far.

According to on-chain data, multiple Balancer V2 vault contracts and liquidity pools were drained within a short window. The attacker moved the stolen tokens to newly created wallet addresses through a series of carefully constructed transactions; the funds were then consolidated and are suspected to be headed for mixers or cross-chain bridges.

Initial analysis suggests the attacker exploited a flaw in the interaction between the Balancer V2 Vault and its liquidity pools: malicious contracts were deployed to manipulate the Vault's calling logic during pool initialization, and weaknesses in authorization checks and callback handling let the attacker bypass security checks, execute unauthorized swaps and balance manipulations, and drain funds quickly. This is the analysts' preliminary reading; Balancer had not yet published its own root-cause analysis (its only statement so far is quoted below).

The key attack transaction (hash: 0xd155207261712c35fa3d472ed1e51bfcd816e616dd4f517fa5959836f5b48569) has been identified and confirmed on the Ethereum mainnet. Several on-chain analysis firms, including PeckShield and Nansen, have begun forensic analysis and confirmed that this was a smart-contract exploit rather than a private-key compromise.

Within hours of the incident breaking, multiple blockchain analysis firms released updated figures showing that the attacker had extended the attack to several other networks running Balancer V2 or forks of it. Cumulative losses have reached approximately $128 million, distributed as follows:

  • Ethereum Mainnet: approximately $99 million
  • Berachain: approximately $12.8 million
  • Arbitrum: approximately $6.8 million
  • Base: approximately $3.9 million
  • Sonic: approximately $3.4 million
  • Optimism: approximately $1.58 million
  • Polygon: approximately $232,000

On some smaller networks the loss is large relative to the chain's total value locked (TVL): Sonic's TVL is only about $150 million, so the roughly $3.4 million stolen there is about 2% of it. More worrying, the attack appears to still be ongoing.

As of press time, on-chain analyst Yu Jin posted on X that the liquid staking project StakeWise had recovered 5,041 osETH (worth approximately $19.3 million) from the hacker through a contract call, reducing the losses. However, more than half of the stolen assets have already been converted to ETH.

Industry observers point out that Balancer's composable design, while giving the protocol its flexibility, also turns the complex interactions between multiple pools into a potential attack surface. The incident resembles earlier attacks on automated market maker (AMM) protocols, where vulnerabilities often sit in the logic that handles token callbacks or rebalancing.

After the incident, Balancer's official account only released a brief statement on X, stating: "We have noticed that the Balancer v2 liquidity pools may have been attacked. The engineering and security teams are investigating the incident with the highest priority, and updates will be released as soon as confirmed information is available."

With no further clarification, community confidence has been shaken and investors and users are withdrawing liquidity. Analysts recommend temporarily halting interactions with Balancer pools in case the vulnerability remains unpatched.

At the same time, the Balancer platform token BAL plummeted over 13% within 24 hours, indicating a significant loss of market confidence.

In DeFi, Balancer has long been regarded as a veteran automated market maker (AMM), yet it has suffered multiple hacks over the past five years. The more widely reported security incidents involving the protocol in that period:

  • June 28-29, 2020: Attackers exploited a pool containing a deflationary ("fee + burn") token. Using flash loans and repeated swaps, they drove a discrepancy between the balance the pool had recorded for the token and the amount it actually held, and stole approximately $500,000 (in ETH, WBTC, LINK, SNX and other assets).

  • August 22-27, 2023: The Balancer team disclosed a serious vulnerability in V2 Boosted Pools and urged users to withdraw funds as soon as possible, but the pools were exploited five days later anyway. The bug stemmed from rounding errors in the Boosted Pool math that let attackers manipulate the BPT (Balancer Pool Token) supply calculation and pull assets out of the pool at unfair rates. The attack was carried out entirely with multiple flash loans; security firms' loss estimates range from roughly $900,000 to $2.1 million.

  • September 20, 2023: A separate front-end attack, in which Balancer's domain/DNS was hijacked, caused losses of approximately $238,000.
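To make the 2020 "fee + burn" incident concrete, here is an added, runnable illustration written for this article (not Balancer's contracts, and not a reconstruction of the actual exploit transactions) of the accounting class behind it: a constant-product pool that credits the amount a caller declares, rather than the amount that actually arrived, drifts away from its real holdings once one asset burns part of every transfer. The token names, burn rate, reserves and trade sizes are constructed; the `measure_receipts` flag switches between the vulnerable accounting and the balance-delta fix.

```python
# Added illustration for this article: how a pool that keeps internal reserve
# records drifts away from the tokens it really holds when one asset is a
# "fee + burn" token, and the accounting fix (credit only what was received).
# Toy code, not Balancer's contracts; all balances below are constructed.

from dataclasses import dataclass, field

POOL = "pool"
ATTACKER = "attacker"


@dataclass
class Token:
    """Minimal ERC-20-like ledger. burn_bps > 0 destroys that share of every
    transfer, which is what a deflationary/fee-on-transfer token does."""
    name: str
    burn_bps: int = 0
    balances: dict = field(default_factory=dict)

    def mint(self, who: str, amount: int) -> None:
        self.balances[who] = self.balance_of(who) + amount

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def transfer(self, src: str, dst: str, amount: int) -> int:
        if self.balance_of(src) < amount:
            raise ValueError(f"{src}: insufficient {self.name}")
        burned = amount * self.burn_bps // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount - burned
        return amount - burned  # what dst actually received


class ConstantProductPool:
    """x*y=k pool for tokens "A" and "B" that prices swaps off *recorded*
    reserves. measure_receipts=False credits the caller-declared amount
    (the bug class); True credits only the observed balance delta."""

    def __init__(self, tokens: dict, reserve: int, measure_receipts: bool):
        self.tokens = tokens
        self.rec = {name: reserve for name in tokens}
        self.measure = measure_receipts
        for tok in tokens.values():
            tok.mint(POOL, reserve)

    def _pull(self, name: str, src: str, amount: int) -> int:
        tok = self.tokens[name]
        before = tok.balance_of(POOL)
        tok.transfer(src, POOL, amount)
        received = tok.balance_of(POOL) - before
        # Vulnerable accounting trusts `amount`; safe accounting trusts `received`.
        return received if self.measure else amount

    def swap(self, name_in: str, name_out: str, src: str, amount_in: int) -> int:
        credited = self._pull(name_in, src, amount_in)
        rec_in, rec_out = self.rec[name_in], self.rec[name_out]
        amount_out = rec_out * credited // (rec_in + credited)
        self.rec[name_in] = rec_in + credited
        self.rec[name_out] = rec_out - amount_out
        self.tokens[name_out].transfer(POOL, src, amount_out)
        return amount_out

    def drift(self, name: str) -> int:
        """Recorded reserve minus real holdings; anything above 0 means the
        pool is quoting prices against tokens that no longer exist."""
        return self.rec[name] - self.tokens[name].balance_of(POOL)


def run_round_trips(measure_receipts: bool, rounds: int, size: int = 100_000) -> int:
    """Attacker, funded as if by a flash loan, swaps B->A then A->B `rounds`
    times and returns the pool's accounting drift in token A."""
    a = Token("A", burn_bps=100)  # constructed: 1% burned on every transfer
    b = Token("B")                # well-behaved token
    pool = ConstantProductPool({"A": a, "B": b}, reserve=1_000_000,
                               measure_receipts=measure_receipts)
    b.mint(ATTACKER, size * rounds)
    for _ in range(rounds):
        pool.swap("B", "A", ATTACKER, size)
        pool.swap("A", "B", ATTACKER, a.balance_of(ATTACKER))
    return pool.drift("A")


if __name__ == "__main__":
    print("naive pool, 1 trip     :", run_round_trips(False, 1))
    print("naive pool, 10 trips   :", run_round_trips(False, 10))
    print("measured pool, 10 trips:", run_round_trips(True, 10))
```

In the naive pool the recorded reserve of A exceeds its real balance by 1% of every amount swapped back in, so the gap grows with each flash-loan-funded round trip; that gap is the discrepancy the 2020 attackers exploited to extract the pool's other assets. Crediting only `balance_after - balance_before` keeps the drift at zero no matter how the token behaves on transfer.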

The repeated attacks on Balancer reflect the smart-contract risk that still pervades DeFi. Across these incidents the weaknesses have been token mechanics, front-end domain hijacking, and complex logic flaws in the V2 core contracts, which suggests that DeFi projects still have blind spots in contract design and security auditing. Rounding errors in the V2 Boosted Pool and flash-loan amplification in particular show that even protocols built by top teams cannot fully rule out vulnerabilities in complex financial logic.
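The 2023 Boosted Pool item in the list above and the point about rounding errors just made both come down to which way integer division rounds in a pool-share path. The following added example (toy code for this article, not Balancer's contracts, and not a reconstruction of the actual Boosted Pool bug) shows the general class: a pool whose share mint and redemption both round toward the caller can be milked with a repeated one-unit join/exit, while rounding toward the pool keeps the assets backing each share from ever decreasing. The pool state, share supply and trade sizes are constructed.

```python
# Added illustration for this article: why the direction of integer rounding in
# a pool-share (BPT-style) mint/redeem path matters. Toy code, not Balancer's
# contracts, and not a reconstruction of the 2023 Boosted Pool bug; the numbers
# below are constructed.


def mul_div(x: int, y: int, d: int, round_up: bool) -> int:
    """Integer x*y/d, rounded up or down as requested (Solidity-style math)."""
    q, r = divmod(x * y, d)
    return q + 1 if (round_up and r) else q


class SharePool:
    """Single-asset pool whose shares are a pro-rata claim on `assets`.

    favour_pool=True  : every rounding step goes against the caller, so the
                        assets backing each share can never decrease.
    favour_pool=False : rounding goes the caller's way (the bug class).
    """

    def __init__(self, assets: int, supply: int, favour_pool: bool):
        self.assets, self.supply, self.favour_pool = assets, supply, favour_pool

    def join(self, deposit: int) -> int:
        # Shares minted for a deposit. Safe direction: round DOWN.
        shares = mul_div(deposit, self.supply, self.assets,
                         round_up=not self.favour_pool)
        self.assets += deposit
        self.supply += shares
        return shares

    def exit(self, shares: int) -> int:
        # Assets paid out for burned shares. Safe direction: round DOWN.
        out = mul_div(shares, self.assets, self.supply,
                      round_up=not self.favour_pool)
        self.assets -= out
        self.supply -= shares
        return out

    def assets_per_share(self) -> float:
        return self.assets / self.supply


def attacker_profit(favour_pool: bool, rounds: int) -> int:
    """Join with 1 unit, exit immediately, repeat. Returns net gain in assets.
    Constructed state: 1,000 shares back 1,000,000 asset units, so one share
    is worth 1,000 units and each rounding step is worth up to that much."""
    pool = SharePool(assets=1_000_000, supply=1_000, favour_pool=favour_pool)
    start = pool.assets_per_share()
    profit = 0
    for _ in range(rounds):
        shares = pool.join(1)
        profit += pool.exit(shares) - 1
    # With pool-favouring rounding the backing per share never drops.
    assert not favour_pool or pool.assets_per_share() >= start
    return profit


if __name__ == "__main__":
    print("caller-favouring rounding, 1 round :", attacker_profit(False, 1))
    print("caller-favouring rounding, 5 rounds:", attacker_profit(False, 5))
    print("pool-favouring rounding, 3 rounds  :", attacker_profit(True, 3))
```

With caller-favouring rounding a one-unit deposit is rounded up to a whole share and that share is then redeemed for its full rounded-up value, so each cycle takes almost one share's worth of assets out of the pool; a flash loan only makes the cycle cheaper to repeat. With pool-favouring rounding the same dust deposit mints nothing and the attacker simply loses the deposit, which is the invariant an auditor should check on every mint and redeem path.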

However, despite the frequent security incidents, Balancer still has a large base of loyal users and community supporters. This is partly due to the high yields DeFi offers and the appeal of decentralized finance itself; it is also because Balancer typically offers compensation or launches white-hat bounties after each attack, and these repair and compensation mechanisms have helped sustain user trust. For many investors, the coexistence of high returns and high risk is an acceptable trade-off.

On the question of trust, DeFi still deserves attention. Frequent attacks do not mean DeFi as a whole is unusable; they remind the entire industry that stronger security mechanisms, continuous audits, and transparent risk disclosure are needed to balance innovation with safety.

Vladislav Ginzburg, founder and CEO of OneSource, stated: "Smart contracts and financial engineering are part of the investment risks in DeFi. Therefore, smart contract audits are crucial. I believe the Balancer vulnerability does not represent a new paradigm and should not change trust or risk factors. The status quo remains unchanged."


Original article: “Balancer Hacked, $128 Million Stolen, Sparking DeFi Trust Crisis”

Disclaimer: This article represents the author's personal views only and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image on this page infringes rights, please send proof of rights and identity to support@aicoin.com and the platform's staff will review it.
