$128 million stolen, 27 fork protocols "caught in the crossfire," the Balancer incident provides three major lessons for DeFi.

Author: Frank, PANews

On November 3, a tear opened in the sky of the DeFi world. The treasury address of the established DeFi protocol Balancer showed an abnormally large fund transfer. Over the following hours, the entire industry watched a disaster unfold in real time, with the reported loss climbing from an initial $70 million to a staggering $128.64 million.

Behind the massive losses lies a further fact: the Balancer V2 protocol has as many as 27 "forked protocols," all of which face systemic risk from this long-standing fatal vulnerability.

Balancer V2 Hacked, $128 Million Stolen

On November 3, the on-chain security company Pionex noticed abnormal transfers from the Balancer V2 treasury. Large amounts of wrapped Ethereum (WETH) and liquid-staking derivatives (wstETH, osETH) were transferred to a new wallet.

The Balancer team quickly confirmed that an on-chain attack had indeed occurred, and with continuous monitoring, the final estimated loss reached $128 million. The Balancer team stated that the attack was strictly limited to the V2 Composable Stable Pools. Its newer V3 architecture and other V2 pool types (such as weighted pools) were not affected.

As of November 4, the Balancer team had not disclosed the specific cause of the attack. However, analyses from several security firms and on-chain analysts suggest that the root of the attack lies in a "faulty access-control check."

The attacker sent a maliciously constructed instruction to the treasury by calling the manageUserBalance function of the V2 protocol. This instruction deceived the protocol's internal ledger into believing that "the protocol had just received a large fee," and that "the ownership of this fee belonged to the attacker." Subsequently, the attacker invoked a normal withdrawal request, transferring the massive assets to their own accounts.
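To make the bug class the analysts describe concrete, here is an added illustration (not Balancer's code, and not a claim about its actual implementation): a minimal internal-balance ledger whose balance-management entry point acts on a caller-supplied account, shown first without and then with the authorization check. All contract, struct and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical internal-balance ledger used only to illustrate the bug class
// described above: a balance-management entry point that moves funds for a
// caller-supplied account without checking the caller's authority.
// Not Balancer's code; every name here is illustrative.
struct UserBalanceOp {
    address asset;
    uint256 amount;
    address sender;     // account to debit
    address recipient;  // account to credit
}

abstract contract LedgerBase {
    // user => asset => internal balance (the protocol's own fee credits live here too)
    mapping(address => mapping(address => uint256)) public internalBalance;

    function _transferInternal(UserBalanceOp calldata op) internal {
        internalBalance[op.sender][op.asset] -= op.amount; // 0.8.x reverts on underflow
        internalBalance[op.recipient][op.asset] += op.amount;
    }
}

contract LedgerVulnerable is LedgerBase {
    // BUG: op.sender is trusted as given, so any caller can move any account's
    // internal balance, including balances held by the protocol itself.
    function manageUserBalance(UserBalanceOp[] calldata ops) external {
        for (uint256 i = 0; i < ops.length; i++) _transferInternal(ops[i]);
    }
}

contract LedgerHardened is LedgerBase {
    // user => relayer => approved
    mapping(address => mapping(address => bool)) public approvedRelayer;

    function setRelayerApproval(address relayer, bool approved) external {
        approvedRelayer[msg.sender][relayer] = approved;
    }

    // FIX: authenticate the caller for op.sender before applying every operation.
    function manageUserBalance(UserBalanceOp[] calldata ops) external {
        for (uint256 i = 0; i < ops.length; i++) {
            address user = ops[i].sender;
            require(msg.sender == user || approvedRelayer[user][msg.sender], "UNAUTHORIZED");
            _transferInternal(ops[i]);
        }
    }
}
```

The point for auditors is that the check must run per operation inside the batch, since a single batched call can mix operations on many accounts.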

From a technical perspective, the attack did not hinge on raw technical sophistication; rather, the attacker cleverly exploited a logical flaw within the protocol. Some analysts believe the hacker left console logs during the attack and, judging by the style of those traces, consider it highly likely that the hacker used a large AI model to write and review the code, thereby discovering flaws that human auditors had overlooked.

27 Forked Protocols "Caught in the Crossfire," Emergency Measures Activated Across Chains

Compared to the hacker's clever attack methods, what truly disappointed the industry was that Balancer V2 had previously undergone a total of 11 audits by four different security firms: OpenZeppelin, Trail of Bits, Certora, and ABDK, yet still failed to uncover this vulnerability.

Ironically, the specific component exploited in this attack, the Composable Stable Pool, had undergone a special audit by Certora and Trail of Bits in September 2022.

As a DeFi protocol that has been online for many years and appears to have been market-tested, the Balancer V2 protocol has developed as many as 27 "forked protocols," all of which inherited this logical flaw from Balancer V2. For hackers, this vulnerability is like having a master key that can open the treasuries of these forked protocols with similarly flawed code at any time.

In fact, this hacker attack has spread across multiple chains. Among them, the Balancer V2 on the Ethereum mainnet (the main protocol) suffered the most severe damage, with estimated losses reaching $100 million. Next is the BEX protocol on Berachain, with potential losses of up to $12.86 million. Additionally, protocols on seven public chains, including Arbitrum, Base, and Sonic, were affected by this attack.

Faced with this unforeseen disaster, the industry is confronted with a dilemma: should it adhere to the decentralized fundamentalism of "code is law" and watch user funds be stolen? Or should it take centralized intervention measures to protect users?

The most severely affected chain, Berachain, made the most radical and controversial decision: coordinating its validators to halt the entire network. By rolling back transactions, Berachain saved over $12 million in assets at risk on the BEX exchange.

Of course, this inevitably sparked controversy within the community, with some questioning, "Doesn't this completely undermine the finality and security of your 'chain'? Now it seems more like a private chain rather than a public blockchain?" In response, Berachain's anonymous co-founder Smokey the Bera stated, "I believe your concerns are valid, but I think extraordinary situations require extraordinary measures—similar actions have been seen in past cases like Sui and Hyperliquid."

Most community members still supported the decision, since the damage from a heavily drained liquidity pool could far outweigh the so-called "decentralization" belief.

The Sonic chain activated an "on-chain account freeze mechanism," locking the attacker's wallet and the $3.4 million in it without halting the network. Polygon's validators began actively "reviewing" transactions from the attacker's address.

Multiple Vulnerability Incidents, TVL Halved Triggering a Trust Crisis

Balancer's development history is, in fact, a history of recurring complex logic vulnerabilities. Balancer had suffered multiple hacker attacks before, with at least five vulnerability incidents from 2020 to 2025. The attack methods ranged from the earliest flash loan attacks to the more complex V2 enhanced pool vulnerabilities.

In past cases, however, losses generally ranged from hundreds of thousands to about two million dollars. For Balancer, those earlier incidents served more as opportunities to patch vulnerabilities. This time, with estimated losses exceeding $100 million, the attack directly shattered the market's trust and confidence in Balancer.

According to data from Defillama, after the attack Balancer's TVL plummeted from $776 million to $345 million, a drop of more than half. In particular, the TVL of Balancer V2 fell by $230 million, and liquidity drained out of the Balancer V2 forks: the TVL of Gaming DEX dropped by 87% in one day, and that of Beets DEX declined by 48%.

Lido also stated that although the Lido protocol was not affected, it had withdrawn its unaffected Balancer positions out of caution.

In fact, forked protocols like Gaming DEX later stated that they were not actually affected, but withdrew most of their funds for safety considerations.

For DeFi protocols, trust is more important than gold, especially against the backdrop of a history of repeated attacks. As of November 4, according to official sources, StakeWise DAO has recovered over $20 million in losses from the hacker through multi-signature contract calls. This has reduced the total amount lost to $98 million. Meanwhile, the transfer of the hacker's assets is still ongoing, with over half already converted to ETH.

This $128 million attack has become an expensive lesson in the growth process of DeFi, raising three sharp questions:

  1. When 11 audits of the "gold standard" fail to uncover a fatal vulnerability that has been lurking for two years, what is the significance of "auditing"?

  2. When "code contagion" becomes the norm, and a vulnerability in a foundational protocol can instantly destroy 27 derivative protocols, is DeFi's composability an innovation or a curse?

  3. When emerging public chains are forced to choose between "decentralization" and "saving users," has the ideal of "code is law" already given way to "pragmatic centralization"?

In the future, DeFi's security may no longer rely solely on more audits but rather on simpler, more robust protocol designs that fundamentally reduce attack surfaces. For those users who lost trust and capital in this incident, the cost of this realization is incredibly heavy.
