Written by: David, Deep Tide TechFlow
When it rains, it pours—hackers always strike during downturns.
In the recent bearish environment of the entire crypto market, a veteran DeFi protocol has suffered another heavy blow.
On November 3rd, on-chain data showed that the Balancer protocol was suspected to have been hacked. Approximately $70.9 million in assets were transferred to a new wallet, including 6,850 osETH, 6,590 WETH, and 4,260 wstETH.
Subsequently, according to Lookonchain's monitoring of related wallet addresses, the total loss from the attack on the protocol rose to $116.6 million.
The Balancer team stated after the incident:
“A vulnerability attack that may affect Balancer v2 pools has been discovered. Our engineering and security teams are investigating this incident as a high priority and will share verified updates and follow-up measures once more information is obtained.”
In addition, the official team also publicly expressed willingness to pay 20% of the stolen assets as a white hat reward to recover the assets, valid for 48 hours.
The response was timely, but also quite official.
However, if you are a DeFi veteran, you would not be surprised by the headline "Balancer Hacked"—instead, you might feel a strange sense of déjà vu.
As a DeFi protocol established in 2020, Balancer has experienced six security incidents in five years, averaging one hack per year, and this time is just the largest amount stolen.
Looking back, when market conditions make trading extremely difficult, it is very likely that yield farming and arbitrage in DeFi are not safe either.
June 2020: Deflationary Token Vulnerability, Loss of About $520,000
In March 2020, Balancer entered the DeFi world with the innovative concept of a "flexible automated market maker." However, just three months later, this ambitious protocol encountered its first nightmare.
Attackers exploited a vulnerability in the protocol's improper handling of deflationary tokens, resulting in a loss of about $520,000.
The basic principle was that a token called STA at the time would automatically burn 1% as a fee with every transfer.
The attacker took a flash loan of 104,000 ETH from dYdX and repeatedly traded between STA and ETH 24 times. Because Balancer did not correctly calculate the actual balance after each transfer, the STA in the pool was eventually depleted to just 1 wei. The attacker then took advantage of the severely unbalanced price to swap a tiny amount of STA for a large amount of ETH, WBTC, LINK, and SNX.
March 2023: Euler Incident Collateral Damage, Loss of About $11.9 Million
This time, Balancer was an indirect victim.
Euler Finance suffered a $197 million flash loan attack, and Balancer's bb-e-USD pool was implicated because it held Euler's eToken.
When Euler was attacked, about $11.9 million was transferred from Balancer's bb-e-USD pool to Euler, accounting for 65% of the pool's TVL. Although Balancer urgently paused the relevant pools, the losses were already irrecoverable.
August 2023: Balancer V2 Pool Precision Vulnerability, Loss of About $2.1 Million
This attack actually had prior warning. On August 22nd of that year, Balancer proactively disclosed the vulnerability and warned users to withdraw funds, but the attack still occurred five days later.
The vulnerability involved a rounding error in the V2 Boosted Pool. The attacker precisely manipulated the calculation of the BPT (Balancer Pool Token) supply, causing a deviation and allowing assets to be withdrawn from the pool at an unfair rate. The attack was carried out through multiple flash loan transactions, and different security firms estimated the losses between $979,000 and $2.1 million.
September 2023: DNS Hijacking Attack, Loss of About $240,000
This was a social engineering attack, targeting not smart contracts but traditional internet infrastructure.
Hackers used social engineering to breach the domain registrar EuroDNS and hijacked the balancer.fi domain. Users were redirected to a phishing website, which used the Angel Drainer malicious contract to trick users into authorizing transfers.
The attacker then laundered the stolen funds through Tornado Cash.
Although this incident was not directly Balancer's fault, the protocol's brand was used for phishing, making it hard for people to guard against.
June 2024: Velocore Hacked, Loss of About $6.8 Million
Although Velocore is an independent project and its hack was not directly related to Balancer, as a fork of Balancer, Velocore used the same CPMM (Constant Product Market Maker) pool design, making it somewhat of a direct descendant—it's as if the theft happened elsewhere, but the mechanism originated from Balancer.
The gist of this incident is that the attacker exploited an overflow vulnerability in Velocore's Balancer-style CPMM pool contract by manipulating the feeMultiplier to exceed 100%, causing calculation errors.
The attacker ultimately used a flash loan in conjunction with a carefully crafted withdrawal operation to steal about $6.8 million.
November 2025: Latest Attack, Loss Exceeds $100 Million
The technical principle of this attack has been preliminarily clarified. According to security researchers, the vulnerability was in the access control check of the manageUserBalance function in the Balancer V2 protocol, which corresponds to user permission checks.
According to analyses by security monitoring agencies Defimon Alerts and Decurity, when verifying withdrawal permissions in Balancer V2, the system should have checked whether the caller was the actual owner of the account, but the code mistakenly checked whether msg.sender (the actual caller) was equal to the op.sender parameter provided by the user.
Since op.sender is a user-controllable input parameter, attackers could arbitrarily forge identities, bypass permission verification, and execute WITHDRAW_INTERNAL (internal withdrawal) operations.
In plain language, this vulnerability allowed anyone to impersonate the owner of any account and directly withdraw internal balances. Such a basic access control error is more like a rookie mistake, and its appearance in a mature protocol running for five years is truly astonishing.
Reflections After Reading the History of Hacks
What can we learn from this "history of hacks"?
My feeling is that DeFi protocols in the crypto world are more like something "to be admired from afar but not to be played with lightly." From a distance, all seems calm, but a closer look reveals a lot of technical debt beyond the narrative that probably needs to be repaid.
For example, one of Balancer's innovations is allowing up to eight tokens with custom weights to form a mixed pool.
Compared to Uniswap's simple design, Balancer's complexity grows exponentially.
With each additional token, the state space of the pool expands dramatically. When you try to balance the prices, weights, and liquidity of eight different tokens in one pool, the attack surface also increases. The 2020 deflationary token attack and the 2023 rounding error vulnerability were essentially both due to improper handling of edge cases brought by complexity.
Even more problematic is Balancer's choice of a rapid iteration development path. From V1 to V2, and then to various Boosted Pools, each upgrade added new features on top of old code. This accumulation of "technical debt" turned the codebase into a fragile tower of blocks;
For example, the recent attack caused by a permission issue—such a fundamental design error should not occur in a protocol that has been running for five years, which perhaps also indicates that the project's code maintenance has gotten out of control.
Or perhaps, in an era where narrative, profit, and sentiment outweigh technology, whether there are vulnerabilities in the underlying code is no longer important.
Balancer certainly won't be the last. You never know when the next black swan event, stacked by various composabilities in DeFi, will arrive. The complex dependency networks in the DeFi world make risk assessment almost impossible.
Even if you trust Balancer's code, can you trust all its integrations and partners?
For bystanders, DeFi is a novel social experiment; for participants, a DeFi hack is an expensive lesson; for the entire industry, DeFi soundness is the tuition that must be paid on the road to maturity.
We just hope this tuition won't be too expensive.
