Balancer hacked for over $120 million in funds: what should you do?
The total amount stolen so far is $128.64 million, and the attack is still ongoing.
Written by: 1912212.eth, Foresight News
On the afternoon of November 3, the veteran DeFi protocol Balancer suffered a major security breach. Attackers manipulated the protocol’s core smart contracts and, within just a few hours, successfully siphoned over $110 million worth of crypto assets from multiple liquidity pools, transferring the funds from Balancer’s vault to wallets controlled by the attackers. As a result of the attack, the price of BAL dropped to around $0.9, with a 24-hour decline of 8.64%.

According to DeBank data, the stolen funds include $99.85 million from the Ethereum ecosystem, $7.95 million on the Arbitrum chain, $3.94 million from the Base ecosystem, $3.4 million on Sonic, and $1.56 million on the OP chain, among others.
As of 5:41 PM (UTC+8), a report from SlowMist indicated that the total amount stolen had reached $128.64 million, with an additional $12.86 million from Berachain.

Berachain officials announced that HONEY minting and BEX pool/vault functions have been suspended. Its validator nodes have coordinated to halt the Berachain network, allowing the core team to execute an emergency hard fork to address the vulnerability related to Balancer V2 on BEX.
This massive theft prompted the dormant whale 0x0090, inactive for three years, to quickly withdraw funds from Balancer.

This incident not only exposed access control flaws in the Balancer V2 architecture but also affected multiple blockchain networks, including Ethereum mainnet, Base, Polygon, and Sonic, causing total losses to soar rapidly.
Currently, the attack is still ongoing.
Balancer, founded in 2020 and developed by Balancer Labs, is an automated market maker (AMM) protocol that allows users to create custom liquidity pools and supports adjustable weights for multiple assets. Unlike simpler AMMs like Uniswap, Balancer’s design focuses more on flexibility and capital efficiency, especially with the introduction of “Boosted Pools” and the Vault system in V2, features aimed at optimizing yields and reducing slippage. During the previous DeFi boom, Balancer’s TVL once soared to $3.239 billion.

Currently, the protocol’s TVL is only $678.44 million.
Analysis shows that this attack stemmed from an access control failure in the vault contract: the attacker used a flash loan mechanism to forge permissions and extract assets from the Boosted Pools. Specifically, the attacker manipulated rate providers to bypass authorization checks, transferring funds directly from the vault to the external address 0xAa760D53541d8390074c61DEFeaba314675b8e3f. The on-chain transaction (hash 0xd155207261712c35fa3d472ed1e51bfcd816e616dd4f517fa5959836f5b48569) shows that multiple transfers were completed within minutes, involving ETH derivatives such as WETH, osETH, wstETH, frxETH, rsETH, and rETH. This method is similar to past DeFi attacks, such as the access control vulnerability in the 2022 Nomad Bridge incident, but Balancer’s multi-chain deployment amplified the risk, resulting in cross-chain losses.
The root cause of this attack can be traced back to Balancer’s historical security issues. This is not the first time the protocol has been compromised:
- In June 2021, Balancer lost $500,000 due to a smart contract vulnerability;
- In August 2023, a DNS hijacking attack led to an outflow of $270,000.
The most recent small-scale vulnerability occurred in October 2025, involving manipulation of rate providers.
All these incidents point to weaknesses in the protocol’s access control and external dependencies. V2 has been running for nearly five years since its launch in 2021 and has undergone multiple audits, fuzz testing, and formal verification, yet its vulnerabilities have still not been fully patched.
Hasu, Strategy Director at Flashbots and Lido Strategic Advisor, stated, “Balancer v2 launched in 2021 and has since become one of the most scrutinized and frequently forked smart contracts. This is very concerning. Every time a contract that has been live for so long is attacked, it (rightfully) sets back DeFi adoption by 6 to 12 months.”
Currently, the Balancer team has issued a statement saying that V2 pools may have vulnerabilities, and engineers and security teams are investigating the incident.

Foresight News advises users to withdraw funds immediately, revoke approvals (such as via Revoke.cash), and avoid any suspected phishing links.
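
What revoking an approval means on-chain, as an added example that is not part of the original article: an ERC-20 allowance stays in force until the owner sets it to zero with `approve(spender, 0)`. The sketch replays Approval event logs to list the allowances a wallet has granted and not zeroed; every address and log below is a constructed placeholder, and the function names are hypothetical.

```python
# Added example: replay ERC-20 Approval logs to list allowances still open.
# Addresses and logs below are constructed placeholders, not incident data.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def topic_to_address(topic):
    # Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes.
    return "0x" + topic[-40:].lower()

def outstanding_allowances(logs, owner):
    """Return {(token, spender): amount} for approvals by owner not yet zeroed."""
    owner, state = owner.lower(), {}
    # A later approve() overwrites an earlier one, so replay in chain order.
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but carries 4 topics; skip those.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner:
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        amount = int(log["data"], 16)
        if amount == 0:
            state.pop(key, None)   # approve(spender, 0) is a revocation
        else:
            state[key] = amount
    return state

def pad(addr):
    return "0x" + "0" * 24 + addr[2:]

def make_log(block, idx, token, owner, spender, amount, extra=()):
    return {"blockNumber": block, "logIndex": idx, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender), *extra],
            "data": hex(amount)}

OWNER = "0x" + "11" * 20      # placeholder wallet
OTHER = "0x" + "22" * 20      # placeholder unrelated wallet
TOKEN_A = "0x" + "aa" * 20    # placeholder ERC-20 tokens
TOKEN_B = "0x" + "bb" * 20
SPENDER = "0x" + "cc" * 20    # placeholder for a protocol contract

SAMPLE_LOGS = [
    make_log(130, 1, TOKEN_B, OWNER, SPENDER, 0),          # revokes the 500 below
    make_log(100, 0, TOKEN_A, OWNER, SPENDER, UNLIMITED),  # never revoked
    make_log(120, 3, TOKEN_B, OWNER, SPENDER, 500),
    make_log(125, 0, TOKEN_A, OTHER, SPENDER, 1000),       # different owner
    make_log(126, 2, TOKEN_A, OWNER, SPENDER, 0, extra=("0x" + "0" * 64,)),  # ERC-721 shape
]
```

Approval logs record the amount approved, not what remains after spending, so confirm each result with the token's `allowance(owner, spender)` call before and after revoking.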
