Balancer—an automated market maker (AMM) protocol claiming over $750 million in total value locked (TVL)—suffered a security breach on November 3. Blockchain analytics firms like PeckShield and Lookonchain reported outflows exceeding $116 million across multiple chains, including Ethereum, Arbitrum, Base, Optimism, Polygon, and Sonic.
The attack, which reportedly began around 9:18 UTC, targeted Balancer’s V2 liquidity pools, draining assets such as 6,850 osETH, 6,590 WETH, and 4,260 wstETHfrom the protocol’s core vault contract.
The vulne rability allegedly stemmed from a critical flaw in the smart contract‘s access control mechanism. Attackers exploited improper authorization checks and callback handling during pool initialization, allowing unauthorized withdrawals of internal user balances without valid permissions.
This enabled the perpetrator to manipulate pool balances and execute illicit swaps across interconnected liquidity hubs. Early estimates pegged losses at $70 million, but the figure climbed as the exploit persisted, with funds funneled to a fresh wallet address for consolidation—potentially prepping for laundering via mixers or bridges.
The ripple effects were quite swift and severe. Balancer’s native BAL token plunged over 10%, trading near $0.90 from a prior $0.98 close, while broader market jitters (not exactly related to this incident) dragged Bitcoin below $108,000 along with significant price drops in other cryptos (but largely due to other macroeconomic factors).
Worse, the breach extended to Balancer’s forked protocols, amplifying the carnage. Berachain paused its network for an emergency hard fork to quarantine compromised V2 contracts on its BEX exchange, safeguarding an additional $60 million in dependent services.
Beets Finance on the Sonic chain confirmed similar drains, underscoring the shared codebase risks in DeFi’s modular ecosystem.
Security experts, including those from BlockSec, tallied cross-protocol losses at around $83.6 million, with Balancer’s Ethereum segment alone hit for $70 million.
Balancer’s team appears to have acted decisively, issuing a statement on X acknowledging the “potential exploit impacting V2 pools.” Their engineering and security teams have launched a high-priority probe, urging users to halt interactions with affected vaults while assuring that V3 pools remained untouched.
“We’ll share verified updates and next steps as soon as we have more information,” they posted, emphasizing transparency amid the chaos. At the time of writing, no detailed immediate recovery plan was detailed, but the response echoed lessons from Balancer’s past challenges, like a 2020 deflationary token glitch that cost half a million dollars.
This incident exposes DeFi‘s enduring fragility.
Despite audits from OpenZeppelin and Trail of Bits, just a single logic bug in five-year-old code unraveled protections, cascading risks to layered protocols like Gyroscope and Aura.
Community voices on social media seemingly echoed the prevailing sentiment: Revoke approvals, diversify exposure, and treat no protocol as invincible. As investigations unfold, the incident serves as a reminder—product development is a good thing, but addressing critical issues with smart contracts is equally if not more important. Users and builders must prioritize rigorous, ongoing safeguards to fortify this $100 billion TVL protocol against emerging threats.