Balancer Drained Of $110 Million As DeFi Protocol Suffers Biggest Exploit Yet


Decentralized finance (DeFi) protocol Balancer, which has over $750 million in locked-up value, seems to have been hit with its largest exploit yet.

On-chain data shows that more than $110 million in digital assets has been drained from the platform to a new wallet. These funds include 6,850 osETH, 6,590 WETH, and 4,260 wstETH. 

The attack also appears to have impacted vaults on Balancer version 2 (V2), with the on-chain data showing that vaults across Sonic, Base and Polygon have been drained. 

This marks the third security breach for the project, which was also exploited in 2021 and 2023. These prior incidents had collectively cost the project millions. 

Balancer Says It’s Aware Of The Potential Exploit

According to security tool Decurity, the attack on Balancer occurred due to faulty access control in its “manageUserBalance” function.

The vulnerability that was exploited stemmed from “validateUserBalanceOp,” which checks msg.sender against a user-supplied op.sender. This logic flaw is what allowed unauthorized withdrawals through the UserBalanceOpKind.WITHDRAW_INTERNAL operation.

That essentially lets the attackers trigger internal balance withdrawals from the protocol’s smart contracts without having the proper permissions to do so. 
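The check a manageUserBalance-style entry point needs, as an added Python model (not Balancer's Solidity code and not a reconstruction of the exploited bug): authority comes from the authenticated caller, and op.sender is accepted only when it is that caller or an owner who approved the caller. The VaultModel class, the approvals set and the account names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class OpKind(Enum):
    DEPOSIT_INTERNAL = 0
    WITHDRAW_INTERNAL = 1

@dataclass(frozen=True)
class UserBalanceOp:
    kind: OpKind
    sender: str      # caller-supplied: a claim about whose balance to debit
    recipient: str
    amount: int

@dataclass
class VaultModel:
    internal: dict = field(default_factory=dict)  # account -> internal balance
    approvals: set = field(default_factory=set)   # (owner, delegate), assumed feature

    def _authorize(self, caller, op):
        # Authority is the authenticated caller (msg.sender on-chain), never op.sender alone.
        if op.sender != caller and (op.sender, caller) not in self.approvals:
            raise PermissionError(f"{caller} may not act for {op.sender}")
        if op.amount <= 0:
            raise ValueError("amount must be positive")

    def manage_user_balance(self, caller, ops):
        # Check every op before touching state: a rejected batch moves nothing.
        for op in ops:
            self._authorize(caller, op)
        staged, payouts = dict(self.internal), {}
        for op in ops:
            if op.kind is OpKind.WITHDRAW_INTERNAL:
                if staged.get(op.sender, 0) < op.amount:
                    raise ValueError("insufficient internal balance")
                staged[op.sender] -= op.amount
                payouts[op.recipient] = payouts.get(op.recipient, 0) + op.amount
            else:  # DEPOSIT_INTERNAL credits the recipient's internal balance
                staged[op.recipient] = staged.get(op.recipient, 0) + op.amount
        self.internal = staged  # commit only after the whole batch succeeded
        return payouts

def demo():
    vault = VaultModel(internal={"alice": 100})  # constructed sample state
    forged = UserBalanceOp(OpKind.WITHDRAW_INTERNAL, "alice", "mallory", 100)
    try:
        vault.manage_user_balance("mallory", [forged])
    except PermissionError as exc:
        return str(exc), vault.internal
```

Calling `demo()` returns the rejection message together with the unchanged balances, showing that an op naming another account as sender is refused before any state changes.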

Balancer took to X and said that it is aware of the potential exploit impacting its V2 pools. 

“Our engineering and security teams are investigating with high priority,” the project said. 

New Balancer Design Opens Forks Up To Exploit As Well

The vault that is being attacked is a single Balancer smart contract where all of the tokens from every Balancer pool are actually held. Every pool routes through this single smart contract instead of each pool managing its own tokens.

That design was introduced in Balancer V2, and was launched to separate token accounting logic from pool logic, which makes pools smaller, simpler, and safer to build. As such, anyone can just plug in a new pool design without creating a whole decentralized exchange (DEX) first. 

However, that design seems to be impacting services built on top of Balancer. A fork project called Beets Finance has confirmed that it was impacted and has lost over $3 million. 

Meanwhile, on-chain security firm PeckShieldAlert posted on X that the attack on Balancer and its forks is still ongoing. The firm estimated that the total losses so far stand at approximately $128.64 million.

In response to the attack, Berachain also announced that its validators have coordinated to “purposefully halt the Berachain network” so that the team can perform an emergency hard fork to address Balancer V2 related exploits on its BEX platform. 

BAL Token Price Slides 4% On Exploit

The price of Balancer’s native token, BAL, has slid more than 4% following the exploit, according to CoinMarketCap data. 

BAL price (Source: CoinMarketCap)

After the latest correction, the crypto trades at $0.9487 as of 6:02 a.m. EST. 

The exploit has exerted additional selling pressure on BAL, which has been in a sustained bearish trend on the longer-term time frames. CoinMarketCap data shows that the crypto has plunged over 14% and 24% in the last week and month, respectively. 

About Author

Steven Walgenbach
