Balancer Breach: Over $116M Stolen in One of DeFi’s Largest Exploits

The Exploit: How It Happened

The breach targeted Balancer V2’s Vault module, where attackers exploited a callback authorization flaw. This vulnerability allowed malicious contracts to manipulate liquidity pools and execute unauthorized transfers — not due to private key leaks, but a logic weakness within the contract design itself.

Key Details:

• Attack vector: improper callback authorization
• Target: Balancer V2 Vault smart contracts
• Impact: $116M stolen across multiple blockchains

Type of assets affected: ETH and multiple liquid staking tokens (LSTs) such as WETH, rETH, frxETH, osETH, and rsETH

Chains and Assets Affected

(Image source: lookonchain)

Blockchain analysis confirmed that the Ethereum mainnet bore the brunt of the losses. However, the exploit extended across major networks including Arbitrum, Base, Sonic, Optimism, and Polygon, showcasing the attacker’s deep technical understanding of cross-chain liquidity structures.

Technical Breakdown

Security analysts discovered that the hacker deployed malicious contracts during pool initialization, exploiting a timing issue in the Vault’s state update mechanism. The vulnerability enabled unauthorized swaps and cross-pool balance manipulation, allowing for rapid fund extraction before detection.

Auditors from kebabsec and other independent developers noted that the flaw originated from state inconsistencies before asset withdrawal, rather than a straightforward permission check failure.

Ecosystem Reactions

As panic spread through the DeFi community, several projects with integrations to Balancer moved quickly:

• Lido withdrew unaffected liquidity positions to prevent exposure.
• Berachain temporarily halted its network and announced an emergency hard fork to patch vulnerabilities linked to Balancer V2.
• Berachain’s founder, Smokey The Bera, confirmed coordination with centralized exchanges to blacklist attacker wallets and suspend key protocol functions such as bridging, lending, and HONEY minting.

On-Chain Movements and the “Whale Reaction”

(Image source: lookonchain)

Blockchain trackers observed dramatic activity from a dormant wallet (0x0090) that had been inactive for over three years. Moments after the exploit was disclosed, the whale withdrew over $6.5 million from Balancer — a clear indicator of the market’s growing fear and DeFi users’ hypersensitivity to protocol security.

Tracking the Attacker

On-chain data shows the hacker has been systematically converting stolen LSTs into ETH and USDC through Cow Protocol and various DEX platforms.

Example: 10 osETH → 10.55 ETH, a sign of ongoing laundering through decentralized exchanges and token mixers.

So far, no recovery attempts have succeeded, with security teams focusing on address flagging and real-time monitoring.

How Users Can Protect Themselves

If you interacted with Balancer or hold assets in its pools, immediate steps are recommended:

1.Withdraw all funds from Balancer V2 pools to minimize potential losses.

2.Revoke approvals using tools like Revoke.cash or DeBank to prevent further access by compromised contracts.

3.Stay informed by following Balancer’s official updates and community security channels.

A Wake-Up Call for DeFi Security

The Balancer exploit underscores a persistent issue in DeFi — the fragility of smart contract systems. While decentralization empowers users, it also places the full weight of risk on them and the developers maintaining protocol integrity.

This incident serves as both a devastating loss and a critical learning moment for the industry, emphasizing the need for more rigorous audits, layered defense mechanisms, and faster incident response frameworks.

Conclusion

The Balancer attack is not merely another DeFi hack — it’s a defining event in the ongoing evolution of blockchain security. As projects rebuild and users regain trust, one lesson remains clear: innovation must not come at the expense of security.

Disclaimer:

This is not investment advice. This information is provided for informational purposes only and should not be construed as a recommendation to buy, sell, or hold any asset. Cryptocurrency trading involves a risk of loss. Gate US services may be restricted in certain jurisdictions. For more information, please see our legal disclosures: https://us.gate.com/legal/disclosures