The breach targeted Balancer V2’s Vault module, where attackers exploited a callback authorization flaw. This vulnerability allowed malicious contracts to manipulate liquidity pools and execute unauthorized transfers — not due to private key leaks, but a logic weakness within the contract design itself.
Type of assets affected: ETH and multiple liquid staking tokens (LSTs) such as WETH, rETH, frxETH, osETH, and rsETH

(Image source: lookonchain)
Blockchain analysis confirmed that the Ethereum mainnet bore the brunt of the losses. However, the exploit extended across major networks including Arbitrum, Base, Sonic, Optimism, and Polygon, showcasing the attacker’s deep technical understanding of cross-chain liquidity structures.
Security analysts discovered that the hacker deployed malicious contracts during pool initialization, exploiting a timing issue in the Vault’s state update mechanism. The vulnerability enabled unauthorized swaps and cross-pool balance manipulation, allowing for rapid fund extraction before detection.
Auditors from kebabsec and other independent developers noted that the flaw originated from state inconsistencies before asset withdrawal, rather than a straightforward permission check failure.
As panic spread through the DeFi community, several projects with integrations to Balancer moved quickly:

(Image source: lookonchain)
Blockchain trackers observed dramatic activity from a dormant wallet (0x0090) that had been inactive for over three years. Moments after the exploit was disclosed, the whale withdrew over $6.5 million from Balancer — a clear indicator of the market’s growing fear and DeFi users’ hypersensitivity to protocol security.
On-chain data shows the hacker has been systematically converting stolen LSTs into ETH and USDC through Cow Protocol and various DEX platforms.
Example: 10 osETH → 10.55 ETH, a sign of ongoing laundering through decentralized exchanges and token mixers.
So far, no recovery attempts have succeeded, with security teams focusing on address flagging and real-time monitoring.
If you interacted with Balancer or hold assets in its pools, immediate steps are recommended:
1.Withdraw all funds from Balancer V2 pools to minimize potential losses.
2.Revoke approvals using tools like Revoke.cash or DeBank to prevent further access by compromised contracts.
3.Stay informed by following Balancer’s official updates and community security channels.
The Balancer exploit underscores a persistent issue in DeFi — the fragility of smart contract systems. While decentralization empowers users, it also places the full weight of risk on them and the developers maintaining protocol integrity.
This incident serves as both a devastating loss and a critical learning moment for the industry, emphasizing the need for more rigorous audits, layered defense mechanisms, and faster incident response frameworks.
The Balancer attack is not merely another DeFi hack — it’s a defining event in the ongoing evolution of blockchain security. As projects rebuild and users regain trust, one lesson remains clear: innovation must not come at the expense of security.
This is not investment advice. This information is provided for informational purposes only and should not be construed as a recommendation to buy, sell, or hold any asset. Cryptocurrency trading involves a risk of loss. Gate US services may be restricted in certain jurisdictions. For more information, please see our legal disclosures: https://us.gate.com/legal/disclosures





