Original title: "Established DeFi Platform Falls: Balancer V2 Contract Vulnerability Leads to the Theft of Over $110 Million in Assets"

Original author: Wenser, Odaily Planet Daily

On November 3rd, it was reported that Balancer, a long-established DeFi protocol, had suffered a theft of over $70 million in assets. This news was subsequently confirmed by multiple sources, and the amount of stolen funds continued to rise. As of this writing, the amount of stolen assets from Balancer has increased to over $116 million. Odaily will provide a brief analysis of this matter in this article.

Details of the Balancer theft: Losses exceeded $116 million, primarily due to a vulnerability in the v2 pool smart contract.

According to on-chain information, the Balancer attackers have stolen over $116 million, primarily in the form of WETH, wstETH, osETH, frxETH, rsETH, and rETH, distributed across multiple chains including ETH, Base, and Sonic.

• Assets stolen from the Ethereum blockchain: approximately $100 million;

• Nearly $8 million in assets stolen from the Arbitrum blockchain;

• Stolen assets on the Base blockchain: nearly $3.95 million;

• Stolen assets on the Sonic blockchain: Over $3.4 million;

• Optimism on-chain stolen assets: nearly $1.57 million;

• Stolen assets on the Polygon blockchain: approximately $230,000.

Crypto KOL Adi reported that preliminary investigations indicate the attack primarily targeted Balancer's V2 vaults and liquidity pools, exploiting vulnerabilities in smart contract interactions. On-chain investigators pointed out that a maliciously deployed contract manipulated Vault calls during liquidity pool initialization. Incorrect authorization and callback handling allowed the attacker to bypass safeguards, enabling unauthorized swaps or balance manipulation between interconnected liquidity pools, resulting in the rapid theft of assets within minutes.

Based on the available information, there is no private key leak; this is purely a smart contract vulnerability.

Kebabsec auditor and Citrea developer @okkothejawa also posted, stating that "(the check error mentioned by @moo9000) may not be the root cause, because ops.sender == msg.sender in all 'manageUserBalance' calls. The security vulnerability may have occurred in a transaction before the contract for withdrawing assets was created, as it caused some state changes in the Balancer vault."

Balancer has responded, stating, "The official team is aware of the potential vulnerability affecting Balancer v2 pools. Our engineering and security teams are investigating this as a high priority. We will share verified updates and follow-up steps as soon as we obtain more information."

Berachain, which faces potential asset damage risks, responded immediately. Following the Berachain Foundation's statement, Berachain founder Smokey The Bera stated that "the Bera node group has proactively suspended the operation of the public chain to prevent the Balancer vulnerability from affecting BEX (mainly the USDe three pools)."

• Have the Ethena team disable Bera bridging.

• USDe deposits are disabled/suspended in the lending market.

• Suspension of HONEY token minting and exchange

• Communicate with CEX and other entities to ensure that the hacker's address is blacklisted.

Our goal is to recover funds as quickly as possible and ensure the safety of all LPs. The Berachain team will release the binary to relevant node validators and service providers as soon as it is ready (this involves some slot refactoring, etc., and not just modifying the Bera token balance, as the pool contains non-native assets).

For detailed on-chain information regarding the Balancer attacker, please see: https://intel.arkm.com/explorer/entity/cd756cb8-6a84-4f40-9361-f6c548544430

The Balancer hack has alarmed crypto whales the most.

As a long-established DeFi protocol, Balancer users are undoubtedly the most directly affected by this theft. For users now, the following actions can be taken:

• Withdraw funds from the Balancer v2 pool to prevent further losses;

• Revoke authorization: Use Revoke, DeBank, or Etherscan to revoke smart contract permissions for a Balancer address to avoid potential security risks;

• Stay alert: Closely monitor the Balancer attackers' next move and whether it will have a cascading impact on other DeFi protocols.

In addition, a crypto whale that had been dormant for three years was among the victims that attracted market attention during this theft.

According to LookonChain monitoring, a crypto whale, 0x0090, which had been dormant for three years, has just awakened after the Balancer platform vulnerability occurred, and is eager to withdraw its $6.5 million worth of assets from Balancer. On-chain information can be found at: https://intel.arkm.com/explorer/address/0x009023dA14A3C9f448B75f33cEb9291c21373bD8

Follow-up developments: Hackers begin token exchange scheme

According to on-chain analyst Ember, the hackers involved in the Balancer theft have begun attempting to exchange numerous Liquidity Staking Tokens (LST) for ETH. Previously, they exchanged 10 osETH for 10.55 ETH.

On-chain information shows that hackers are using Cow Protocol to continuously exchange stolen assets across multiple blockchains for assets such as ETH and USDC. Currently, the chances of recovering these stolen assets appear slim.

Odaily will continue to follow up on whether Balancer can find the vulnerability in the protocol contract in time and recover the stolen assets or provide a corresponding solution.