Balancer Exploited: $116M Drained in Major DeFi Hack

Decentralized finance protocol Balancer has fallen victim to what appears to be one of the largest DeFi exploits of the quarter.

According to data from Nansen, approximately $70.9 million worth of assets were initially moved to a fresh wallet, before investigators confirmed total stolen funds have surged to around $116.6 million.

Tokens moved in the first wave included 6.85K osETH, 6.59K WETH, and 4.26K wstETH, all transferred within minutes of each other to a new address controlled by the attacker.

At the time of writing, Balancer has yet to release a full post-mortem, but the team has confirmed the exploit targeted its V2 Composable Stable Pools.

How the Attack Happened

On-chain data shows the attacker exploited a vulnerability in Balancer’s V2 vaults and liquidity pools, specifically one tied to how the protocol handles smart contract interactions.

Investigators say the attacker deployed a malicious contract that manipulated Vault calls during pool initialization, allowing them to bypass Balancer’s usual safeguards. The flaw lay in improper authorization and callback handling, enabling the attacker to execute unauthorized swaps and balance manipulations across interconnected pools.

This wasn’t a slow drain; it happened fast. Within minutes, multiple pools were emptied as the exploiter chained together transactions that interacted across Balancer’s composable structure.

A key transaction on Ethereum mainnet, tx: 0xd155207261712c35fa3d472ed1e51bfcd816e616dd4f517fa5959836f5b48569, funneled millions into a new wallet. Funds were then consolidated and appear to be routed toward mixers or bridges, likely to obscure the trail.

Why the Composable Design Amplified the Exploit

Balancer’s composable architecture is one of its core innovations, allowing multiple liquidity pools to interact dynamically. However, this flexibility also increases risk. When a flaw appears in one part of the system, it can cascade across several connected pools.

In this case, that’s exactly what happened. The exploit leveraged Balancer’s interconnected pool logic, making it possible to perform recursive swaps that pulled liquidity from multiple pools in a single coordinated strike.

Similar design-related vulnerabilities have affected other automated market makers (AMMs) in the past, especially those that handle deflationary tokens or rely heavily on pool rebalancing mechanisms.

This wasn’t a private key compromise; it was a pure smart contract exploit, emphasizing again how even audited DeFi protocols remain exposed to composability-driven risks.

Breakdown of Stolen Funds

Here’s the current picture of the stolen assets across networks, based on data aggregated by Nansen and on-chain analysts:

  •  Ethereum Mainnet: ~$70M drained, the primary hit
  •  Base & Sonic Networks: ~$7M combined
  •  Other chains: ~$2M+

Main stolen tokens:

WETH, wstETH, osETH, frxETH, rsETH, and rETH, bringing the total loss to roughly $110–116M across all affected networks.

At the time of the attack, Balancer (BAL) was trading around $3.38, down slightly following news of the exploit, according to CoinMarketCap.

Balancer’s Official Response

Shortly after the incident, Balancer’s team confirmed the exploit in an official statement posted on X (Twitter):

“Today, around 7:48 AM UTC, an exploit affected Balancer V2 Composable Stable Pools.

Our team is working with leading security researchers to understand the issue and will share a full post-mortem as soon as possible.”

The team noted that because the affected pools had been live on-chain for several years, many were outside the pause window, meaning they couldn’t be frozen in time to prevent the drain. Pools that could be paused have since been moved into recovery mode.

Importantly, Balancer emphasized that V3 pools and other non-Composable pools remain unaffected.

“This issue is isolated to V2 Composable Stable Pools and does not impact Balancer V3 or other Balancer pools.”

The protocol reiterated its commitment to security and transparency, highlighting its history of audits and bug bounties to encourage independent testing.

Balancer also issued a fraud alert, warning users of fake security messages circulating in the wake of the hack:

“Fraudulent messages claiming to be from the Balancer Security Team are circulating. These are not from us. Do not interact with unsolicited communications or click unknown links.”

Official updates, the team stressed, will only come from.

Community and Analyst Reactions

Blockchain analytics platforms moved quickly. Nansen first flagged the suspicious transfers, confirming the flow of funds from Balancer’s vaults into a fresh address.

Lookonchain also tracked the wallet activity in real time, providing a detailed breakdown of token movements and timing.

Meanwhile, auditing firms such as PeckShield are assisting in forensic analysis, aiming to map the exploit path and assess whether additional vulnerabilities remain open.

What You Should Do if You’re Exposed

If you have funds in Balancer V2 pools, experts recommend taking immediate action:

1. Withdraw Immediately: Remove liquidity from Balancer V2 pools, particularly those still flagged as vulnerable.

2. Revoke Approvals: Use tools like Revoke, DeBank, or Etherscan to cancel contract permissions linked to Balancer addresses.

3. Monitor Wallets: Keep an eye on your addresses through Etherscan or Dune Analytics dashboards for any unusual activity.

4. Stay Updated: Follow trusted accounts such as @lookonchain, @PeckShieldAlert, and @Balancer for verified updates.
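One way to carry out steps 2 and 3 offline, as an added example that is not from the article or from Balancer: the script below replays exported ERC-20 Approval event logs for a wallet in chain order and flags the allowances still live toward spender addresses you are watching. The spender, token and wallet addresses are constructed placeholders, not real Balancer contracts.

```python
"""Offline triage of ERC-20 approvals from exported event logs (added example,
not code from the article or from Balancer). Replays Approval logs in the
eth_getLogs shape so the latest approval per (token, spender) wins, then flags
live allowances to watched spenders. Addresses and amounts are constructed."""

# keccak256("Approval(address,address,uint256)"): the standard ERC-20 topic0
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1              # what "infinite approval" buttons usually grant
OWNER = "0x" + "a" * 40             # constructed wallet being checked
WATCHED_SPENDER = "0x" + "b" * 40   # placeholder, NOT a real Balancer address
OTHER_SPENDER = "0x" + "c" * 40
TOKEN_A, TOKEN_B = "0x" + "1" * 40, "0x" + "2" * 40
WATCHED = {WATCHED_SPENDER: "placeholder Balancer V2 Vault"}

def topic_to_address(topic: str) -> str:
    """Indexed address params are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()

def current_allowances(logs: list[dict], owner: str) -> dict[tuple[str, str], int]:
    """Final allowance per (token, spender) for `owner`, replayed in chain order."""
    owner = owner.lower()
    allowances: dict[tuple[str, str], int] = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if log["topics"][0] != APPROVAL_TOPIC or topic_to_address(log["topics"][1]) != owner:
            continue
        token, spender = log["address"].lower(), topic_to_address(log["topics"][2])
        allowances[(token, spender)] = int(log["data"], 16)   # later approval overwrites
    return allowances

def flag_live_approvals(allowances: dict, watched: dict = WATCHED) -> list[dict]:
    """Non-zero allowances granted to a watched spender, with unlimited ones marked."""
    return [{"token": t, "spender": s, "label": watched[s], "unlimited": amt == UNLIMITED}
            for (t, s), amt in allowances.items() if amt > 0 and s in watched]

def _log(block: int, idx: int, token: str, owner: str, spender: str, amount: int) -> dict:
    """Build a constructed log record in the JSON-RPC eth_getLogs shape."""
    pad = lambda addr: "0x" + "0" * 24 + addr[2:]
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x"), "blockNumber": block, "logIndex": idx}

# Constructed history, deliberately out of chain order to show that replay order matters.
SAMPLE_LOGS = [
    _log(120, 1, TOKEN_B, OWNER, WATCHED_SPENDER, 0),           # revoke of TOKEN_B (latest)
    _log(100, 3, TOKEN_A, OWNER, WATCHED_SPENDER, UNLIMITED),   # still live: unlimited
    _log(101, 7, TOKEN_B, OWNER, WATCHED_SPENDER, 10**18),      # superseded by the revoke
    _log(102, 2, TOKEN_A, OWNER, OTHER_SPENDER, 5),             # unwatched spender, ignored
    _log(103, 0, TOKEN_A, "0x" + "d" * 40, WATCHED_SPENDER, UNLIMITED),  # other owner
]

if __name__ == "__main__":
    for f in flag_live_approvals(current_allowances(SAMPLE_LOGS, OWNER)):
        print(f"revoke {f['token']} -> {f['spender']} ({f['label']}), unlimited={f['unlimited']}")
```

On a real wallet, feed it the `eth_getLogs` result filtered on `APPROVAL_TOPIC` and your address as the first indexed topic; every flagged row is an allowance worth revoking on-chain.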

For Balancer, this incident underscores how DeFi composability remains both a strength and a weakness. While it enables powerful integrations, it also multiplies risk across protocols.

The team’s quick response and collaboration with top security researchers show a commitment to containment and transparency, but recovery could take time.

As forensic data continues to surface, one thing is clear: the Balancer exploit serves as another reminder that DeFi remains an experimental frontier, where innovation and risk often walk hand in hand.

Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.
