Synopsis: Balancer suffered a $110 million exploit due to a vulnerability in its V2 smart contracts, allowing attackers unauthorized withdrawals. Funds moved to new wallets, triggering market selloffs and security concerns.

A new security breach has shaken the decentralized finance community. Balancer, a popular DeFi protocol with over $750 million locked, appears to have lost around $110 million after attackers drained funds across multiple blockchain networks. It’s the project’s largest exploit to date, and, as someone who has followed DeFi hacks for a while, I can say that this one feels especially alarming.

Blockchain data shows the stolen assets include 6,850 osETH, 6,590 WETH, and 4,260 wstETH. These tokens were transferred into a fresh wallet, apparently controlled by the attacker, raising fears that laundering could soon follow through cross-chain bridges or decentralized mixers.

How the Exploit Happened

Security tool Decurity revealed that the attack took advantage of faulty access control in Balancer’s “manageUserBalance” function. The flaw let anyone trigger internal withdrawals without permission. In simpler terms, the contract didn’t properly confirm who was allowed to act, giving the attacker complete freedom to pull funds from internal balances.

Researcher Defimon posted the exact cause online, stating that the vulnerability came from a logic check between msg.sender and a user-supplied op.sender. The weakness allowed execution of the UserBalanceOpKind.WITHDRAW_INTERNAL operation, essentially impersonating authorized owners. In plain English, the attacker fooled Balancer’s system into thinking they were legitimate users and quietly emptied the vault.
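The class of bug described above, shown as an added example that is not Balancer's code and not part of the original article: a simplified internal-balance ledger in which one withdrawal path trusts a caller-supplied op.sender and the other binds it to msg.sender. The contract name, function names, and relayer mapping are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed teaching model of an internal-balance ledger; NOT Balancer's code.
contract InternalLedger {
    enum OpKind { DEPOSIT_INTERNAL, WITHDRAW_INTERNAL }

    struct Op {
        OpKind kind;
        address sender;            // caller-supplied: the account to debit
        address payable recipient; // where the funds are sent
        uint256 amount;
    }

    mapping(address => uint256) public internalBalance;
    // owner => relayer => allowed (hypothetical delegation scheme)
    mapping(address => mapping(address => bool)) public approvedRelayer;

    function setRelayer(address relayer, bool ok) external {
        approvedRelayer[msg.sender][relayer] = ok;
    }

    function deposit() external payable {
        internalBalance[msg.sender] += msg.value;
    }

    // Flawed: op.sender arrives in calldata and is never tied to msg.sender,
    // so the account that gets debited is whatever the caller names.
    function withdrawUnchecked(Op calldata op) external {
        require(op.kind == OpKind.WITHDRAW_INTERNAL, "unsupported op");
        _withdraw(op);
    }

    // Hardened: the caller must be the named account or a relayer it approved.
    function withdrawChecked(Op calldata op) external {
        require(op.kind == OpKind.WITHDRAW_INTERNAL, "unsupported op");
        require(
            msg.sender == op.sender || approvedRelayer[op.sender][msg.sender],
            "caller not authorized for op.sender"
        );
        _withdraw(op);
    }

    // Balance is updated before the external call (checks-effects-interactions).
    function _withdraw(Op calldata op) private {
        internalBalance[op.sender] -= op.amount; // reverts on underflow in 0.8+
        (bool sent, ) = op.recipient.call{value: op.amount}("");
        require(sent, "transfer failed");
    }
}
```

When reviewing a fork or similar contract, the thing to look for is any state change keyed on an address taken from calldata without a preceding comparison against msg.sender or an explicit delegation record.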

From what we know, the first major transfers happened around 7:48 AM UTC on November 3, when over $70 million left Balancer’s core vault on Ethereum’s mainnet. The same flaw was soon used on forked projects like Beets Finance and Stream Finance, pushing total losses across the ecosystem beyond $120 million.

Fallout Across the Ecosystem

The immediate market reaction was harsh. Balancer’s BAL token fell more than 5%, while other connected DeFi assets briefly dipped. Ethereum itself saw a quick 2% swing as traders scrambled to adjust positions. Beets Finance confirmed losses of over $3 million, and other smaller projects tied to Balancer’s Version 2 (V2) codebase also suffered damages.

Interestingly, Balancer’s V3 pools remained safe because of new design safeguards and broader pause windows. The team quickly placed impacted pools in “recovery mode,” allowing users to withdraw funds at normal value. Still, many liquidity providers are anxious as total DeFi losses in 2025 have already surpassed $3 billion. It feels like a repeating pattern: audits happen, yet bugs still slip through. One developer even remarked that being “audited” in DeFi means very little when old code continues running unpatched.

Balancer confirmed in a public post that it isolated the issue to its V2 Composable Stable Pools. It promised a detailed post-mortem and a user compensation plan within 48 hours. The team also warned users not to fall for fake refund messages pretending to be official support, a classic post-hack scam.

What Happens Next

As of now, the attacker’s wallet still holds funds worth over $100 million in various Ethereum-based assets. Analysts are keeping an eye on known bridges to platforms like Tornado Cash and Aztec. Even after several security audits, this incident proves that vulnerabilities can hide for years. It’s a sobering reminder that open-source finance, while innovative, remains dangerously exposed.

For liquidity providers, the advice is clear: check your exposure using the Balancer app, withdraw from affected pools, and migrate to Version 3 for safer yields. Nexus Mutual and Sherlock, two DeFi insurance providers, have already opened claims desks for users who suffered losses.

While the broader protocol remains active, this marks Balancer’s third major breach after incidents in 2021 and 2023. Personally, I find it hard not to wonder how many more lessons the DeFi world needs before stronger security becomes the norm. Until then, cautious optimism, and perhaps a little skepticism, seems wise.

Written By Fazal Ul Vahab C H