Decentralized protocol Balancer suffered an exploit, with attackers managing to drain over $116 million worth of wrapped ETH. The project’s team offered the hackers a bounty in exchange for returning the stolen funds.
The Balancer team, which operates the decentralized exchange and automated market maker, reported a potential vulnerability in the DeFi protocol affecting Balancer v2 pools.
According to Etherscan logs, an initial $70.9 million was withdrawn from the protocol, but within a few hours, the amount increased to $116.6 million. Data from Nansen shows that the transfers included wrapped Ethereum tokens:
- 6,850 StakeWise Staked ETH (OSETH);
- 6,590 Wrapped Ether (WETH);
- 4,260 Lido wstETH (wSTETH).
The attack targeted Balancer v2 pools and several of its forks. The likely cause of the exploit was a bug in the smart contract that allowed the attackers to execute an unauthorized withdrawal command.
The Balancer team announced an investigation into the incident and offered the hacker 20% of the stolen funds’ value if the assets are returned within 48 hours. Otherwise, Balancer intends to cooperate with blockchain analysts and law enforcement agencies to identify the perpetrator.
Cross-chain protocols are considered among the most vulnerable segments of the DeFi sector. This, however, isn’t Balancer’s first major attack. In 2020, the protocol lost about $0.5 million in a flash loan attack, and in August 2023, nearly $1 million was drained from its liquidity pools due to another exploit. Two years ago, attackers also hijacked Balancer’s DNS and redirected users to a phishing page, stealing around $238,000.
Following the attack, validators of the Berachain blockchain, where some of Balancer’s assets are hosted, temporarily halted the network for an emergency update. According to the Berachain Foundation, a hard fork will allow the DEX to resume operations and recover the stolen funds.
