Balancer code issue causes losses exceeding 100 million, delivering an almost devastating blow to the DeFi industry
A typical occurrence during bear markets: a security incident has happened to a long-established protocol.
Original Title: "Veteran DeFi Falls: Balancer V2 Contract Vulnerability, Over $1.1 Billion in Assets Stolen"
Original Author: Wenser, Odaily
Note from Rhythm: Today, the DeFi protocol Balancer suffered a hacker attack, with the amount of stolen funds now exceeding $1.16 billion. Several projects have taken self-rescue measures: Lido has withdrawn its unaffected Balancer positions; Berachain has announced a network suspension to carry out an emergency hard fork that fixes the BEX vulnerability related to Balancer V2.
In addition, Hasu, Strategic Director of Flashbots and Strategic Advisor to Lido, posted, "Balancer v2 launched in 2021 and has since become one of the most watched and frequently forked smart contracts. This is very concerning. Every time a contract that has been live for so long is attacked, it sets DeFi adoption back by 6 to 12 months." The following is the original content:
On November 3, the veteran DeFi protocol Balancer was reported to have lost over $70 million in assets to theft. Subsequently, this news was confirmed by multiple sources, and the scale of stolen funds continued to rise. At the time of writing, the amount of assets stolen from Balancer has increased to over $1.16 billion. Odaily provides a brief analysis of this incident in this article.
Details of the Balancer Theft: Losses Exceed $1.16 Billion, Mainly Due to V2 Pool Smart Contract Vulnerability
According to on-chain information, the Balancer attacker has now stolen more than $1.16 billion. The main stolen assets include WETH, wstETH, osETH, frxETH, rsETH, and rETH, spread across multiple chains such as ETH, Base, Sonic, and others. Specifically:
· Assets stolen on Ethereum: about $1 billion;
· Assets stolen on Arbitrum: about $8 million;
· Assets stolen on Base: about $3.95 million;
· Assets stolen on Sonic: over $3.4 million;
· Assets stolen on Optimism: about $1.57 million;
· Assets stolen on Polygon: about $230,000.

Crypto KOL Adi posted that preliminary investigations show that the attack mainly targeted Balancer's V2 vaults and liquidity pools, exploiting vulnerabilities in smart contract interactions. On-chain investigators pointed out that a maliciously deployed contract manipulated Vault calls during the initialization of liquidity pools. Incorrect authorization and callback handling allowed the attacker to bypass safeguards, enabling unauthorized swaps or balance manipulation between interconnected liquidity pools, resulting in rapid asset theft within minutes.
Based on current information, there was no private key leak; this was purely a smart contract vulnerability.
@okkothejawa, an auditor at kebabsec and a Citrea developer, also posted, "(The check error mentioned by @moo9000) may not be the root cause, as in all 'manageUserBalance' calls ops.sender == msg.sender. The security vulnerability may have occurred in the transaction before the contract for asset extraction was created, as it caused some state changes in the Balancer vault."
Balancer's official team also responded: "The official team is aware of the potential vulnerability affecting Balancer v2 pools. Our engineering and security teams are prioritizing the investigation. Once more information is available, we will immediately share verified updates and next steps."
Berachain, which also faces potential asset risk, responded immediately. After a post from the Berachain Foundation, Berachain founder Smokey The Bera stated, "The Bera node group has proactively suspended the public chain to prevent the impact of the Balancer vulnerability on BEX (mainly the USDe three-pool).
· Requesting the Ethena team to disable Bera bridging
· Disabling/pausing USDe deposits in the lending market
· Pausing HONEY token minting and redemption
· Communicating with CEXs and others to ensure hacker addresses are blacklisted
Our goal is to recover funds as quickly as possible and ensure the safety of all LPs. The Berachain team will release binaries to relevant node validators and service providers as soon as they are ready (since the pool contains non-native assets, some slot restructuring is involved, not just modifying Bera token balances)."
With Balancer Hacked, Crypto Whales Are the Most Anxious
As a veteran DeFi protocol, Balancer's users are undoubtedly the most directly affected by this theft. For current users, actions that can be taken include:
· Withdrawing funds from Balancer v2 pools to avoid further losses;
· Revoking authorizations: Use Revoke, DeBank, or Etherscan to cancel smart contract permissions for Balancer addresses to avoid potential security risks;
· Staying alert: Closely monitor the next moves of the Balancer attacker and whether there will be a chain reaction affecting other DeFi protocols.
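The "revoking authorizations" step above comes down to reading each token's ERC-20 `allowance(owner, spender)` and sending `approve(spender, 0)` where it is non-zero. The following is an added example, not part of the original article, that builds those calls and classifies the results offline; every address and RPC result in it is a constructed placeholder, and the real spender address has to come from an official source.

```python
# Added example: audit and revoke ERC-20 allowances granted to one spender contract.
ALLOWANCE_SELECTOR = "dd62ed3e"  # allowance(address,address)
APPROVE_SELECTOR = "095ea7b3"    # approve(address,uint256)
MAX_UINT256 = 2**256 - 1

def _addr_word(addr):
    """Left-pad a 20-byte hex address to a 32-byte ABI word."""
    h = addr.lower().removeprefix("0x")
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a 20-byte address: {addr}")
    return h.rjust(64, "0")

def allowance_call(token, owner, spender, req_id=1):
    """JSON-RPC eth_call body that reads allowance(owner, spender) on token."""
    data = "0x" + ALLOWANCE_SELECTOR + _addr_word(owner) + _addr_word(spender)
    return {"jsonrpc": "2.0", "id": req_id, "method": "eth_call",
            "params": [{"to": token, "data": data}, "latest"]}

def revoke_calldata(spender):
    """Calldata for approve(spender, 0), to be sent to the token contract."""
    return "0x" + APPROVE_SELECTOR + _addr_word(spender) + "0" * 64

def classify(result_hex):
    """Decode the uint256 returned by allowance() and label the exposure."""
    h = result_hex.removeprefix("0x")
    if len(h) != 64:
        raise ValueError("expected one 32-byte word")
    value = int(h, 16)
    if value == 0:
        return value, "none"
    return value, "unlimited" if value == MAX_UINT256 else "limited"

def audit(spender, responses):
    """Map token -> (label, revoke calldata or None) from eth_call results."""
    report = {}
    for token, result_hex in responses.items():
        _, label = classify(result_hex)
        report[token] = (label, None if label == "none" else revoke_calldata(spender))
    return report

OWNER = "0x" + "11" * 20      # placeholder wallet address
SPENDER = "0x" + "22" * 20    # placeholder for the contract being revoked
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20  # placeholder tokens
SAMPLE = {TOKEN_A: "0x" + "f" * 64, TOKEN_B: "0x" + "0" * 64}  # constructed results

if __name__ == "__main__":
    print(allowance_call(TOKEN_A, OWNER, SPENDER))
    for tok, (label, data) in audit(SPENDER, SAMPLE).items():
        print(tok, label, data)
```

The request bodies go to any Ethereum JSON-RPC endpoint, and the revoke calldata is the `data` field of a transaction sent to the token contract from the wallet that granted the approval.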
In addition, this theft incident drew market attention to a crypto whale that had been dormant for three years.
According to LookonChain monitoring, a crypto whale 0x0090, dormant for three years, just woke up after the Balancer platform vulnerability occurred, urgently withdrawing about $6.5 million in related assets from Balancer.
Follow-up: Hacker Begins Token Swapping
According to on-chain analyst Yujin, the hacker behind the Balancer theft has begun trying to swap various liquid staking tokens (LST) for ETH. Previously, they swapped 10 osETH for 10.55 ETH.
On-chain information shows the hacker is continuously using Cow Protocol to swap stolen assets from multiple chains for ETH, USDC, and other assets. At present, the hope of recovering these stolen assets seems slim.

Odaily will continue to follow whether Balancer can promptly identify the protocol contract vulnerability and either recover the stolen assets or provide corresponding solutions.
