Six incidents in five years with losses exceeding 100 million: A history of hacker attacks on the veteran DeFi protocol Balancer
Chainfeeds Guide:
For bystanders, DeFi is a novel social experiment; for participants, DeFi hacks are expensive lessons.
Source:
TechFlow
Opinion:
TechFlow: After the incident, Balancer’s official team quickly released an announcement, admitting that a vulnerability attack potentially affecting V2 pools had been discovered. They stated that the engineering and security teams were investigating the incident with high priority and would announce verification results and follow-up measures once more information was available. At the same time, the team announced a willingness to offer a 20% white-hat bounty for the stolen assets to recover the funds, with a 48-hour deadline. Although the response was swift, it still sounded bureaucratic and failed to ease community anxiety.

For DeFi veterans, Balancer being hacked has almost become a cyclical news item. Since its establishment in 2020, this once-renowned flexible market maker protocol has suffered six security incidents in five years, almost facing an annual hacker “parade.”

In June 2020, Balancer lost about $520,000 due to a vulnerability in handling the deflationary token STA. The attacker exploited STA’s automatic 1% fee burn on transfers, borrowed 104,000 ETH from dYdX, and conducted 24 looped trades in the pool until all STA was depleted, leaving only 1 wei, then swapped for ETH, WBTC, LINK, and SNX at an extremely unbalanced price. This event marked Balancer’s first major setback and revealed the protocol’s fragile foundation in complex token compatibility design.

In the following years, Balancer repeatedly suffered security incidents. In March 2023, it was implicated in the Euler Finance attack, losing about $11.9 million. At that time, Euler suffered a $197 million flash loan attack, and Balancer’s bb-e-USD pool held Euler eToken, resulting in affected funds being transferred to Euler, accounting for 65% of the pool’s TVL. Although the team urgently froze the pool, the losses were irrecoverable.

In August of the same year, the V2 pool suffered a “rounding error” vulnerability attack. The attacker exploited precision deviations in the Boosted Pool, causing anomalies in BPT supply calculations and extracting assets at improper exchange rates. Although Balancer proactively issued a warning on August 22 and asked users to withdraw funds, five days later the hacker still succeeded, causing a loss of about $2.1 million.

In September, a DNS hijacking incident occurred, where hackers used social engineering to compromise the registrar EuroDNS, hijacked the balancer.fi domain, and redirected users to a phishing site, using the Angel Drainer malicious contract to induce authorization transfers. Although this incident was not a smart contract vulnerability, it highlighted the vulnerability of Web3 protocols at the traditional internet security layer.

In June 2024, Balancer’s fork project Velocore was hacked, losing $6.8 million due to an overflow vulnerability in the CPMM pool design, highlighting the systemic risks of Balancer-style architecture.

The November 2025 attack is the most severe to date. Security firms Decurity and Defimon Alerts pointed out that the vulnerability stemmed from an access control logic error in the V2 protocol’s manageUserBalance function. Normally, the system should verify whether the caller is the account owner, but the code mistakenly checked whether msg.sender was equal to the user-defined parameter op.sender. Since op.sender could be arbitrarily set by the user, the attacker could forge an identity and bypass permission checks to execute the WITHDRAW_INTERNAL operation, directly extracting assets from any account’s vault. In other words, anyone could impersonate any account owner to withdraw funds. Such a fundamental access control error appearing in a mature protocol running for five years is shocking.
Looking back, Balancer’s complexity and rapid iteration have led to increasingly blurred security boundaries—the custom-weight pool design allowing up to eight tokens increases flexibility but exponentially expands the attack surface. As features accumulate and technical debt builds up, Balancer’s code structure resembles a fragile tower of blocks. The latest vulnerability reveals not just a contract mistake, but a deeper concern about DeFi’s development path: amid narrative and capital frenzy, code robustness seems to have become a secondary consideration.
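The class of flaw the opinion piece describes for manageUserBalance, an authorization decision that rests on the caller-supplied op.sender field instead of the authenticated transaction sender, is shown below in a small Python model of a vault's internal balances. This is an added illustration, not Balancer's contract code: ToyVault, its relayer table and the account names are constructed; the hardened variant binds every op to msg_sender (the account itself or a relayer it approved) before debiting anything.

```python
from dataclasses import dataclass, field

WITHDRAW_INTERNAL = "WITHDRAW_INTERNAL"


class Unauthorized(Exception):
    """Raised when the transaction sender may not act for op.sender."""


@dataclass
class UserBalanceOp:
    kind: str        # e.g. WITHDRAW_INTERNAL
    asset: str
    amount: int
    sender: str      # account to debit; caller-controlled calldata
    recipient: str   # where the withdrawn assets go


@dataclass
class ToyVault:
    balances: dict = field(default_factory=dict)  # account -> {asset: amount}
    relayers: dict = field(default_factory=dict)  # user -> approved relayer set

    def _debit(self, account, asset, amount):
        have = self.balances.get(account, {}).get(asset, 0)
        if have < amount:
            raise ValueError("insufficient internal balance")
        self.balances.setdefault(account, {})[asset] = have - amount

    def _authenticate_for(self, msg_sender, user):
        # Hardened rule: the transaction sender must be the account itself or a
        # relayer that account approved; the op.sender field alone proves nothing.
        if msg_sender != user and msg_sender not in self.relayers.get(user, set()):
            raise Unauthorized(f"{msg_sender} may not act for {user}")

    def manage_user_balance_vulnerable(self, msg_sender, ops):
        # FLAW: the account to debit is taken from op.sender, a field the caller
        # wrote into calldata, so any caller can name any account.
        out = []
        for op in ops:
            if op.kind == WITHDRAW_INTERNAL:
                self._debit(op.sender, op.asset, op.amount)
                out.append((op.recipient, op.asset, op.amount))
        return out

    def manage_user_balance_fixed(self, msg_sender, ops):
        out = []
        for op in ops:
            self._authenticate_for(msg_sender, op.sender)  # bind to msg_sender
            if op.kind == WITHDRAW_INTERNAL:
                self._debit(op.sender, op.asset, op.amount)
                out.append((op.recipient, op.asset, op.amount))
        return out
```

The review question this model makes concrete: for every privileged op, which value does the code authenticate, and can the caller choose it?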
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.