Balancer suffers $128m smart contract exploit despite multiple audits
DeFi protocol Balancer likely exploited across several blockchains. Illustration: Hilary B; Source: Shutterstock
  • Balancer attacked across multiple blockchains.
  • Exploits affected Balancer v2.
  • Several Balancer forks also impacted.

On Monday, Balancer, a DeFi liquidity protocol with $678 million in investor assets, lost $128 million due to a suspected malicious exploit.

Onchain data show the suspected attacker targeted funds in the protocol’s v2 vaults, which act as its central liquidity engine that aggregates tokens and facilitates trades between different liquidity pools.

“We are aware of a potential exploit impacting Balancer v2 pools,” the team said on X while adding that an investigation was underway.

Balancer didn’t immediately return a request for comment.

Losses from crypto hacks and exploits have already barrelled past $2.2 billion this year, a record-breaking sum. That’s despite considerable efforts by crypto projects to improve their security with bug bounties and audits.


Balancer’s website lists full audits of its v2 smart contracts conducted by security firms including OpenZeppelin, Trail of Bits, Certora, and ABDK.

Those firms didn’t immediately return requests for comment.

The attacker likely used an invariant manipulation attack to target Balancer’s v2 vaults, according to an initial assessment by security outfit BlockSec.

“This was a highly sophisticated exploit,” BlockSec tweeted.

Invariants are mathematical relations between the token balances in a liquidity pool that every swap must preserve; in protocols like Balancer, the price a pool quotes for a trade is derived from that invariant.

The attacker likely deployed malicious smart contracts and fake tokens to falsify those invariant inputs that control the prices of tokens in Balancer’s liquidity pools, onchain data shows.

That likely enabled the attacker to manipulate the exchange rate of tokens, allowing the exploiter to swap tokens at wildly favourable prices.

The result? The liquidity in the pool is drained.
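To make the pricing-from-an-invariant point concrete, here is an added illustration (not Balancer’s code and not a reconstruction of this exploit). It implements the weighted-pool invariant V = Π B_i^w_i and the out-given-in formula from Balancer’s published weighted-pool math, then shows what happens when the pool prices a swap from a falsified balance. The `reported_balances` parameter is a hypothetical knob that stands in for whatever lets an attacker feed the formula a wrong input; the pool, token names and amounts are constructed. The `guard` flag shows the check a pool can make: recompute the invariant on the true balances after the swap and reject anything that would lower it.

```python
# Added illustration: a weighted-pool invariant, a swap priced from it, and the
# effect of feeding the pricing formula a falsified balance. Not Balancer's code.


def weighted_invariant(balances, weights):
    """V = prod(B_i ** w_i), weights summing to 1. A fee-free swap priced
    correctly from the true balances leaves V unchanged."""
    v = 1.0
    for balance, weight in zip(balances, weights):
        v *= balance ** weight
    return v


def out_given_in(balance_in, weight_in, balance_out, weight_out, amount_in):
    """Balancer weighted-pool formula (from the published whitepaper):
    A_o = B_o * (1 - (B_i / (B_i + A_i)) ** (w_i / w_o))"""
    ratio = balance_in / (balance_in + amount_in)
    return balance_out * (1.0 - ratio ** (weight_in / weight_out))


class WeightedPool:
    def __init__(self, balances, weights):
        self.balances = dict(balances)   # true balances held by the pool
        self.weights = dict(weights)

    def invariant(self, balances=None):
        bal = self.balances if balances is None else balances
        tokens = sorted(bal)
        return weighted_invariant([bal[t] for t in tokens],
                                  [self.weights[t] for t in tokens])

    def swap(self, token_in, token_out, amount_in,
             reported_balances=None, guard=False):
        """Price a swap from `reported_balances` (hypothetical attacker-controlled
        input; defaults to the true balances). With guard=True the swap is
        rejected if the invariant computed on the TRUE balances would fall."""
        reported = self.balances if reported_balances is None else reported_balances
        amount_out = out_given_in(reported[token_in], self.weights[token_in],
                                  reported[token_out], self.weights[token_out],
                                  amount_in)
        if amount_out > self.balances[token_out]:
            raise ValueError("pool cannot pay out more than it holds")
        after = dict(self.balances)
        after[token_in] += amount_in
        after[token_out] -= amount_out
        if guard and self.invariant(after) < self.invariant() * (1 - 1e-9):
            raise ValueError("invariant would drop; swap rejected")
        self.balances = after
        return amount_out


def demo():
    """Constructed scenario: a 50/50 pool of 1000 X and 1000 Y."""
    balances, weights = {"X": 1000.0, "Y": 1000.0}, {"X": 0.5, "Y": 0.5}

    # Honest swap: 100 X buys about 90.9 Y and the invariant stays at 1000.
    honest = WeightedPool(balances, weights)
    fair_out = honest.swap("X", "Y", 100.0)

    # Falsified input: the formula is told the pool holds only 10 X, so it
    # quotes 100 X as a huge share of the pool and pays out about 909 Y.
    lie = {"X": 10.0, "Y": 1000.0}
    victim = WeightedPool(balances, weights)
    inflated_out = victim.swap("X", "Y", 100.0, reported_balances=lie)

    # Same lie against a pool that re-checks the invariant on true balances.
    guarded = WeightedPool(balances, weights)
    try:
        guarded.swap("X", "Y", 100.0, reported_balances=lie, guard=True)
        blocked = False
    except ValueError:
        blocked = True

    return {
        "fair_out": fair_out,                  # ~90.91 Y
        "inflated_out": inflated_out,          # ~909.09 Y for the same 100 X
        "honest_invariant": honest.invariant(),  # ~1000 (preserved)
        "victim_invariant": victim.invariant(),  # ~316 (value drained)
        "guard_blocked": blocked,              # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The drained pool’s invariant falls from 1000 to about 316 while the honest pool’s stays at 1000, which is why a post-swap invariant check on true balances is a cheap safety net even when the pricing path itself has been fooled.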

The suspected attack seemingly swept across Balancer deployments on Ethereum, Base, Polygon, and Arbitrum, with the heaviest impact on Ethereum, as the exploit drained $100 million from the protocol’s coffers.

Balancer forks have also been impacted, including Beets on the Sonic Chain and Beethoven on the Optimism blockchain.

And the danger isn’t over.

There are at least 27 Balancer forks across multiple blockchains, many still vulnerable. That’s because onchain data shows the suspected attacker’s address is still spawning new contracts and minting new custom tokens, hinting at an expanding exploit campaign, rather than a digital hit-and-run.

Meanwhile, a Polymarket bet tied to crypto hacks may soon be resolved because of the Balancer exploit. The market asked whether there would be another crypto hack with losses north of $100 million before the end of the year.

Osato Avan-Nomayo is our Nigeria-based DeFi correspondent. He covers DeFi and tech. Got a tip? Please contact him at osato@dlnews.com.