{"id":90602,"date":"2025-11-03T12:37:36","date_gmt":"2025-11-03T09:37:36","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=90602"},"modified":"2025-11-04T06:02:51","modified_gmt":"2025-11-04T03:02:51","slug":"balancer-defi-protocol-suffers-128m-hack","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/balancer-defi-protocol-suffers-128m-hack\/","title":{"rendered":"Balancer DeFi protocol suffers $128m hack"},"content":{"rendered":"<p>Unknown attackers breached the decentralised protocol Balancer. According to the latest data, at least $128m was drained.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Update: <a href=\"https:\/\/twitter.com\/Balancer?ref_src=twsrc%5Etfw\">@Balancer<\/a> and its forks are under attack, with total losses across multiple chains reaching ~$128.64M so far. <a href=\"https:\/\/t.co\/67XGX5RcRR\">https:\/\/t.co\/67XGX5RcRR<\/a> <a href=\"https:\/\/t.co\/FIwx20ALSz\">pic.twitter.com\/FIwx20ALSz<\/a><\/p>\n<p>\u2014 PeckShieldAlert (@PeckShieldAlert) <a href=\"https:\/\/twitter.com\/PeckShieldAlert\/status\/1985281156259201044?ref_src=twsrc%5Etfw\">November 3, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Nansen analysts were among the first to flag suspicious transfers of WETH, osETH and wstETH to a fresh wallet.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">.<a href=\"https:\/\/twitter.com\/Balancer?ref_src=twsrc%5Etfw\">@Balancer<\/a> potentially exploited.<\/p>\n<p>$70.9M moved to a fresh wallet. 
Tokens moved:<br \/>\u2014 6.85K <a href=\"https:\/\/twitter.com\/search?q=%24OSETH&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$OSETH<\/a><br \/>\u2014 6.59K <a href=\"https:\/\/twitter.com\/search?q=%24WETH&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$WETH<\/a><br \/>\u2014 4.26K <a href=\"https:\/\/twitter.com\/search?q=%24wSTETH&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$wSTETH<\/a> <a href=\"https:\/\/t.co\/kk1hnjmcIW\">pic.twitter.com\/kk1hnjmcIW<\/a><\/p>\n<p>\u2014 Nansen \ud83e\udded (@nansen_ai) <a href=\"https:\/\/twitter.com\/nansen_ai\/status\/1985257594525721081?ref_src=twsrc%5Etfw\">November 3, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The attack ran for several hours.<\/p>\n<p>Mikko Ohtamaa, co-founder and CEO of Trading Strategy, suggested a faulty smart-contract check was to blame. He added that concurrent transactions were altering internal balance accounting.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">An OG Ethereum DEX Balancer got rekt for ~$70M.<\/p>\n<p>GM.<\/p>\n<p>Root cause (kudos to Defimon Signals) was a faulty check.<\/p>\n<p>Still not clear what Balancer versions are affected, but not all of them. 
<a href=\"https:\/\/t.co\/eVfRugvZlO\">https:\/\/t.co\/eVfRugvZlO<\/a> <a href=\"https:\/\/t.co\/Ao6CkU0BFk\">pic.twitter.com\/Ao6CkU0BFk<\/a><\/p>\n<p>\u2014 Mikko Ohtamaa (@moo9000) <a href=\"https:\/\/twitter.com\/moo9000\/status\/1985262739493687351?ref_src=twsrc%5Etfw\">November 3, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>&#8220;Independent security experts have yet to determine exactly how these manipulations were carried out,&#8221; the specialist noted.<\/em><\/p>\n<\/blockquote>\n<p>According to <a href=\"https:\/\/x.com\/CyversAlerts\/status\/1985270019119329630\">Cyvers<\/a>, the hacker began laundering funds via <a href=\"https:\/\/forklog.com\/en\/news\/what-is-the-tornado-cash-mixer-and-why-was-it-sanctioned\">Tornado Cash<\/a>. Analysts at Lookonchain later <a href=\"https:\/\/x.com\/lookonchain\/status\/1985533272680776019\">noted<\/a> that the attacker started swapping the stolen funds for Ethereum. <\/p>\n<p>Amid the attack, the project\u2019s native token \u2014 BAL \u2014 fell by more than 11%. 
At the time of writing it trades at $0.8.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"599\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-5f0b97f969b6e233-8617480558436993-1024x599.png\" alt=\"Screenshot 2025-11-04 at 05.52.57\" class=\"wp-image-268887\" srcset=\"https:\/\/forklog.com\/wp-content\/uploads\/img-5f0b97f969b6e233-8617480558436993-1024x599.png 1024w, https:\/\/forklog.com\/wp-content\/uploads\/img-5f0b97f969b6e233-8617480558436993-300x176.png 300w, https:\/\/forklog.com\/wp-content\/uploads\/img-5f0b97f969b6e233-8617480558436993-768x449.png 768w, https:\/\/forklog.com\/wp-content\/uploads\/img-5f0b97f969b6e233-8617480558436993-1536x899.png 1536w, https:\/\/forklog.com\/wp-content\/uploads\/img-5f0b97f969b6e233-8617480558436993-2048x1199.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Hourly BAL\/USDT chart on OKX. Source: <a href=\"https:\/\/ru.tradingview.com\/chart\/atJ4mYHE\/?symbol=OKX%3ABALUSDT\">TradingView<\/a>. <\/figcaption><\/figure>\n<p>An influencer using the pseudonym Adi said the hackers exploited a vulnerability in Balancer V2 pools. They deployed a malicious contract that tricked the system when new liquidity pools were created.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Here&#8217;s everything you need to know about the Balancer Hack:<\/p>\n<p>1. The attack targeted Balancer&#8217;s V2 vaults and liquidity pools, exploiting a vulnerability in smart contract interactions. 
Preliminary analysis from on-chain investigators points to a maliciously deployed contract that\u2026 <a href=\"https:\/\/t.co\/udAM4hB0OD\">pic.twitter.com\/udAM4hB0OD<\/a><\/p>\n<p>\u2014 Adi (@AdiFlips) <a href=\"https:\/\/twitter.com\/AdiFlips\/status\/1985279811011457363?ref_src=twsrc%5Etfw\">November 3, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>&#8220;A faulty access-control check allowed the safeguards to be bypassed. That made it possible to move funds between linked pools without authorisation and siphon them off in minutes,&#8221; he said. <\/p>\n<\/blockquote>\n<p>The expert said the attack began with a transaction on Ethereum. The problem was exacerbated by Balancer\u2019s complex architecture, where pools interact heavily with each other. <\/p>\n<p>The project team <a href=\"https:\/\/x.com\/Balancer\/status\/1985283356582453588\">commented<\/a> on the incident, acknowledging the breach. <\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>&#8220;Our engineers and security specialists are investigating as a priority. We will share verified information and next steps immediately, as soon as we have additional data,&#8221; Balancer representatives wrote. <\/p>\n<\/blockquote>\n<h2 class=\"wp-block-heading\">Whales safeguard capital <\/h2>\n<p>In response to the incident, dormant whales using the protocol stirred. 
One withdrew $6.5m from the platform.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">A whale 0x0090, dormant for 3 years, just woke up after the <a href=\"https:\/\/twitter.com\/hashtag\/Balancer?src=hash&#038;ref_src=twsrc%5Etfw\">#Balancer<\/a> exploit \u2014 rushing to withdraw all $6.5M from the <a href=\"https:\/\/twitter.com\/hashtag\/Balancer?src=hash&#038;ref_src=twsrc%5Etfw\">#Balancer<\/a>.<\/p>\n<p>If you still have funds on <a href=\"https:\/\/twitter.com\/hashtag\/Balancer?src=hash&#038;ref_src=twsrc%5Etfw\">#Balancer<\/a>, \u26a0\ufe0f take action and secure them now.<a href=\"https:\/\/t.co\/ocNGGobPEd\">https:\/\/t.co\/ocNGGobPEd<\/a> <a href=\"https:\/\/t.co\/nnR5td0DmZ\">pic.twitter.com\/nnR5td0DmZ<\/a><\/p>\n<p>\u2014 Lookonchain (@lookonchain) <a href=\"https:\/\/twitter.com\/lookonchain\/status\/1985271970800521294?ref_src=twsrc%5Etfw\">November 3, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>In less than a day, Balancer\u2019s <span data-descr=\"total value locked\" class=\"old_tooltip\">TVL<\/span> halved \u2014 from $441m on 2 November to $270m now. 
<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"453\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-656537c82a0fb384-8563429947318308-1024x453.png\" alt=\"\u0421\u043d\u0438\u043c\u043e\u043a \u044d\u043a\u0440\u0430\u043d\u0430 2025-11-03 \u0432 14.52.09\" class=\"wp-image-268837\" srcset=\"https:\/\/forklog.com\/wp-content\/uploads\/img-656537c82a0fb384-8563429947318308-1024x453.png 1024w, https:\/\/forklog.com\/wp-content\/uploads\/img-656537c82a0fb384-8563429947318308-300x133.png 300w, https:\/\/forklog.com\/wp-content\/uploads\/img-656537c82a0fb384-8563429947318308-768x339.png 768w, https:\/\/forklog.com\/wp-content\/uploads\/img-656537c82a0fb384-8563429947318308-1536x679.png 1536w, https:\/\/forklog.com\/wp-content\/uploads\/img-656537c82a0fb384-8563429947318308.png 1584w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Source: <a href=\"https:\/\/defillama.com\/protocol\/balancer-v2\">DeFi Llama<\/a>. <\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\">Impact <\/h2>\n<p>Berachain validators coordinated to halt the network so the core team could perform an emergency hard fork to return funds to users affected by the Balancer hack. <\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">The Berachain validators have coordinated to purposefully halt the Berachain network as the core team performs an emergency hard fork to address Balancer V2 related exploits on the BEX. 
<\/p>\n<p>This halt has been executed purposefully, and the network will be operational shortly upon\u2026<\/p>\n<p>\u2014 Berachain Foundation \ud83d\udc3b\u26d3 (@berachain) <a href=\"https:\/\/twitter.com\/berachain\/status\/1985288599152042101?ref_src=twsrc%5Etfw\">November 3, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Developers said the ENA\/HONEY pool was affected. <\/p>\n<p>Berachain\u2019s head of ecosystem, Smokey The Bera, <a href=\"https:\/\/x.com\/SmokeyTheBera\/status\/1985291378323079301\">called<\/a> the decision controversial but necessary. He stressed that the damage was about $12m. <\/p>\n<p>In August 2023, Balancer developers <a href=\"https:\/\/forklog.com\/en\/news\/balancer-team-urged-users-to-withdraw-funds-from-pools\">reported<\/a> a critical vulnerability that affected a number of pools in the second version of the DeFi platform.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Unknown attackers hacked the Balancer decentralised protocol, stealing at least $128m.<\/p>\n","protected":false},"author":1,"featured_media":90603,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"Balancer hacked; losses top $128m.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1856,44,1093],"class_list":["post-90602","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-balancer-bal","tag-cybercrime","tag-defi"],"aioseo_notices":[],"amp_enabled":true,"views":"647","promo_type":"1","layout_type":"1","short_excerpt":"Balancer hacked; losses top 
$128m.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/90602","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=90602"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/90602\/revisions"}],"predecessor-version":[{"id":90604,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/90602\/revisions\/90604"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/90603"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=90602"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=90602"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=90602"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}