Balancer had over 120 million yuan stolen. What should you do?

The total amount stolen so far is $128.64 million, and the attack is still ongoing.

Written by: 1912212.eth, Foresight News

On the afternoon of November 3rd, the established DeFi protocol Balancer suffered the third major security breach in its history. Attackers manipulated the protocol's core smart contracts and, within just a few hours, withdrew over $110 million worth of crypto assets from multiple liquidity pools in Balancer's Vault to attacker-controlled wallets. Following the attack, the price of BAL, Balancer's governance token, fell to around $0.9, a 24-hour drop of 8.64%.

According to data from DeBank, the stolen funds included $99.85 million on Ethereum, $7.95 million on Arbitrum, $3.94 million on Base, $3.4 million on Sonic, and $1.56 million on OP.

As of 5:41 p.m., an investigation by SlowMist showed that the total amount stolen was $128.64 million, including $128.6 million from Berachain.

Berachain has officially announced the suspension of HONEY minting and BEX pool/vault functionality.

Such a massive theft prompted 0x0090, a whale that had been dormant for three years, to quickly take action and extract funds from Balancer.

This incident not only exposed access control flaws in the Balancer V2 architecture, but also affected multiple blockchain networks, including the Ethereum mainnet, Base, Polygon, and Sonic, causing total losses to rise rapidly.

The attack is still ongoing.

Founded in 2020 and developed by Balancer Labs, Balancer is an Automated Market Maker (AMM) protocol that allows users to create custom liquidity pools and supports weighted adjustments across multiple assets. Unlike simpler AMMs such as Uniswap, Balancer is designed for greater flexibility and capital efficiency, especially with the introduction of Boosted Pools and the Vault architecture in version 2, features designed to optimize yields and reduce slippage. During the last DeFi boom, Balancer's TVL (total value locked) peaked at $3.239 billion.

Currently, the protocol's TVL is only $678.44 million.

Analysis indicates that the attack stemmed from an access control flaw in the Vault contract: the attacker used a flash loan to forge permissions and withdraw assets from Boosted Pools. Specifically, by manipulating a rate provider, the attacker bypassed authorization checks and transferred funds directly from the Vault to the external address 0xAa760D53541d8390074c61DEFeaba314675b8e3f. The on-chain transaction hash (0xd155207261712c35fa3d472ed1e51bfcd816e616dd4f517fa5959836f5b48569) shows that the attack completed multiple transfers within minutes, involving ETH derivatives such as WETH, osETH, wstETH, frxETH, rsETH, and rETH. The method resembles past DeFi attacks, such as the Nomad Bridge access control vulnerability in 2022, but Balancer's multi-chain deployment amplified the risk, leading to losses across chains.
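The outflow pattern described above (many distinct ETH derivatives leaving the Vault to a single address within minutes) is the kind of signal a protocol or treasury team can alert on from decoded ERC-20 Transfer events. The following is an added monitoring example, not Balancer's code: the vault and user addresses are placeholders, the events are constructed, and only the recipient address is taken from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of decoded ERC-20 Transfer events leaving a vault.
# Field order: (block timestamp, token symbol, from, to). The vault and
# user addresses are placeholders; the recipient is the one quoted above.
VAULT = "0xVAULT_PLACEHOLDER"
RECIPIENT = "0xAa760D53541d8390074c61DEFeaba314675b8e3f"
SAMPLE_TRANSFERS = [
    ("2025-11-03T14:00:05", "WETH",   VAULT, "0xUSER1_PLACEHOLDER"),
    ("2025-11-03T14:01:10", "WETH",   VAULT, RECIPIENT),
    ("2025-11-03T14:01:15", "osETH",  VAULT, RECIPIENT),
    ("2025-11-03T14:02:01", "wstETH", VAULT, RECIPIENT),
    ("2025-11-03T14:02:40", "frxETH", VAULT, RECIPIENT),
    ("2025-11-03T14:03:12", "rsETH",  VAULT, RECIPIENT),
    ("2025-11-03T14:03:50", "rETH",   VAULT, RECIPIENT),
    ("2025-11-03T15:30:00", "rETH",   VAULT, "0xUSER2_PLACEHOLDER"),
]

def flag_multi_asset_drains(transfers, vault, window=timedelta(minutes=10), min_tokens=3):
    """Return {recipient: sorted tokens} for recipients that received at least
    `min_tokens` distinct tokens from `vault` inside any single `window`.
    Ordinary withdrawals touch one or two assets; a single address pulling
    many unrelated derivatives within minutes is the incident's signature."""
    by_recipient = defaultdict(list)
    for ts, token, src, dst in transfers:
        if src.lower() == vault.lower():
            by_recipient[dst].append((datetime.fromisoformat(ts), token))
    flagged = {}
    for dst, events in by_recipient.items():
        events.sort()                      # time order for the sliding window
        best, start = set(), 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                 # drop events older than the window
            tokens = {tok for _, tok in events[start:end + 1]}
            if len(tokens) > len(best):
                best = tokens
        if len(best) >= min_tokens:
            flagged[dst] = sorted(best)
    return flagged

if __name__ == "__main__":
    for addr, toks in flag_multi_asset_drains(SAMPLE_TRANSFERS, VAULT).items():
        print(f"ALERT {addr}: {len(toks)} distinct assets in window: {', '.join(toks)}")
```

In production the events would come from an indexer or node subscription, and the thresholds should be tuned against the protocol's normal withdrawal history.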

The attack can be traced back to Balancer's historical security issues. This is not the first time the protocol has been compromised.

In June 2021, Balancer lost $500,000 due to a smart contract vulnerability;

In August 2023, another $270,000 was lost due to a DNS hijacking attack.

The most recent small-scale vulnerability occurred in October 2025, involving manipulation of rate providers.

These incidents all point to weaknesses in the protocol's access control and external dependencies. Version 2 has been running for nearly 5 years since its release in 2021 and has undergone multiple audits, fuzz tests, and formal verifications, yet vulnerabilities still remained.

Currently, the Balancer team has issued a statement saying that there may be a vulnerability in the V2 pool, and engineers and the security team are investigating the incident.

Foresight News advises users to immediately withdraw funds, revoke token approvals (for example via Revoke.cash), and avoid any suspected phishing links.
