On November 3rd, Balancer V2 was attacked due to a contract logic vulnerability. Attackers manipulated the price of Balancer's LP tokens, profiting over $70 million. Multiple copycat projects were also affected and suffered significant losses. The Beosin security team conducted detailed fund tracing of this attack and shares the results below:

Event Recap
On November 3, the Balancer attacker's wallet address 0x506d1f9efe24f0d47853adca907eb8d89ae03207 executed transaction 0xd155207261712c35fa3d472ed1e51bfcd816e616dd4f517fa5959836f5b48569, invoked contract 0x54b53503c0e2173df29f8da735fbd45ee8aba30d, and stole funds from the Balancer vault 0xba12222222228d8ba445958a75a0704d566bf2c8.
Based on the stolen assets associated with the attacker's address (WETH, osETH, wstETH, and related Balancer Pool Tokens), the stolen value exceeded $70 million, calculated at market prices at the time of the theft.
The attackers then performed a series of exchange and cross-chain transfer operations to redistribute and store these funds.

Related addresses
Based on Beosin Trace analysis, the following are the main relevant addresses and fund flows in this security incident:
Address 1
Address: 0xaa760d53541d8390074c61defeaba314675b8e3f
Tags: Balancer attacker (main address where stolen funds were held/aggregated)
Balance: 7,000.1 ETH

Address 2
Address: 0xf19fd5c683a958ce9210948858b80d433f6bfae2
Tags: Balancer attacker (related holding address)
Balance: 6,408.2 ETH

During the analysis, no clear outflow of funds from these two addresses to centralized exchanges was found.

Address 3
Address: 0x506d1f9efe24f0d47853adca907eb8d89ae03207
Tags: Balancer attacker (initial execution address)
By tracing the complete flow of its funds across contracts, decentralized exchange aggregators, cross-chain bridges, and wallets, Beosin Trace found that the source of this address's initial gas fees can be reconstructed as the following stages:
Tornado Cash → Intermediate Wallet 1 → Intermediate Wallet 2 → Cross-Chain Bridge → Intermediate Wallet 3 → 0x506d... → Cross-Chain Bridge → 0x506d...
This pattern suggests that the attacker pre-funded the exploit address through a mixer, then layered the funds through several relay and cross-chain hops before finally using that address to invoke the Balancer-related contract. The aim was to obfuscate the original source of funds before the exploit was launched.
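
The backward trace described above can be sketched as a walk along each address's first inbound transfer until a labelled mixer is reached. This is an added example, not Beosin Trace's implementation or code from the original article; the transfer records, chain names and wallet names are constructed placeholders, and following only the earliest inbound transfer at each hop is a simplifying assumption.

```python
from typing import NamedTuple

class Transfer(NamedTuple):
    ts: int                    # block timestamp (constructed)
    src: str                   # sender, written as "name@chain"
    dst: str                   # recipient, written as "name@chain"
    via_bridge: bool = False   # True when src and dst sit on different chains

# Constructed sample data: placeholder names, not real addresses or chains.
MIXERS = {"mixer_pool@chain_A"}
TRANSFERS = [
    Transfer(100, "mixer_pool@chain_A", "wallet_1@chain_A"),
    Transfer(110, "wallet_1@chain_A", "wallet_2@chain_A"),
    Transfer(120, "wallet_2@chain_A", "wallet_3@chain_B", via_bridge=True),
    Transfer(130, "wallet_3@chain_B", "exploit_eoa@chain_B"),
    Transfer(140, "exploit_eoa@chain_B", "exploit_eoa@chain_A", via_bridge=True),
    Transfer(90, "exchange_hot@chain_A", "bystander@chain_A"),
    Transfer(150, "bystander@chain_A", "exploit_eoa@chain_A"),  # later dust, not first funding
]

def trace_first_funding(transfers, start, mixers, max_hops=10):
    """Walk back along the earliest inbound transfer of each address.

    Returns (path, mixer_funded); path is ordered from origin to `start`.
    """
    path, cur, bound, seen = [start], start, float("inf"), {start}
    for _ in range(max_hops):
        # Only funding that arrived before the hop we just followed counts.
        inbound = [t for t in transfers if t.dst == cur and t.ts < bound]
        if not inbound:
            break                      # origin reached with no mixer label
        first = min(inbound, key=lambda t: t.ts)
        if first.via_bridge:
            path.append("bridge")      # record the cross-chain hop
        path.append(first.src)
        if first.src in mixers:
            return path[::-1], True    # funding originates from a mixer
        if first.src in seen:
            break                      # cycle guard
        seen.add(first.src)
        cur, bound = first.src, first.ts
    return path[::-1], False

if __name__ == "__main__":
    hops, flagged = trace_first_funding(TRANSFERS, "exploit_eoa@chain_A", MIXERS)
    print(" -> ".join(hops), "| mixer-funded:", flagged)
```

The `max_hops` limit bounds the walk, so a result of `False` at the limit means "not resolved within that depth", not "clean".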