Balancer DeFi protocol hit by $128 Million exploit
Decentralized finance protocol Balancer has fallen victim to one of the largest thefts in 2025. Attackers have drained approximately $128.64 million in digital assets from multiple blockchain networks on November 3, 2025.
The attack, which targeted Balancer's version 2 (V2) pools, was confirmed by blockchain security firm PeckShield. Balancer acknowledged the incident, stating: "We're aware of a potential exploit impacting Balancer v2 pools. Our engineering and security teams are investigating with high priority."
The attack exploited a vulnerability in Balancer's core smart contract architecture, allowing unauthorized withdrawals from the protocol's vault system. The vulnerability was caused by faulty access control in the "manageUserBalance" function: its validateUserBalanceOp check incorrectly compared msg.sender against the user-supplied op.sender parameter. This allowed attackers to trigger unauthorized internal balance withdrawals using the UserBalanceOpKind.WITHDRAW_INTERNAL operation, effectively enabling them to drain funds from Balancer's core vault.
Example attack:
1. Attacker tells Balancer: "I want to withdraw funds using the WITHDRAW_INTERNAL operation, and the owner of these funds is address 0xATTACKER" (providing their own address as the "owner").
2. Balancer's security check asks: "Does the person making this request (0xATTACKER) match the address they claim owns the funds (0xATTACKER)?" The answer is YES, so the check passes even though the attacker doesn't actually own the funds in the vault.
3. Because the check passed, Balancer releases the funds from the vault to the attacker's address, even though those funds actually belonged to other users. The attacker repeats this across multiple pools and chains, draining $128 million.
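A simplified model of the flawed check as the article describes it, beside a hardened version, added here as an illustration and not Balancer's own code; the vault bookkeeping, the solvency invariant, and the addresses and amounts are constructed assumptions:

```python
from dataclasses import dataclass, field

@dataclass
class WithdrawOp:
    """A WITHDRAW_INTERNAL request; `sender` is the caller-supplied 'owner' field (op.sender)."""
    sender: str
    amount: int

@dataclass
class Vault:
    """Toy vault: one contract holding every pool's tokens, with per-user internal balances."""
    hardened: bool = False
    holdings: int = 0                                      # tokens physically held by the vault
    internal_balances: dict = field(default_factory=dict)  # who is entitled to what

    def deposit(self, user: str, amount: int) -> None:
        self.internal_balances[user] = self.internal_balances.get(user, 0) + amount
        self.holdings += amount

    def manage_user_balance(self, msg_sender: str, op: WithdrawOp) -> int:
        # Flawed check as the article describes it: msg.sender is compared against a value
        # the caller chose, so a caller naming itself as owner always passes.
        if msg_sender != op.sender:
            raise PermissionError("caller does not match claimed owner")
        if self.hardened:
            # Hardened: authorization comes from the vault's own records, not the request.
            if self.internal_balances.get(msg_sender, 0) < op.amount:
                raise PermissionError("caller has no internal balance to withdraw")
            self.internal_balances[msg_sender] -= op.amount
        self.holdings -= op.amount  # tokens leave the vault
        return op.amount

    def solvent(self) -> bool:
        """Invariant a monitor can check: holdings must cover every user's internal balance."""
        return self.holdings >= sum(self.internal_balances.values())

def simulate(hardened: bool) -> dict:
    """Victim deposits 100; a caller with no balance asks to withdraw 100, naming itself owner."""
    vault = Vault(hardened=hardened)
    vault.deposit("0xVICTIM", 100)  # constructed sample address and amount
    try:
        vault.manage_user_balance("0xATTACKER", WithdrawOp("0xATTACKER", 100))
        withdrawn = True
    except PermissionError:
        withdrawn = False
    return {"withdrawn": withdrawn, "solvent": vault.solvent(), "holdings": vault.holdings}
```

The `solvent()` invariant is the kind of check an on-chain monitor can evaluate after every vault operation: the vulnerable path breaks it on the first unauthorized withdrawal, the hardened path never does.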
The vault is Balancer's core smart contract where all tokens from every Balancer pool are held. Instead of each pool managing its own funds, everything routes through this single contract. This design, first introduced in Balancer v2, separates token accounting from pool logic, but it also created the single point of failure that attackers exploited.
Stolen Digital Assets:
- 6,587-6,590 WETH (Wrapped Ethereum) valued at approximately $24.5 million
- 6,850-6,851 osETH (StakeWise Staked ETH) valued at approximately $26.9 million
- 4,260 wstETH (Wrapped Staked ETH) valued at approximately $19.3 million
- Additional assets across multiple blockchain networks
Cyvers Alerts reported that one of the attacker's wallets had been funded through Tornado Cash before the exploit began, raising concerns about potential laundering through decentralized mixers and cross-chain bridges. The attacker began consolidating assets immediately following the attack, suggesting preparation for money laundering operations.
The breach extended beyond Balancer itself, affecting projects built on top of the Balancer V2 infrastructure. Beets Finance, a fork project utilizing Balancer's codebase, confirmed it was also impacted, resulting in over $3 million in losses.
Balancer's native BAL token dropped over 5% immediately following the breach announcement. The incident contributed to broader cryptocurrency market volatility, with Bitcoin falling below $108,000 amid widespread panic in the decentralized finance sector.
Security firms urged all users to revoke Balancer-related token approvals and monitor their wallet activity.
As of the latest updates, Balancer's engineering and security teams continue investigating the full scope of the breach, and the team has stated it will share verified updates and next steps once more information becomes available.