Balancer, a decentralized finance (DeFi) protocol with a locked value of over $750 million, appears to have been hit with its biggest exploit yet, with on-chain data showing over $110 million in digital assets drained to a new wallet.
The affected funds include 6,850 osETH, 6,590 WETH and 4,260 wstETH, according to blockchain data analyzed by CoinDesk, and the losses appear to come from vaults on Balancer version 2 (V2).
Further analysis shows that various safes on Sonic, Polygon and Base have also been hit and drained.
How the attack took place
The attack occurred due to faulty access control in its “manageUserBalance” function, according to security tool Decurity.
The vulnerability stems from validateUserBalanceOp, which authorizes the caller by comparing msg.sender against a user-provided op.sender; this logic flaw allows unauthorized withdrawals via the UserBalanceOpKind.WITHDRAW_INTERNAL operation.
In effect, this means that attackers could trigger internal balance withdrawals from Balancer smart contracts without the proper permissions.
The operator address has already begun consolidating assets, raising concerns about potential laundering via decentralized mixers or cross-chain bridges.
Balancer’s BAL token has fallen more than 5% since its peak on Monday, according to CoinGecko data.
The team has yet to release an official statement, although this is the project’s third known security breach, following incidents in 2021 and 2023 that collectively cost millions.
The vault is the main smart contract of Balancer, where all the tokens from each Balancer pool are actually kept. Instead of each pool managing its own funds, everything goes through this single contract.
The design, first introduced in Balancer v2, separates token accounting from pool logic (how swaps, liquidity additions, and withdrawals work). This makes pools smaller, simpler, and safer to build, and anyone can integrate a new pool design without creating a whole new DEX.
This design also appears to be affecting services built on Balancer: the Beets Finance fork project confirmed that it was impacted as well, with losses of over $3 million.
DefiLlama shows that more than $60 million is tied up in services built on Balancer V2, and those funds are at risk of depletion if the dependent protocols have not put additional security measures in place to limit the damage when the parent contract is exploited.
UPDATE (November 3, 9:17 AM UTC): Updates the title and story throughout to add new exploit value and more context on how the attack occurred.