Deng Tong, Jinse Finance
On November 3, 2025, the DeFi protocol Balancer was hacked, resulting in the theft of over $100 million in digital assets. On November 4, Balancer V2 composable stable pools were attacked again. Coincidentally, after the first attack, the Balancer team had already pointed out: "We have noticed a potential vulnerability in the Balancer v2 pool, and our engineering and security teams are prioritizing the investigation."
This article reviews the events of Balancer being attacked twice in two days, lists various reactions, summarizes Balancer's dark history, and discusses why Balancer still has a large following despite frequent security incidents.
I. Review of Balancer's Two Attacks in Two Days
On Monday, the decentralized exchange and automated market maker Balancer was hacked, and digital assets worth over $116 million were transferred to a newly created wallet.
The Balancer team posted on X on Monday: "We are aware of a vulnerability that may affect Balancer v2 pools. Our engineering and security teams are investigating this as a high priority." Further updates were to be shared as soon as they became available. Initial on-chain data shows that Balancer was attacked, resulting in the loss of $70.9 million worth of liquid-staked Ether. Etherscan logs show that the Ether was transferred to a new wallet through three transactions.

In a post on X, the crypto intelligence platform Nansen stated that the stolen assets included 6,850 StakeWise staked ETH (OSETH), 6,590 Wrapped Ether (WETH), and 4,260 Lido wstETH (wSTETH).

But the stolen assets are not just $70.9 million; the amount stolen continues to grow. According to blockchain data platform Lookonchain, as of 8:52 AM UTC on Monday, the ongoing attack has increased the stolen funds to over $116.6 million.
Balancer previously announced on-chain that it was willing to pay 20% of the stolen assets as a white-hat reward to help recover the assets, valid for 48 hours. If the funds were not returned within the next 48 hours, Balancer would continue to cooperate with blockchain forensics experts and law enforcement agencies to identify the perpetrators. Balancer stated, "Our partners are highly confident that the access log metadata collected through our infrastructure can identify you. This metadata shows connections from a defined set of IP addresses/ASNs and entry timestamps associated with on-chain transaction activity."

Following this, Balancer tweeted: "We are aware of a potential vulnerability in Balancer v2 pools. Our engineering and security teams are prioritizing an investigation. We will share verified updates and follow-up actions as soon as we have more information."

Adding insult to injury, this morning Balancer was attacked again, this time targeting the potentially vulnerable Balancer V2 composable stable pools mentioned yesterday. Balancer posted on X: "At approximately 7:48 AM UTC today, Balancer V2 Composable Stable Pools suffered an attack. Our team is collaborating with leading security researchers to investigate the cause of the issue and will share more investigation results and a full post-incident analysis report as soon as possible. Since these pools have been running on-chain for many years, many have exceeded their pauseable time window. Currently, all pools that are still pauseable have been paused and are in recovery mode. Other Balancer pools were not affected. This issue is limited to V2 Composable Stable Pools and does not affect Balancer V3 or other types of pools. Security Reminder: There are currently some fraudulent messages online impersonating the Balancer security team; these are not issued by us. Please do not interact with information from such unknown sources or click on any unknown links."
According to on-chain analyst Yu Jin, StakeWise recovered 5,041 osETH (US$19.3 million) from the Balancer hacker early this morning through a contract call. Therefore, the assets stolen by the hacker from Balancer have decreased from US$117 million to US$98 million. The hacker has been gradually exchanging LSTs for ETH, and has now converted more than half of the stolen assets back into ETH.
II. Analysis of the Reasons for the Theft
Balancer suffered an accounting vulnerability attack. Trading Strategy, Nansen, and Phalcon have each offered their perspectives on this attack.
Mikko Ohtamaa, CEO and co-founder of Trading Strategy, pointed out that preliminary analysis suggests a flaw in smart contract checks may be the root cause.
Nicolai Sondergaard, research analyst at Nansen, stated that the attacker may have "forged a large deposit into Balancer's fee account, then clicked the withdrawal button, converting WETH into cash—essentially exchanging fake points for real money."
Preliminary forensic findings from blockchain security firm Phalcon indicate that the attacker targeted Balancer Pool Tokens (BPT), which represent a user's share in the liquidity pool. According to the company, the vulnerability stems from how Balancer calculates the pool price during batch swaps. By manipulating this logic, the attacker distorted internal price information, artificially creating a price imbalance, and thus withdrew tokens before the system could self-correct.
Cryptocurrency analyst Adi points out, “Improper authorization and callback handling allowed attackers to bypass security measures. This enabled attackers to conduct unauthorized fund exchanges or balance manipulations in interconnected pools, depleting assets in a short period (within minutes).”
Coinbase’s Conor Grogan notes that the attackers’ methods demonstrate professionalism: the attacker’s address was initially funded by 100 ETH from Tornado Cash, meaning these funds likely originated from previous exploits.
“People don’t usually deposit 100 ETH into Tornado Cash just for fun,” he says, adding that this is the work of a seasoned hacker.
III. Balancer Attack: How Did the Parties React?
1. Crypto Market Plummets
Weighed down by the Balancer hack, together with the selling pressure from nearly $100 million in stolen assets, the overall crypto market is under pressure. SOL is down nearly 10% over 24 hours. As of press time, BTC is at $104,577, down 2.6% in 24 hours; ETH is at $3,506, down 5.6% in 24 hours.

BAL, as the native governance token of the Balancer protocol, also recorded a double-digit drop.
As of press time, BAL was trading at $0.8376, a 24-hour drop of 12.6%.

2. Balancer Forks Affected
Redstone co-founder Marcin tweeted a warning: Balancer forks, such as Beets on Sonic, appear to be affected. According to DefiLlama data, in just over an hour, BEX TVL rapidly dropped from $54 million to approximately $41 million, a drop of over 24%.
Furthermore, BEX on Berachain may also be affected, with Beets' TVL of approximately $10 million dropping by over 30% in half an hour.
Sonic officially stated on X that, as the Balancer hack involved the Sonic ecosystem project Beets, as a precautionary measure the team has deployed a security mechanism that had been planned for the upcoming network upgrade. Additionally, two wallets related to the hack (0xf19f and 0x0453) have been frozen pending further investigation. Sonic will collaborate with the Beets team on subsequent work.
The Berachain Foundation stated that validators have coordinated to suspend the Berachain network so that the core team can perform an emergency hard fork to address the Balancer V2-related vulnerability on BEX. This network suspension is planned, and the network will resume operation shortly.
GoPlus also posted on social media that all DeFi projects forked from Balancer are affected by this vulnerability, and multiple protocols have been compromised. It recommended checking the Balancer fork list on DefiLlama, immediately stopping all interaction with those protocols, and withdrawing assets promptly to protect yourself.
3. Lido has withdrawn its unaffected Balancer positions
Lido announced that some Balancer V2 pools have been attacked. The Lido protocol is unaffected, and all user funds are safe. Out of caution, the Lido GGV manager, Veda, has withdrawn its unaffected Balancer positions. All Lido Earn funds remain safe.
4. Whale withdraws funds
Spurred by the hack, the whale 0x0090, inactive for three years, woke up after the Balancer attack and urgently withdrew all $6.5 million it held on Balancer.
5. Netizen reactions
Content creator PythiaCrypto pointed out: From a legal and security perspective, what else can be done? The only way is to find the stolen funds, freeze them, and then return the money to the victims.
If this can't be done, then there's really no way to hold the thieves accountable or compensate the victims.
Some netizens were indignant: "This is one of the vulnerabilities with the most potential for exploitation in history." "After losing 116 million, they still say it has 'potential'? They're insane." "XMR will receive a $110 million injection." "From the Cetus protocol to Nemo Finance, and now Balancer Finance? All of this happened in the same year! Should we be worried about using decentralized finance? This is the 'future of finance,' right?"
IV. Eleven Audits Still Lead to Theft: A Look Back at Balancer's Dark History
How many audits has Balancer undergone? 11.
Suhail Kakar, Head of Blockchain Developer Relations at TAC, stated, “Balancer underwent more than ten audits, and its vault was audited three times by different companies, yet it was still hacked, resulting in losses of up to $110 million. This space needs to understand that ‘audited by X’ is almost meaningless. Code is hard; DeFi is even harder.”
According to the Balancer V2 audit list provided on GitHub, four different security companies (OpenZeppelin, Trail of Bits, Certora, and ABDK) conducted 11 audits of the platform's smart contracts, the most recent being Trail of Bits' audit of its stable pool in September 2022.
Cryptocurrency analyst Antyzo points out: Skimping on security audits always backfires. The goal is to ensure user funds are safe. Auditing is a fundamental necessity for any DeFi protocol, not an optional expense.
UntradenOrg co-founder Rei Soleil notes: The silence of auditors is deafening.
PegaX co-founder Neighman points out: Balancer underwent multiple audits and established a $1 million bug bounty, yet still faced this disaster. Security should never be underestimated in this field; it is the most basic requirement. The same applies to on-chain trading platforms.
For a long time, Balancer has been considered a conservative choice for liquidity providers, a place to park assets and earn stable returns. Its long history, strict auditing regime, and integration with major DeFi platforms created the illusion that long-term operation equates to security. However, the security breaches of yesterday and today have shattered this notion. Balancer has previously suffered multiple hacking attacks.
In June 2020, Balancer suffered a deflationary token attack, resulting in a loss of $520,000. The attacker exploited the protocol's improper handling of deflationary tokens, borrowing 104,000 ETH via a dYdX flash loan and then repeatedly trading between STA and ETH 24 times. Because Balancer did not correctly calculate the actual balance after each transaction, the STA in the pool was eventually depleted to only 1 wei. The attacker took advantage of the severe price imbalance, exchanging a small amount of STA for a large amount of ETH, WBTC, LINK, and SNX.
In March 2023, Balancer suffered a loss of $11.9 million due to the Euler incident. Euler Finance was hit by a $197 million flash loan attack. Balancer's bb-e-USD pool, which held Euler's eTokens, was affected, with approximately $11.9 million transferred from Balancer's bb-e-USD pool to Euler, representing 65% of the pool's TVL.
In August 2023, Balancer's V2 pools suffered a precision (rounding) attack, resulting in a loss of $2.1 million. Attackers manipulated the supply of BPT (Balancer Pool Token) to induce calculation errors, allowing them to withdraw assets from the pool at an unfair exchange rate. The attack was carried out through multiple flash loan transactions.
In September 2023, Balancer suffered a DNS hijacking attack, resulting in a loss of $240,000. Hackers used social engineering to breach the domain registrar EuroDNS, hijacking the balancer.fi domain.
Users were redirected to a phishing website that used the Angel Drainer malicious contract to trick users into authorizing transfers. The attackers then laundered the stolen funds through Tornado Cash.
In June 2024, Balancer suffered a loss of $6.8 million due to a Velocore hack. Attackers exploited an overflow vulnerability in Velocore's Balancer-style CPMM pool contract, manipulating the fee multiplier to exceed 100% and causing calculation errors. They then stole approximately $6.8 million through a flash loan combined with a carefully crafted withdrawal operation.
V. Why Does Balancer Still Have Loyal Fans Despite Frequent Thefts?
Even though Balancer has experienced numerous security incidents since its launch in 2020, it still has many loyal users.
The fundamental reason is that Balancer is not only a decentralized exchange but also an Automated Market Maker (AMM), supporting multi-asset pools, programmable weights, dynamic fees, and boosted pools. Many DeFi projects and strategies (such as Yearn, Aura, and BeethovenX) directly rely on the Balancer protocol as their underlying liquidity layer. Therefore, even with security incidents, the inertia of these upper-layer protocol ecosystems has maintained a large user base.
Secondly, because Balancer is an AMM protocol, it allows users to create and manage custom liquidity pools, supporting combinations of multiple assets and different weight settings. This attracts many professional liquidity providers and traders who can optimize liquidity configurations according to their own strategies to obtain higher returns.
Furthermore, Balancer's algorithm can utilize liquidity more efficiently, providing better trading prices and lower slippage compared to traditional AMMs with the same liquidity. This is crucial for users with large and frequent trades, reducing their transaction costs.
VI. Can DeFi Still Be Trusted?
Hasu, Director of Strategy at Flashbots and Strategic Advisor at Lido, stated that Balancer v2, launched in 2021, has since become one of the most watched and frequently forked smart contracts. This is very worrying. Every time a contract that has been online for so long is attacked, it (naturally) sets back the adoption of DeFi by 6 to 12 months.
Circuit Founder and CEO Harry Donnelly called the Balancer exploit a “serious wake-up call” for the DeFi ecosystem, noting that Balancer is “one of the most trusted brands in the space” and an “early pioneer with a compliance culture and strong auditing and public disclosure support.” It is this transparency that has helped Balancer achieve success, but it has also made it more vulnerable to attacks.
“If DeFi is to truly challenge traditional finance, it must stay ahead of malicious actors through proactive resilience and responsiveness, not just passively patching vulnerabilities and freezing funds,” said Vladislav Ginzburg, founder and CEO of OneSource. “Smart contracts and financial engineering are part of the risks of DeFi investment. Therefore, smart contract auditing is crucial. I don’t think the Balancer vulnerability represents a new paradigm, so it shouldn’t change trust or risk factors. The status quo remains unchanged.” Kadan Stadelmann, CTO of the Komodo platform, expressed a similar view, believing that core DeFi users will not be deterred, but institutional investors may be affected. “It is precisely these kinds of hacks in the DeFi space that have led institutional and alternative asset investors to turn to pure Bitcoin strategies.”