Balancer, a decentralized finance (DeFi) protocol with over $750 million in value locked, appears to have been hit by its biggest exploit yet, with on-chain data showing upward of $110 million in digital assets drained to a new wallet.
The affected funds include 6,850 osETH, 6,590 WETH, and 4,260 wstETH, blockchain data analyzed by CoinDesk showed, and seemed to impact vaults on Balancer version 2 (V2).
Further analysis shows various vaults were also impacted and drained across Sonic, Polygon and Base.
How the attack took place
The attack occurred due to a faulty access control in its “manageUserBalance” function, according to security tool Decurity.
The vulnerability stemmed from validateUserBalanceOp, which checks msg.sender against a user-supplied op.sender, a logic flaw that allows unauthorised withdrawals through the UserBalanceOpKind.WITHDRAW_INTERNAL operation.
In effect, this means attackers could trigger internal balance withdrawals from Balancer’s smart contracts without proper permissions.
Loading…
The exploiter’s address has already begun consolidating assets, raising concerns about potential laundering through decentralized mixers or cross-chain bridges.
Balancer’s BAL token has slumped over 5% since its Monday peak, CoinGecko data shows.
The team has not yet issued an official statement, although this marks the third known security breach for the project, following incidents in 2021 and 2023 that collectively cost millions.
The vault is Balancer’s core smart contract, where all tokens from every Balancer pool are actually held. Instead of each pool managing its own funds, everything routes through this single contract.
The design, first introduced in Balancer v2, separates token accounting (from pool logic (how swaps, liquidity adds, and withdrawals work). This makes pools smaller, simpler, and safer to build, and anyone can plug in a new pool design without creating a whole new DEX.
That design appears to be also affecting services built on top of Balancer, as the fork project Beets Finance confirmed it was also impacted, resulting in over $3 million in losses.
There is more than $60 million locked on services built atop Balancer V2, DefiLlama shows, opening the funds to potential risk of getting drained if the protocols have not installed additional security measures to mitigate risks in case the mother contract gets exploited.
UPDATE (Nov. 3, 9:17 am UTC): Updates headline and story throughout to add new exploit value and more context on how the attack happened.