Balancer, a historic DeFi protocol on Ethereum, has been hacked with an estimated value exceeding $120 million, mainly involving ETH derivatives like WETH, osETH, and wstETH.
The attack stemmed from a vulnerability in the V2 smart contract, leading to a series of suspicious withdrawals and an emergency hard fork of the Berachain network to contain the damage.
The BAL token dropped over 7%, a modest decline considering a hack of nearly a third of the protocol’s TVL.
Unusual Transfers Detected on the Blockchain
The DeFi protocol Balancer, a cornerstone of the Ethereum ecosystem, has just experienced what appears to be one of the biggest DeFi hacks of the year. Over $128 million in assets has been drained from its vaults, as per the latest on-chain analysis.
It all started in the night when a series of unusual transactions were spotted on the protocol’s main address. Etherscan data reveals massive withdrawals from the wallet “0xBA1…BF2C8” to an external address, primarily in ETH derivatives: WETH, osETH, wstETH.
The Protocol Confirms the Incident
Quickly, the Balancer team addressed the issue on X (formerly Twitter):
We are aware of a potential exploit affecting Balancer V2 pools. Our technical and security teams are investigating with the highest priority.
On-chain analysis services like Cyvers, Nansen, and PeckShield have also flagged these transactions as suspicious, confirming that the attack is ongoing across multiple blockchains where Balancer is deployed.
A Flaw in the V2 Smart Contract
According to Mikko Ohtamaa, CEO of Trading Strategy, the probable cause is a faulty check in a smart contract. Early observations suggest that not all protocol versions are affected, but some V2 forks may share the same vulnerability, raising fears of a final toll exceeding $120 million.
The PeckShield teams mention an active “multi-chain” attack, while significant investors have already reacted. A whale dormant for three years urgently withdrew over $6.5 million from its pools, according to Arkham data relayed by Lookonchain.
Berachain even halted its blockchain to execute an emergency hard fork in response to the hack.
A New Blow to DeFi
Balancer, launched in 2020, is both a DEX and an automated portfolio manager based on Ethereum. With over $350 million in Total Value Locked (TVL) on Ethereum before the incident, the platform was considered one of the sector’s strongest projects.
But this new attack highlights the recurring vulnerabilities in decentralized finance, reminding us that even the most reputable protocols remain susceptible.
The Fall of the BAL Token
The market reacted swiftly: the native BAL token plummeted over 7% in the hours following the initial alerts. A clear sign of wavering confidence, as investors await an official update on the exact extent of losses and potential compensation measures.
DeFi remains a hub of innovation, but also a minefield. Balancer bears the brunt today, underscoring once again that in crypto, code security is worth more than TVL size.
