Balancer Attacker Begins Swapping Stolen Funds for ETH

Balancer, a decentralized finance (DeFi) platform previously regarded for its security, is currently grappling with a significant crisis following an exploit that resulted in losses exceeding $116 million across multiple blockchain networks. The incident, which initially involved around $70 million in stolen assets, escalated as the attacker moved funds between chains and converted them into Ethereum (ETH). Within an hour, Balancer, a protocol known for its stability, joined the growing list of DeFi platforms targeted by sophisticated smart contract hacks.

According to data from the blockchain analytics platform Lookonchain, the perpetrator began swapping the pilfered tokens for ETH shortly after the exploit commenced. Lookonchain reported, "Note that the Balancer hacker is now swapping the stolen assets for $ETH." The total value of the stolen funds climbed to $116.6 million before the activity began to subside. The attack primarily targeted wrapped ETH and other staked derivatives across various blockchain networks.

Vulnerability in Balancer V2 Pools

Balancer officially confirmed the incident on X (formerly Twitter), acknowledging a "potential exploit impacting Balancer v2 pools." The platform stated that its engineering and security teams were actively investigating with high priority and would release verified updates promptly. Despite the team's efforts, the announcement did little to alleviate investor concerns, leading to a surge in withdrawals from integrated services and protocol forks.

Blockchain investigators pinpointed the exploit's origin to a flaw within Balancer's smart contract interactions. According to on-chain analyst Adi, "Improper authorization and callback handling allowed the attacker to bypass safeguards. This enabled unauthorized swaps or balance manipulations across interconnected pools." Adi further explained that Balancer's composable architecture amplified the exploit's impact, facilitating the rapid draining of assets.

Initial data from Lookonchain indicated that the attacker transferred substantial quantities of WETH, osETH, and wstETH. Specifically, approximately 6,587 WETH valued at $24.46 million, 6,851 osETH valued at $26.86 million, and 4,260 wstETH valued at $19.27 million were stolen. The on-chain portfolio associated with the Balancer exploiter is currently valued at around $90.5 million, reflecting a 6.6% decrease in 24 hours, attributed to the broader market downturn, according to data from Arkham.

StakeWise Recovers Stolen Tokens

Amidst the unfolding crisis, the Ethereum staking protocol StakeWise announced the successful recovery of a significant portion of the stolen osETH and osGNO tokens. The StakeWise DAO emergency multisig executed a series of transactions, recovering approximately 5,041 osETH (valued at $19 million) and 13,495 osGNO (valued at $1.7 million). The recovered funds, representing 73.5% of the stolen osETH, will be distributed to affected users on a pro-rata basis.

StakeWise's prompt action helped to mitigate some market fears regarding the potential dumping of large volumes of ETH into circulation. Analysts suggest that this partial recovery could contribute to stabilizing ETH's short-term price outlook. As of Tuesday, ETH was trading at approximately $3,500, a decrease of 23% from Monday, according to CoinMarketCap data.

Balancer's Struggles Continue

Data from DeFiLlama indicates that the total value locked in Balancer has decreased to approximately $355.68 million, a significant drop from its peak of $3 billion in 2021. This decline reflects the gradual outflow of funds from the platform over time, influenced by various security incidents. Despite these challenges, Balancer remains an active protocol, processing around $2.81 billion in trading volume over the past month and generating an estimated $10.7 million in annual revenue.

Crypto commentator Haseeb observed the varied responses from different blockchain networks to the hack. He noted, "Berachain had validators halt the network. Polygon validators censored hacker transactions. Sonic added functionality to freeze & zero out the hacker’s account." He added, "Smaller ecosystems should prioritize safety and community protection over ‘code is law.’"

Audit Gaps Expose Balancer's Weakness

Concerns regarding Balancer's security posture have been amplified by the fact that the platform has not undergone a major audit since 2022. While Balancer maintains a bug bounty program on Immunefi offering up to 1,000 ETH for critical smart contract vulnerabilities, this program does not cover web interface issues. Although past audits conducted by Certora, OpenZeppelin, and Trail of Bits are publicly available, implementing fixes for immutable contracts on Balancer often necessitates redeployment.

In October 2022, Balancer launched the Balancer Certora Security Accelerator, aimed at supporting projects with verification tools and providing $10,000 in credits. However, the recent exploit has renewed calls for regular audits and more robust defenses to safeguard user funds.

Why This Matters

The Balancer hack underscores the inherent fragility of even the most established DeFi systems. The interconnected nature of these platforms, linking numerous pools and tokens, enhances their functionality but also increases their vulnerability when security flaws are exploited. Even with audits and security reviews in place, critical vulnerabilities can still emerge. Once exploited, hackers can rapidly move stolen funds across multiple blockchains, leaving development teams with minimal time to react or recover the assets.

For Balancer, this breach represents a critical juncture. The team now faces the significant challenge of demonstrating its capacity to learn from this failure and regain user trust. While StakeWise's recovery efforts offer some reassurance, the protocol's reputation has undoubtedly been damaged. Rebuilding confidence will require transparent communication and demonstrably stronger security measures, rather than superficial solutions.