The Balancer Decentralized Autonomous Organization (DAO) has issued an onchain notice to the wallet holder responsible for an exploit that resulted in the theft of over $100 million in digital assets this week.
In a post on X (formerly Twitter) on Friday, Balancer shared a copy of the message sent to the individual or group behind the incident, which targeted the platform’s V2 Composable Stable Pools. The decentralized exchange set a deadline of Saturday for the return of the funds, offering an unspecified bounty in exchange. Failure to comply would result in Balancer pursuing "technical, onchain, and legal measures."
"We understand that affected users are awaiting further updates," Balancer stated regarding the exploit. "We will continue to provide information as the investigation progresses."
The exploit, which Balancer first reported to its users on Monday, led to the movement of over $100 million worth of staked Ether (ETH) — including StakeWise Staked ETH (OSETH), Wrapped Ether (WETH), and Lido wstETH (wSTETH) — to a newly created wallet. The hack brought scrutiny to the audits of the exchange’s smart contracts, as reports indicated that four security companies had previously reviewed them.
How Did the Exploit Happen?
According to a post-mortem report released on Wednesday concerning the exploit, hackers utilized a combination of BatchSwaps and the upscale rounding function that impacts EXACT_OUT swaps. This technique was employed to exploit Balancer's v2 Stable Pools and Composable Stable v5 pools.
Cointelegraph reached out to one of the auditors for comment but had not received a response by the time of publication.
Although the onchain message did not specify the exact amount of the bounty, Balancer's team initially indicated it would offer up to 20% of the stolen funds, which amounts to more than $20 million. No one had reportedly accepted the onchain offer at the time of publication.