One of the decentralized finance (DeFi) sector’s longest established exchanges, Balancer, has suffered an ongoing smart contract hack, with losses totalling $129 million so far.
The exploit, which hit the exchange’s v2 liquidity pools on multiple blockchains, also reportedly affected projects which had “forked” Balancer’s code.
Just over two hours after the attack began, Balancer acknowledged the incident, stating it was “aware of a potential exploit impacting Balancer v2 pools.”
Read more: EXCLUSIVE: ‘Code is Law’ documentary explores the void between DeFi and law
First launched in the run-up to 2020’s DeFi summer, Balancer’s v2 later expanded on the existing “constant product” model of automated market makers (such as Uniswap and Bancor) by introducing multi-asset and weighted liquidity pools.
Other large DeFi projects such as Aave and Lido have reassured users their tokens’ pools aren’t affected.
Lido and Flashbots’ Hasu remarked that Balancer’s v2 “is one of the most looked at and forked smart contracts since. It’s very scary.”
According to a preliminary analysis from Blockchain security auditor Decurity, the “manageUserBalance” function contains a “faulty access check” which allows the hacker to withdraw funds.
It notes that, additionally, “the Vault’s internal balance (_internalTokenBalance) was manipulated before the withdrawal.”
1inch’s Anton Bukov suspects exploitation of a rounding error.
Balancer previously fell victim to a $2 million hack in August of 2023 due to a “rate manipulation” vulnerability in its Boosted Pools.
The following month, it warned users of a front-end compromise. In March of 2023, $11 million of Balancer pool funds were drained during the hack on lending protocol Euler.
Read more: $25 million Ethereum MEV exploit puts ‘Code Is Law’ on trial
Cross-chain catastrophe
The exploit affected Balancer pools on multiple blockchains, with losses reported on Ethereum, Berachain, Arbitrum, Base, Sonic, Optimism and Polygon.
Berachain announced that “validators have coordinated to purposefully halt the Berachain network as the core team performs an emergency hard fork.”
DeFi data dashboard DeFiLlama lists 27 projects as forks of Balancer’s v2 code, with a combined total value locked (TVL) of $78 million. Beets, a Balancer fork on Sonic, was reportedly hacked for $3.4 million.
As the losses mounted, a Polymarket bet on whether the crypto community would see another hack with over $100 million in losses before the end of the year jumped from approximately 25% likelihood to over 99%.
The incident is ongoing and this article will be updated to reflect any major developments.
Got a tip? Send us an email securely via Protos Leaks. For more informed news, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.
The liveblog has ended.
No liveblog updates yet.
Load more
Source: https://protos.com/live-updates-balancer-exploit-drains-129m-in-defi-disaster/
