On November 3, 2025, Balancer, one of the oldest and most trusted decentralized finance (DeFi) platforms, fell victim to a massive hack that drained over $128 million from its users.
The hack began at 7:48 AM UTC on Monday morning. Attackers managed to steal approximately 6,587 WETH (worth about $24.5 million), 6,851 osETH (worth $26.9 million), and 4,260 wstETH (worth $19.3 million) along with other tokens. The stolen funds were quickly moved to newly created wallets controlled by the hackers.
Security researchers discovered that the hackers exploited a critical flaw in Balancer V2’s smart contract code. The vulnerability existed in a function called “manageUserBalance,” which is supposed to control who can move funds within the system. According to blockchain security experts, the attacker took advantage of a faulty access check that confused two different sender identities, allowing unauthorized withdrawals.
The attack method was highly sophisticated. Hackers deployed malicious smart contracts and created fake tokens to manipulate the prices of real tokens in Balancer’s liquidity pools. They exploited tiny rounding errors in the system’s calculations, using multiple swaps in a single transaction to amplify these small discrepancies into massive price distortions. This allowed them to drain liquidity from the pools at wildly favorable exchange rates.
What makes this attack particularly concerning is the level of planning involved. Blockchain data shows the attacker carefully prepared for months, funding their account through Tornado Cash using small deposits of 0.1 ETH to hide their tracks. This methodical approach suggests the work of a highly skilled and experienced hacker, possibly with connections to previous crypto exploits.
The damage wasn’t limited to just one network. Because Balancer operates across multiple blockchains, the hack spread rapidly. Ethereum suffered the worst losses at $99 million. Other networks also took significant hits: Berachain lost $12.86 million, Arbitrum lost $6.86 million, Base lost $3.9 million, Sonic lost $3.44 million, Optimism lost $1.58 million, and Polygon lost $232,000.
The ripple effects extended beyond Balancer itself. Several projects that had copied Balancer’s code (called “forks”) also became vulnerable to the same attack. Beets Finance reported about $3 million in affected funds, and Beefy Finance paused all products connected to Balancer V2 as a safety measure.
In a controversial move, Berachain validators completely halted their blockchain network and executed an emergency hard fork to protect an estimated $12 million in user funds. This decision sparked debate in the crypto community, as many believe that stopping and reversing blockchain transactions goes against the core principles of decentralization.
Perhaps the most troubling aspect of this hack is that Balancer V2 had been audited more than 10 times by top security firms including OpenZeppelin, Trail of Bits, Certora, and ABDK. These audits took place between 2021 and 2023, yet the vulnerability still slipped through.
This failure has raised serious questions about the effectiveness of security audits in the DeFi space. Suhail Kakar, a blockchain researcher, said on social media: “Balancer went through 10+ audits. The vault was audited three separate times by different firms still got hacked for $110M. This space needs to accept that ‘audited by X’ means almost nothing.”
Security experts now argue that static code audits are no longer sufficient. Instead, DeFi platforms need continuous, real-time monitoring systems that can detect suspicious activity before funds are drained.
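One way such a monitoring check could look, as an added example (not code from Balancer or from the article's sources): it flags transactions that send many swaps through one pool while that pool's invariant-per-share falls, the pattern the article describes for this exploit. The event record, its field names, the thresholds and the sample data are all assumptions constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Illustrative thresholds (assumptions, not Balancer parameters).
MAX_SWAPS_PER_POOL = 20   # swaps against one pool inside one transaction
MAX_RATE_DROP = 0.001     # 0.1% fall in the pool's invariant-per-share

@dataclass(frozen=True)
class SwapEvent:           # hypothetical decoded-event record
    tx: str
    pool: str
    rate_before: float     # pool invariant per share before the swap
    rate_after: float      # same value after the swap

def classify(events):
    """Map tx -> 'warn' or 'critical'; events must be in execution order."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev.tx, ev.pool)].append(ev)
    rank = {"warn": 1, "critical": 2}
    verdicts = {}
    for (tx, _pool), evs in groups.items():
        start, end = evs[0].rate_before, evs[-1].rate_after
        drop = (start - end) / start if start > 0 else 0.0
        many, falling = len(evs) > MAX_SWAPS_PER_POOL, drop > MAX_RATE_DROP
        if not (many or falling):
            continue
        level = "critical" if many and falling else "warn"
        if rank[level] > rank.get(verdicts.get(tx), 0):
            verdicts[tx] = level
    return verdicts

def chain(tx, pool, n, step, start=1.0):
    """Build n constructed swaps, each scaling the rate by (1 + step)."""
    out, rate = [], start
    for _ in range(n):
        out.append(SwapEvent(tx, pool, rate, rate * (1 + step)))
        rate *= 1 + step
    return out

# Constructed sample data; hashes and pool names are placeholders.
SAMPLE = (
    chain("0xtx-normal", "pool-A", 2, +1e-6)      # ordinary trade
    + chain("0xtx-router", "pool-A", 25, +1e-6)   # many swaps, rate healthy
    + chain("0xtx-drain", "pool-B", 65, -1e-4)    # many swaps, rate eroding
)

if __name__ == "__main__":
    for tx, level in classify(SAMPLE).items():
        print(level, tx)
```

A swap count alone only warns, since routers legitimately batch trades; the alert becomes critical when the batch also erodes the pool's rate, which fee-paying swaps should not do.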
The market reacted swiftly to the news. Balancer’s native BAL token fell 11.1% to $0.87, and the protocol’s total value locked plummeted from $776 million to $406 million within 24 hours. This massive outflow shows how quickly users lose confidence when security is compromised.
Balancer’s team responded by offering the attacker a deal: return all the stolen funds and keep 20% as a “white hat bounty” (worth roughly $25.6 million). The team gave the hacker 48 hours to accept and warned they would work with law enforcement and blockchain forensics specialists if the funds weren’t returned.
There has been some success in recovery efforts. StakeWise, one of the affected protocols, managed to recover approximately $19 million in osETH tokens and $1.7 million in osGNO tokens from the exploiter. This represents about 73.5% of the osETH that was stolen. The recovered funds will be returned to affected users based on their pre-attack balances.
This hack fits into a troubling pattern for 2025. More than $2 billion in cryptocurrency was stolen by hackers in the first half of the year alone, with total losses now exceeding $2.2 billion. Most of these funds have been traced to hackers allegedly connected to North Korea’s government, which uses crypto theft as a key revenue source for its weapons programs.
While there’s no confirmed attribution for the Balancer hack, the sophisticated planning and execution bear similarities to attacks carried out by the infamous Lazarus Group, a North Korean state-sponsored hacking organization known for extensive preparation before major heists.
Balancer confirmed that only V2 Composable Stable Pools were affected, and that Balancer V3 and other pool types remain secure. The team is working with security researchers to produce a detailed post-mortem report and has warned users about fake messages circulating that impersonate Balancer’s official communications.
The Balancer exploit serves as a wake-up call for the entire DeFi industry. Despite being one of the most established and audited protocols, it still fell victim to a devastating attack. This incident proves that even extensive security measures don’t guarantee protection, and that the crypto space must evolve beyond current practices to stay ahead of increasingly sophisticated hackers. The question now is whether the industry will learn from this failure and implement the real-time monitoring and layered security systems needed to prevent the next major breach.


