Balancer contract flaw: losses exceed $100 million, a near-devastating blow to the DeFi industry
Original Title: "Old DeFi Protocol Falls: Balancer V2 Contract Vulnerability, Over $110 Million in Assets Stolen"
Original Author: Wenser, Odaily Planet Daily
Note: Today, the DeFi protocol Balancer was attacked by hackers, with the scale of stolen funds exceeding $116 million. Several projects have taken self-rescue measures: Lido has withdrawn its unaffected Balancer positions; Berachain has directly announced a network suspension for an emergency hard fork to fix the vulnerabilities related to Balancer V2 on BEX.
In addition, Hasu, Strategic Director of Flashbots and Strategic Advisor to Lido, stated, "Balancer v2 was launched in 2021 and has since become one of the most watched and frequently forked smart contracts. This is very concerning. Every time a contract that has been live for so long is attacked, it sets back the adoption process of DeFi by 6 to 12 months."
The following is the original content:
On November 3, the long-established DeFi protocol Balancer was reported to have had over $70 million in assets stolen. The news was subsequently confirmed by multiple parties, and the scale of stolen funds continued to rise. As of the time of writing, the amount of assets stolen from Balancer has increased to over $116 million. This article provides a brief analysis of the incident.
Details of Balancer Theft: Losses Exceeding $116 Million, Mainly Due to V2 Pool Smart Contract Vulnerability
According to on-chain information, the funds stolen by the Balancer attacker have so far exceeded $116 million. The main stolen assets include WETH, wstETH, osETH, frxETH, rsETH, and rETH, distributed across multiple chains such as Ethereum, Base, and Sonic, broken down as follows:
- Stolen assets on the Ethereum chain: nearly $100 million;
- Stolen assets on the Arbitrum chain: nearly $8 million;
- Stolen assets on the Base chain: nearly $3.95 million;
- Stolen assets on the Sonic chain: over $3.4 million;
- Stolen assets on the Optimism chain: nearly $1.57 million;
- Stolen assets on the Polygon chain: around $230,000.

Crypto KOL Adi stated that preliminary investigations show the attack primarily targeted Balancer's V2 Vault and liquidity pools, exploiting flaws in how the smart contracts interact. On-chain investigators pointed out that a maliciously deployed contract manipulated the Vault call during liquidity pool initialization. Incorrect authorization and callback handling allowed the attacker to bypass protective measures, enabling unauthorized swaps or balance manipulation between interconnected liquidity pools, so that assets were drained within minutes.
Based on the information available, there is no indication of a private key leak; this is purely a smart contract vulnerability.
Kebabsec auditor and Citrea developer @okkothejawa also stated, "The check error mentioned by @moo9000 may not be the root cause, as in all 'manageUserBalance' calls ops.sender == msg.sender. The security vulnerability may have occurred in transactions prior to the creation of the contract used to withdraw assets, as it led to some state changes in the Balancer vault."
The Balancer team also responded, stating: "We are aware of a potential vulnerability affecting the Balancer v2 pools. Our engineering and security teams are prioritizing the investigation. We will share verified updates and follow-up steps as soon as we have more information."
Berachain, which faces potential asset damage risks, also responded promptly. After the Berachain Foundation's announcement, Berachain founder Smokey The Bera stated, "The Bera node group has proactively suspended the operation of the public chain to prevent the Balancer vulnerability from affecting BEX (mainly the USDe three pools).
- Let the Ethena team disable the Bera bridge
- Disable/pause USDe deposits in the lending market
- Suspend HONEY token minting and exchange
- Communicate with CEXs and others to ensure the hacker's address is blacklisted
Our goal is to recover funds as soon as possible and ensure the safety of all LPs. The Berachain team will release binaries to relevant node validators and service providers as soon as they are ready (as this pool contains non-native assets, it involves some slot reconstruction, not just modifying the Bera token balance)."
For detailed on-chain information about the Balancer attacker, see: https://intel.arkm.com/explorer/entity/cd756cb8-6a84-4f40-9361-f6c548544430
Balancer Theft: The Most Anxious Are Crypto Whales
As an established DeFi protocol, Balancer's users are undoubtedly the most directly affected by this theft. For current users, the actions they can take include:
- Withdraw funds from the Balancer v2 pools to avoid further losses;
- Revoke authorizations: use Revoke, DeBank, or Etherscan to cancel the token approvals granted to the Balancer contract addresses, removing any remaining exposure;
- Stay alert: closely monitor the Balancer attacker's next moves and whether the incident has a cascading impact on other DeFi protocols.
In addition, a crypto whale that had been dormant for three years attracted market attention during this theft incident.
According to Lookonchain monitoring, the dormant whale 0x0090 awakened right after the Balancer vulnerability surfaced and hurried to withdraw its $6.5 million in related assets from Balancer. For on-chain information, see: https://intel.arkm.com/explorer/address/0x009023dA14A3C9f448B75f33cEb9291c21373bD8
Follow-up Developments: Hackers Start Token Exchange Mode
According to on-chain analyst Yu Jin's monitoring, the hacker behind the Balancer theft has begun exchanging various liquid staking tokens (LSTs) for ETH; earlier, they swapped 10 osETH for 10.55 ETH.
On-chain data shows the hacker is continuously swapping stolen assets across multiple chains for ETH, USDC, and other assets through CoW Protocol. At present, the prospects of recovering these stolen assets look bleak.

Going forward, whether Balancer can promptly identify the vulnerability in its protocol contracts and quickly recover the stolen assets, or provide a corresponding remedy, will be closely watched.