Analyzing the Subsequent Impact of the Balancer V2 Vulnerability Attack


Author: Jack Inabinet Source: Bankless Translation: Shan Ouba, Golden Finance

Dissecting the Aftermath of the Balancer V2 Vulnerability Attack

Balancer is a popular decentralized exchange known for its auto-rebalancing liquidity pools and token incentive-based liquidity rewards mechanisms. Recently, its V2 version liquidity vaults were hacked, resulting in losses of tens of millions of dollars.

Many forked versions of Balancer V2 (i.e., alternative exchanges reusing Balancer code) have also been affected, with multiple impacted blockchains taking aggressive measures to mitigate further losses.

Why did this incident trigger a chain reaction across the crypto industry? The analysis below explains.

Major Mistake by Balancer

On the early morning of November 3 (Monday), the Balancer V2 vaults deployed on Ethereum, Base, Polygon, and Arbitrum chains were exploited, with nearly $80 million lost. The issue was confined to the “composable stable pools” in V2, and did not affect Balancer V3 or other pool types.

Data analytics platform DeFiLlama shows that Balancer V2 has 27 independent forked versions. Although most forked protocols have negligible locked assets, attackers stole $3.4 million from the Sonic ecosystem’s Beets protocol on Optimism, and $283,000 from Beethoven protocol on Optimism. Additionally, BEX, a native exchange built on Balancer on the Berachain chain, faces approximately $12 million in user funds at risk.

As of writing, Balancer has not released an official post-incident analysis report, but some opinions suggest the root cause lies in a flaw in the access check within the “manageUserBalance” function; others speculate that the attack originated from manipulating the “invariant” of Balancer pool token prices.


Following the attack, users of Balancer and its forked protocols immediately rushed to withdraw assets to protect their holdings. A whale who had been dormant for three years withdrew all $6.5 million worth of GNO-WETH assets from Balancer within 30 minutes of the attack.

To contain the losses, some blockchains took extreme measures—these aggressive actions blurred the line between crisis response and centralized control:

  • Polygon’s Balancer V2 deployment lost only about $100,000, but network validators reviewed the hacker’s transactions, effectively freezing the stolen digital assets in place;

  • Sonic modified the logic of its native token “S,” granting the Sonic Foundation the unilateral authority to blacklist wallet addresses (prohibiting holding the native token), and emptied the attacker’s S token balance;

  • Meanwhile, the entire Berachain network halted block production to prevent further asset theft at BEX (Berachain’s official native exchange).

Core Questions Raised by Balancer

This Balancer vulnerability attack raises two key questions for the entire crypto industry.

Question 1: If Balancer V2 can be easily attacked, what other DeFi protocols are truly secure?

Balancer V2 is a battle-tested protocol: operating for over four years and having undergone audits by multiple independent firms. Yet, even such a protocol was vulnerable to an attack, prompting the question—what other DeFi protocols can be considered safe?

Undoubtedly, crypto users enjoy the convenience brought by blockchain, but when a foundational DeFi protocol contains vulnerabilities overlooked by numerous audits over years, it becomes increasingly difficult to trust the security of applications built on permissionless smart contracts.

Question 2: If some blockchains have the authority to freeze hacker funds, why can’t regulators compel them to freeze “illegal activities”?

Since blockchains like Polygon, Sonic, and Berachain have the ability to freeze attacker funds, why can’t financial regulators force these (or similarly centralized) blockchains to freeze all activities they deem illegal?

In March 2023, MakerDAO’s frontend Oasis.app (now renamed Summer.fi) complied with an order from the High Court of England and Wales, using an administrator-key backdoor in its smart contracts to recover $225 million worth of crypto assets taken in the Wormhole cross-chain bridge hack.

This event demonstrates that traditional legal systems can compel decentralized protocols to take specific actions through arrests or other legal consequences. Today, could regulators adopt this approach—issuing court orders to target behaviors on multiple chains that they disapprove of (such as ungoverned, anonymous transactions)?
