The decentralized finance protocol Balancer confirmed late Monday that an exploit drained more than $116 million from its V2 Composable Stable Pools, marking one of the largest decentralized finance breaches of the year.
In an official post on X, the Balancer team stated that the attack began around 7:48 AM UTC and affected only its V2 Composable Stable Pools, which run on Balancer V2, the older version of the protocol launched in 2021. The team said that "any pools that could be paused have been paused and are now in recovery mode," and clarified that Balancer V3 and other pool types were not affected.
The announcement came hours after blockchain investigators and security analysts first raised the alarm about the incident.
Lookonchain estimated that the total stolen funds had risen to $116.6 million, distributed across multiple networks including Ethereum, Polygon, and Base.
Other analysts, including OnchainLens, reported that the attacker had already begun moving the stolen funds, raising concerns that the assets would soon be laundered through other DeFi platforms.
Code Flaw Across Multiple Networks
Preliminary findings, not yet confirmed by Balancer itself, point to a long-standing flaw in Balancer V2's "manageUserBalance" function. This is the Vault entry point for internal-balance operations: each operation names the user whose balance is affected, and the Vault is supposed to execute it only if the caller is that user or a relayer the user has explicitly approved.
According to independent developer Suhail Kakar, the function misidentified the message sender, effectively granting attackers permission to move assets without proper validation.
Because Balancer V2 keeps every pool's tokens in a single shared Vault contract, and that same code is deployed on each supported network, a flaw there exposed funds on every chain running the vulnerable pools, which is why the losses span Ethereum, Polygon and Base.
The stolen tokens included 6,850 osETH, 6,590 WETH, and 4,260 wstETH, among other assets. Security firm Cyvers flagged the transactions as "suspicious" early on the morning of the exploit, before Balancer had acknowledged the attack.
Balancer Offers 20% Bounty
In response to the exploit, Balancer sent an on-chain message to the attacker, proposing a 20% white-hat bounty for the return of the remaining funds. The team stated that this offer would expire within 48 hours unless extended.
The fallout has spread to several projects. Beets Finance, a protocol built on Balancer's infrastructure, confirmed losses exceeding $3 million and said that approximately $60 million in assets remained at risk until full remediation was complete.
At its peak, Balancer managed around $700 million in total value locked, according to DefiLlama. The breach is a serious blow to one of the longest-running automated market makers in DeFi.
Another Day, Another Exploit
The Balancer exploit comes months after the team launched Balancer V3, which was promoted as a more secure and modular upgrade.
Analysts have also pointed to an earlier website hijack, in 2023, in which attackers stole roughly $238,000 in crypto by redirecting users to a lookalike of Balancer's official frontend, as evidence of the protocol's ongoing security challenges.
The team reiterated its warning to users to avoid unofficial links or messages, advising that only updates shared via its verified X account and Discord server should be trusted.
As Balancer works with auditors and law enforcement to investigate the $116+ million exploit, and with the earlier frontend hijack still fresh in memory, the community remains on edge.
Ongoing DeFi Security Gaps
The Balancer exploit, coming on top of the earlier website hijack, has reignited a long-standing debate within decentralized finance: how to reconcile open, permissionless systems with the security of billions of dollars in user assets.
That promise continues to be undermined by recurring losses that trace back to contract bugs and to human error, from flawed validation logic in core contracts to frontends hijacked through social engineering.
As developers push for greater automation and transparency, these incidents highlight the practical limits of "trustless" systems. Without better recovery tooling and common security standards, DeFi's credibility risks eroding because of the very openness that made it revolutionary in the first place.