The recent attack on the Balancer V2 protocol, one of the most solid and recognized platforms in the DeFi ecosystem on the Ethereum network, has abruptly highlighted the risks lurking in decentralized finance. Balancer, known for its role as an automated market maker and for offering efficient liquidity pools, suffered a devastating blow that compromised its reputation and user trust. The Balancer hack, valued at over $128 million, not only affected the funds stored in the protocol but also exposed the fragility of the infrastructure on which many projects that rely on Balancer’s code to operate across different chains are built.
In light of this event, the Balancer case has become a turning point for the DeFi ecosystem. Analyzing what happened in Balancer, how its vulnerability was exploited, and how the Balancer team responded to the crisis is essential to understand the real scope of the incident. This article presents a detailed examination—based on verified information—of Balancer, its historical context, the technical implications of the attack, and the lessons that Balancer and the entire DeFi sector must learn after one of the most significant hacks in recent years.
What is Balancer and why does it matter?
The Balancer protocol emerged as a key component in the decentralized finance universe. From its inception, Balancer stood out for its innovative approach by combining efficiency, autonomy, and flexibility in liquidity management. Balancer’s model consists of a decentralized exchange (DEX) that also functions as an automated market maker (AMM), where prices are determined according to supply and demand within liquidity pools, without intermediaries. Thanks to this system, Balancer positioned itself as one of the most advanced DeFi platforms, offering users the ability to trade freely in a transparent environment programmed through smart contracts.
Balancer’s architecture allows users to deposit assets—such as ETH, staking tokens, or other crypto assets—into liquidity “pools,” receive representative tokens in exchange for their stake, and swap assets directly within those pools. In return for providing liquidity, participants earn fees from trades executed on Balancer, while the protocol itself also takes a fraction of those fees. However, as with other automated market systems, liquidity providers in Balancer assume inherent risks, such as impermanent loss or exposure to vulnerabilities in the smart contracts governing the protocol’s operations.
As an open, modular, and easily integrable liquidity infrastructure, Balancer has been widely adopted and also replicated—or “forked”—by numerous projects seeking to leverage its base code. Today, derivative versions of Balancer operate across multiple networks, demonstrating the protocol’s significant technical influence. However, this same expansion makes Balancer both a reference point and a potential risk hotspot: a vulnerability in Balancer not only affects its own platform but can spread and compromise an entire ecosystem of projects relying on its architecture.

Summary of the attack
On November 3, 2025, Balancer suffered a massive exploit that put its entire infrastructure at risk. The attack directly affected the Composable Stable pools of Balancer V2, resulting in one of the largest losses recorded in the protocol’s history. Preliminary figures estimated losses around $128 million (approximately €118 million) across multiple blockchain networks. This incident marked a turning point for Balancer, which until then was considered one of the most secure and reliable systems in the DeFi ecosystem.
Within the total amount stolen from Balancer, several key figures highlight the attack’s scale:
- 6,850 osETH, a staking-linked token, valued at approximately $26.9 million.
- 6,590 WETH (Wrapped Ether), valued at about $24.5 million.
- 4,260 wstETH (wrapped staked ETH from Lido), with an estimated value of $19.3 million.
The largest volume of losses occurred on the Ethereum network, with approximately $99 million drained from the affected pools. However, the Balancer attack was not limited to this main network: secondary ecosystems such as Arbitrum, Base, Optimism, Polygon, Sonic, Berachain, and Avalanche were also affected, demonstrating the interconnection of Balancer’s code and liquidity across multiple blockchain environments.
Following a rapid internal investigation, the platform confirmed that the exploited vulnerability exclusively affected Balancer V2’s Composable Stable pools, while the latest version, Balancer V3, remained completely intact. This distinction was key to containing panic and preserving part of Balancer users’ trust.
Once the incident was discovered, Balancer’s technical team acted quickly and precisely. Balancer decided to pause all vulnerable pools to prevent further damage, activated “recovery mode” allowing liquidity providers to withdraw funds that had not yet been compromised, and coordinated efforts with cybersecurity and blockchain forensic experts. Additionally, Balancer collaborated with a group of ethical hackers (white hats) who actively participated in tracking malicious transactions, aiming to identify the flows of stolen funds and recover, as much as possible, part of the lost capital.
Within hours, the Balancer attack became one of the most discussed events in the entire DeFi sector, not only because of the economic magnitude of the damage but also because it revealed technical vulnerabilities in a protocol that had until then been seen as a pillar of security and stability in the decentralized finance universe.
Technical details of the exploit
To understand what happened at Balancer, it is necessary to delve into certain technical aspects of its smart contracts, the mathematical logic of its pools, and how an apparently “small” error turned into a multimillion-dollar hole for Balancer and its users.
1. Balancer V2 Architecture
In V2, Balancer separated the main “Vault” contract, responsible for storing tokens, from the “Pool” contracts, where swap logic is executed. This design improved efficiency and allowed liquidity to be reused across different pools, but it also created a single point of failure if the contracts’ logic was vulnerable. Balancer’s Composable Stable pools mix “stable” tokens such as staked ETH, osETH, and other staking derivatives, which increases complexity and the risk of arithmetic errors.
2. The vulnerability: a rounding error
The exploit that hit Balancer originated from a rounding error in the internal upscale function, used together with batchSwap. This flaw caused scaling calculations for very small balances to lose decimal precision. The attacker exploited this weakness to alter the pool’s “invariant,” artificially reducing the value of certain tokens and draining Balancer funds. By combining hundreds of microtransactions into a single operation, the attacker amplified the error and emptied the reserves within minutes.
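As an added illustration rather than Balancer’s own code, the following Python model of 18-decimal fixed-point scaling shows why truncating in an upscale step discards a large fraction of very small amounts while leaving large amounts exact, and sketches the precision guard a pool could apply before accepting a swap step; the rate value and error tolerance are constructed.

```python
# Constructed model of 18-decimal fixed-point scaling; not Balancer's code.
ONE = 10**18  # fixed-point unit

def mul_down(a: int, b: int) -> int:
    """Fixed-point multiply that truncates toward zero."""
    return (a * b) // ONE

def mul_up(a: int, b: int) -> int:
    """Fixed-point multiply that rounds up (unless the product is zero)."""
    product = a * b
    return 0 if product == 0 else (product - 1) // ONE + 1

def scaling_factor(decimals: int, rate: int) -> int:
    """Factor taking a raw token amount to 18 decimals and applying a
    rate-provider rate (e.g. a staked-ETH exchange rate) given in 1e18 units."""
    return 10 ** (18 - decimals) * rate

def upscale(amount: int, factor: int, round_up: bool = False) -> int:
    """Scale a raw amount up; the caller chooses the rounding direction so it
    can always round against the party being credited."""
    return mul_up(amount, factor) if round_up else mul_down(amount, factor)

def downscale(amount18: int, factor: int) -> int:
    """Inverse of upscale, truncating toward zero."""
    return (amount18 * ONE) // factor

def relative_rounding_error(amount: int, factor: int) -> float:
    """Fraction of value lost by truncation when 'amount' is upscaled
    (exact result is amount*factor/ONE; both sides compared over ONE)."""
    exact = amount * factor
    got = mul_down(amount, factor) * ONE
    return (exact - got) / exact if exact else 0.0

def round_trip_loss(amount: int, factor: int) -> int:
    """Raw units lost by upscaling and then downscaling the same amount."""
    return amount - downscale(upscale(amount, factor), factor)

def check_scaling_precision(amount: int, factor: int, max_rel_error: float) -> bool:
    """Guard a pool could apply per swap step: reject an amount whose
    truncation error exceeds the tolerance rather than silently accepting it."""
    return relative_rounding_error(amount, factor) <= max_rel_error

if __name__ == "__main__":
    rate = 1_234_567_890_123_456_789  # constructed rate (~1.2346) in 1e18 units
    factor = scaling_factor(18, rate)
    for amount in (1, 9, 10**6, 10**18):  # tiny amounts lose a large fraction
        print(amount, upscale(amount, factor), round_trip_loss(amount, factor),
              f"{relative_rounding_error(amount, factor):.2%}",
              check_scaling_precision(amount, factor, 1e-6))
```

Running the script shows a one-unit amount losing roughly a fifth of its value to truncation and the whole unit on a round trip, while a 10**18 amount scales exactly; a batch of many such tiny steps is where a per-step error becomes material.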
3. A multi-chain attack
Due to Balancer’s multi-chain design, the attack spread to networks such as Ethereum, Arbitrum, Base, Polygon, Sonic, Berachain, Avalanche, and Gnosis. Since many projects reuse Balancer V2’s base code, the vulnerability automatically replicated, turning the attack into a systemic problem affecting much of the DeFi ecosystem.
4. It was not a key theft, but a contract bug
The Balancer case was not due to stolen private keys or unauthorized administrative access. It was, in reality, the legitimate exploitation of a logical flaw in the smart contract. Balancer’s code executed exactly what it was programmed to do, but in this case, the result was economically catastrophic.
5. Speed and sophistication
The Balancer attacker acted with precision and speed. Within minutes, tens of millions of dollars were moved across various transactions, using bridges and mixers to conceal the funds’ origin and destination. The speed and sophistication of the attack surprised even security experts, making it clear that Balancer was the victim of a carefully planned and technically flawless operation.

Protocol Reaction and Recovery Efforts
The Balancer team reacted with exemplary speed after confirming the attack, showing the responsiveness that has always characterized Balancer in the face of critical crises. As soon as the vulnerability was detected, Balancer immediately paused all compromised pools—particularly the Composable Stable pools of Balancer V2—and activated “recovery mode,” giving liquidity providers the opportunity to withdraw the remaining funds. At the same time, Balancer announced a reward of 20% of the stolen amount, equivalent to around 20 million euros, as an incentive for ethical hackers to collaborate in the recovery of the stolen assets.
Balancer’s strategy was not limited to technical actions: it also involved close collaboration with forensic investigators, cybersecurity teams, and international authorities to trace the addresses and transactions related to the attack. In parallel, Balancer published a preliminary report detailing the vulnerability, the mitigation measures adopted, and the steps to be taken to strengthen its infrastructure.
The impact of the Balancer attack was so large that other protocols had to act urgently to avoid a domino effect. Several projects that depended on Balancer V2’s code took immediate measures: Berachain temporarily halted its blockchain to execute an emergency hard fork, while Sonic Labs, Gnosis, and Monerium froze addresses linked to the attackers to stop the contagion.
Even so, Balancer achieved some encouraging results thanks to ecosystem cooperation. StakeWise DAO, a Balancer ally, recovered around 19 million dollars in osETH and 1.7 million in osGNO, while other security groups intercepted nearly 600,000 dollars in stolen assets. These partial recoveries demonstrated the effectiveness of the coordinated response and the importance of joint work between Balancer and the DeFi community. However, Balancer still faces the challenge of recovering most of the funds, which remain dispersed across multiple chains and addresses under the control of the attackers.
Impact on the DeFi Ecosystem
1. Loss of trust and liquidity outflow
After the hack, Balancer suffered an unprecedented loss of trust. Balancer’s Total Value Locked (TVL) collapsed by 58%, falling from over 440 million dollars to barely 185 million. Many liquidity providers decided to withdraw their funds from Balancer for fear of new attacks, creating a domino effect that affected not only Balancer itself but also other protocols that share similar structures and code. This collapse highlighted that Balancer’s reputation, built over years, can be shaken in a matter of hours when security is questioned.
2. Audits under review
The Balancer case sparked an urgent debate about the effectiveness of traditional smart contract audits. If a rounding error in Balancer could go unnoticed for years, how many similar vulnerabilities could exist in other widely audited contracts? The Balancer incident suggests the need for more rigorous formal analysis, extreme economic simulations, and automatic pause mechanisms in Balancer pools and other protocols in the event of anomalous behavior.
3. Systemic risk and contagion
Balancer’s vulnerability was not limited to its own infrastructure: it spread to derivative projects that depended on its base code. This contagion effect demonstrated the level of interdependence in the DeFi ecosystem and how Balancer’s “composability,” previously considered its greatest strength, can turn into a serious weakness when a flaw replicates on a large scale. The lesson left by Balancer is clear: protocols must audit not only their own code but also inherited code from projects like Balancer to prevent a single flaw from becoming a systemic risk.
4. Balancer V3 and the path to recovery
The good news is that Balancer V3 was not affected by the attack. This gives Balancer a valuable opportunity to rebuild its reputation and migrate liquidity toward a more secure infrastructure. Balancer’s roadmap now involves fixing errors, reinforcing transparency, and regaining users’ trust. However, Balancer will need to implement communication strategies and new incentives to attract back lost liquidity and reactivate its ecosystem.
5. Lessons for users
The Balancer case leaves practical lessons for all users in the DeFi environment. Liquidity providers should remember that even a prestigious protocol like Balancer is not exempt from risks. It is essential to diversify funds, revoke permissions from inactive contracts, and periodically review audits and contract versions in use. Additionally, participants in Balancer and other DeFi protocols must understand that, ultimately, the responsibility for risk always lies with the user, regardless of the project’s prestige or longevity.

The Balancer case represents much more than a simple hack within the DeFi ecosystem: it is a warning about the dangers of interconnectivity, excessive trust in open-source code, and the lack of deep mathematical audits. Balancer, which for years was a symbol of innovation and efficiency in automated liquidity management, has shown that even the most advanced protocols can be vulnerable if constant oversight does not exist. The Balancer attack revealed the limits of decentralization when security does not keep pace with technology. In a matter of minutes, Balancer went from being a model of stability to an example of systemic risk, making it clear that in DeFi, reputation does not replace protection.
Even with the losses suffered, Balancer has shown resilience. Its technical team, allied developers, and the Balancer community have mobilized to rebuild trust and strengthen the architecture of Balancer V3, demonstrating that the protocol’s foundations remain solid. However, this episode forces the entire industry to reflect on the need for better practices, automatic contract reviews, and collaboration among companies to prevent similar incidents. The lesson Balancer leaves is clear: security is not a luxury but a continuous obligation that must evolve at the same pace as innovation.
The Balancer story should serve as a guide for any project or company operating in the blockchain environment. In a world where the speed of technological development often surpasses the ability to respond to threats, having strategic cybersecurity partners is crucial. If your company wants to strengthen its systems, audit its smart contracts, or improve the security of its DeFi infrastructure, ITD Consulting can help. Write to us at [email protected] and discover how our team can protect your projects before the next “Balancer case” occurs.