Thursday, March 5, 2026

Balancer DeFi Protocol Exploit Leads To $100 Million Crypto Theft

The Balancer protocol suffered a sophisticated exploit on November 3, 2025, resulting in the theft of over $100 million in cryptocurrency assets.

The attack targeted Balancer’s V2 Composable Stable Pools across multiple blockchains, including Ethereum, Base, Polygon, Arbitrum, Optimism, and Sonic, marking one of the largest DeFi hacks of the year.

Blockchain analytics firms like PeckShield and Cyvers quickly detected the breach, with losses escalating from initial estimates of $70 million to approximately $128 million as the full scope emerged.

The Mechanics Of The Exploit

The vulnerability stemmed from a flaw in the protocol’s access control mechanisms within the V2 pools, allowing the attacker to manipulate the Stable Math invariant, known as D, which governs pool balances.

This distortion artificially lowered the price of Balancer Pool Tokens (BPT), enabling the hacker to withdraw disproportionate amounts of liquidity without proportional deposits.

Key assets drained included around 7,838 WETH valued at $29 million, 6,341 osETH at $24.8 million, and 4,260 uniETH at $67.8 million, funneled through a series of rapid transactions starting with a mainnet transfer.

Scaling and rounding discrepancies in the smart contracts exacerbated the issue, creating exploitable deviations when operations were repeated in small increments.
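The rounding effect described above can be checked with a small regression test. This is an added example, not Balancer's code and not taken from the original article: `ToyPool`, its balances and rates are hypothetical, and the Stable Math invariant D is simplified here to a sum of rate-scaled balances.

```python
ONE = 10**18  # 18-decimal fixed point, the usual scale in Solidity math libraries

def mul_down(a, b): return a * b // ONE
def mul_up(a, b): return -(-(a * b) // ONE)      # ceiling of a*b/ONE
def div_down(a, b): return a * ONE // b
def div_up(a, b): return -(-(a * ONE) // b)      # ceiling of a*ONE/b

class ToyPool:
    """Hypothetical two-token pool; D is simplified to the sum of rate-scaled balances."""

    def __init__(self, bal_x, bal_y, rate_x, rate_y, favour_pool):
        self.bal = {"x": bal_x, "y": bal_y}
        self.rate = {"x": rate_x, "y": rate_y}
        self.favour_pool = favour_pool

    def invariant(self):
        return sum(mul_down(self.bal[t], self.rate[t]) for t in ("x", "y"))

    def swap_given_out(self, amount_out):
        """Caller takes amount_out of y; returns the amount of x the pool charges."""
        if amount_out <= 0 or amount_out >= self.bal["y"]:
            raise ValueError("amount_out must be positive and below the y balance")
        mul, div = (mul_up, div_up) if self.favour_pool else (mul_down, div_down)
        scaled_out = mul(amount_out, self.rate["y"])   # upscale what leaves the pool
        amount_in = div(scaled_out, self.rate["x"])    # downscale what the caller owes
        self.bal["x"] += amount_in
        self.bal["y"] -= amount_out
        return amount_in

def invariant_drift(favour_pool, amount_out, steps):
    """Change in D after `steps` identical swaps on constructed balances and rates."""
    pool = ToyPool(10**6, 10**6, ONE, 3 * ONE // 2, favour_pool)
    before = pool.invariant()
    for _ in range(steps):
        pool.swap_given_out(amount_out)
    return pool.invariant() - before

if __name__ == "__main__":
    for favour_pool in (False, True):
        print(favour_pool, invariant_drift(favour_pool, 1, 1000),
              invariant_drift(favour_pool, 1000, 1))
```

With truncating arithmetic, the same total volume leaves D unchanged as one large operation but lowers it when split into many small ones; rounding every step in the pool's favour keeps the drift non-negative, which is the property a test suite should assert.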

Despite Balancer’s history of over 10 audits by top firms and an ongoing bug bounty program, the composable design of these pools, intended to enhance liquidity efficiency, amplified the risk, as nested interactions between pools facilitated the rapid drainage.

This incident echoes a smaller 2023 exploit that cost the protocol $238,000, underscoring persistent challenges in smart contract security.

Response And DeFi Implications

Balancer’s team swiftly acknowledged the incident around 7:48 AM UTC, confirming the issue was isolated to V2 Composable Stable Pools and pausing affected ones to enter recovery mode.

Unaffected V3 pools and other Balancer products continued operating normally, with the protocol collaborating with security researchers for a full post-mortem.

The exploit’s ripple effects included a 4% drop in the BAL token price and a temporary halt on Berachain’s network for an emergency hard fork to contain linked risks.

As stolen funds moved to suspicious wallets, experts urged users to revoke approvals, monitor transactions via tools like Etherscan, and avoid fraudulent communications mimicking the team’s updates.

This event highlights the fragility of DeFi’s interconnected architecture, where even audited protocols remain vulnerable to novel attacks, prompting calls for real-time auditing and enhanced safeguards.

With over $700 million in assets under management pre-incident, Balancer’s recovery efforts will test the community’s resilience amid growing scrutiny of DeFi security practices.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
