💣 Balancer Hack: Over $116 Million Stolen, Major Hit to DeFi Security
On November 3, 2025, the veteran DeFi protocol Balancer was hit by a massive exploit that resulted in a loss of over $116 million in various digital assets. The attacker exploited a smart contract vulnerability in the Balancer V2 Vault and its related liquidity pools, deploying a malicious contract that manipulated authorization and callback processes during pool initialization. This enabled unauthorized asset swaps and balance manipulation across interconnected pools on multiple chains.
 
The stolen assets primarily consisted of Liquid Staking Tokens (LSTs), including WETH, wstETH, osETH, frxETH, rsETH, and rETH. The financial damage was widespread:
 
Ethereum Mainnet: Accounted for nearly $100 million in losses.
 
Arbitrum, Base, Sonic, Optimism, and Polygon: Contributed the remaining losses, totaling over $16 million.
 
This was a pure smart contract exploit, unrelated to private key compromise. The incident sent shockwaves across the DeFi sector and caused systemic reactions. Berachain, a protocol linked to the affected pools, was forced to proactively suspend its public network and coordinate an emergency hard fork to patch the Balancer V2-related vulnerability, illustrating the systemic risk of such exploits.
 
Hasu, a strategic advisor for Lido, voiced significant concern, stating that an attack on a well-established and frequently audited contract like Balancer V2 could set back DeFi adoption by six to twelve months due to a loss of user trust.

For users of Balancer, immediate actions included withdrawing funds from unaffected V2 pools and, critically, revoking smart contract approvals via tools like Revoke.cash or Etherscan to mitigate further potential risks.

On-chain analysis indicates the hacker is already attempting to swap the stolen LSTs for more liquid assets like ETH and stablecoins, making recovery unlikely.
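
The approval check behind the revocation advice above, as an added example (not from the original article or from Balancer): it replays ERC-20 `Approval` logs to list the allowances an owner still has open to a given spender. All addresses and log entries are constructed placeholders, and the function names are hypothetical.

```python
# Added example. Addresses and logs below are constructed placeholders, not real contracts.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def open_approvals(logs, owner):
    """Replay Approval logs in chain order -> {(token, spender): amount} still non-zero."""
    owner, state = owner.lower(), {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but indexes tokenId (4 topics); skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner:
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        amount = int(log["data"], 16)
        if amount == 0:
            state.pop(key, None)      # approve(spender, 0) is a revocation
        else:
            state[key] = amount       # latest approval overwrites earlier ones
    return state

def to_revoke(logs, owner, watched_spenders):
    """(token, spender) pairs still approved to a spender the owner wants cut off."""
    watched = {s.lower() for s in watched_spenders}
    return sorted(k for k in open_approvals(logs, owner) if k[1] in watched)

# Constructed sample data (hypothetical addresses).
OWNER, SPENDER, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20

def mk_log(token, spender, amount, block, index, owner=OWNER):
    pad = lambda a: "0x" + "00" * 12 + a[2:]
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x"), "blockNumber": block, "logIndex": index}

SAMPLE_LOGS = [
    mk_log(TOKEN_B, SPENDER, 0, 150, 1),               # revocation (listed out of order)
    mk_log(TOKEN_A, SPENDER, 2**256 - 1, 100, 0),      # unlimited approval, never revoked
    mk_log(TOKEN_B, SPENDER, 500, 101, 3),             # approved, then revoked at block 150
    mk_log(TOKEN_B, OTHER, 10, 160, 0),                # open, but to an unwatched spender
    mk_log(TOKEN_A, SPENDER, 7, 170, 0, owner=OTHER),  # different owner, ignored
]

if __name__ == "__main__":
    print(to_revoke(SAMPLE_LOGS, OWNER, [SPENDER]))
```

Log replay gives an upper bound, since `transferFrom` can reduce an allowance without emitting `Approval`; confirm each result with the token's `allowance()` before and after sending the revoke transaction.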