Balancer DeFi Protocol Weakened by Major Attack

Recently, the importance of the decentralized finance (DeFi) protocol Balancer in the cryptocurrency market has increased, and it has once again become the target of an attack. Approximately $110 million worth of digital assets were transferred to different wallets during this event, which drew the attention of investors and resulted in a significant decrease in the price of Balancer’s BAL token.

The attack started with the impact on Balancer’s V2 vaults and quickly spread to the Sonic, Polygon, and Base networks. According to data from Nansen and Lookonchain, among the assets belonging to the attackers are 6,850 osETH, 6,590 WETH, and 4,260 wstETH. Initially estimated at around $70 million, the loss has been reassessed and reported to have risen to $116.6 million.

The attack was found to have originated from an access control error in Balancer’s “manageUserBalance” function. The security analysis tool Decurity noted that due to a logic error in the “validateUserBalanceOp” function, unauthorized users were allowed to withdraw their internal balances using the WITHDRAW_INTERNAL operation. This situation paved the way for attackers to withdraw funds from the vaults uncontrollably.

Following the attack, there has been a value loss of more than 5% in the Balancer (BAL) token over the last 24 hours. While the Balancer team has not yet made an official statement, community members have begun to execute withdrawal operations for their funds in the protocol. The core vault of the protocol holds all the tokens from Balancer's pools in a single smart contract. Although this structure was designed to enhance security in the past, the incident has highlighted how chain risks can impact the entire ecosystem from a single point.

Additionally, Beets Finance, built on the Balancer infrastructure, has also been affected by the attack and has reported a loss of over $3 million from the project. According to DeFiLlama’s data, there are currently over $60 million in locked assets in Balancer V2-based projects, which have also been reported to be at risk.

This incident marks the third major security breach recorded for Balancer following attacks in 2021 and 2023. Considered one of the largest attacks of the year in the broader DeFi ecosystem, this development has once again revealed that decentralized finance platforms still face serious security vulnerabilities.