Ethereum DEX hacked for over $100 million


On November 3, 2025, Balancer, an Ethereum-based decentralized exchange (DEX), was exploited and an estimated $116 million worth of digital assets was stolen.

The incident is one of the biggest hacks of decentralized finance (DeFi) platforms this year, and the worst in Balancer's history. The attack may have affected some of the liquidity deposited at the exchange.

The DEX team confirmed the attack from its X account.

We are aware of a potential exploit affecting Balancer V2 pools. Our engineering and security teams are conducting the investigation as a top priority. We will share verified updates and next steps as more information becomes available.

Balancer team.

In these DEXs, a “pool” is a smart contract that pools users’ funds and facilitates the exchange of tokens without intermediaries.

The fact that the exploit affected these pools means that a malicious attacker may have discovered a vulnerability in the contract code that allowed its normal functioning to be altered and assets to be withdrawn.

The drained funds include wrapped versions of Ether, according to data from security firm PeckShield.

  • 6,587 WETH ($24.4 million).
  • 6,851 osETH (approximately $27 million).
  • 4,260 wstETH ($19.3 million).
  • Stablecoins and over 60,000 ERC-20 standard tokens.

At the time of writing, the on-chain research platform Nansen and cryptocurrency trader Ted Pillows put the total cost of the hack at $116 million.

Meanwhile, as reported by CriptoNoticias, the price of BAL, the DEX’s native token, collapsed after the Balancer hack.

How was the attack on Balancer, an Ethereum-based DEX, carried out?

According to on-chain researchers’ analysis, the attack targeted the vaults and liquidity pools of Balancer version 2 (V2).

In this protocol, vaults are smart contracts that store the funds of all pools and coordinate exchange operations between pools.

During pool creation or initialization, these contracts perform a series of “calls” to communicate orders between the various components of the system, such as registering new assets or setting liquidity parameters.

The attacker could have deployed a malicious contract that intercepted and manipulated those calls during the configuration process, managing to change the expected behavior of the vault.

The failure lay in how the protocol handled permission for contracts to interact through an automatic function known as a “callback”. This allows one contract to respond or perform a task when it calls another contract.

By exploiting a weakness in this mechanism, an attacker could cause the contract to perform unauthorized operations, such as swapping or transferring tokens, without proper validation.

This allowed the attacker to move funds rapidly and in a cascade between pools and to extract some of the stored assets before the system or the validators could react.
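
The class of weakness described above, shown as an added illustration: a vault that trusts whichever contract answers its pricing callback, beside a version that takes the callback target from its own registry. This is a simplified model, not Balancer's code and not a reproduction of the exploited contracts; `ModelVault`, `IPool`, `onSwap`, `swapWeak` and `swapChecked` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model for illustration; every name here is hypothetical and
// none of it is Balancer's code.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IPool {
    // Callback: the vault asks the pool how much tokenOut a swap pays.
    function onSwap(bytes32 poolId, uint256 amountIn) external returns (uint256);
}

contract ModelVault {
    address public immutable admin = msg.sender;
    mapping(bytes32 => address) public poolOf;                  // poolId => registered pool
    mapping(bytes32 => mapping(IERC20 => uint256)) public held; // per-pool accounting

    function registerPool(bytes32 poolId, address pool) external {
        require(msg.sender == admin && poolOf[poolId] == address(0), "not allowed");
        poolOf[poolId] = pool;
    }

    // WEAK: the callback target is supplied by the caller, so any contract
    // can answer onSwap() and dictate the payout from this pool's funds.
    function swapWeak(bytes32 poolId, IPool pool, IERC20 tIn, IERC20 tOut, uint256 amountIn)
        external returns (uint256 out)
    {
        out = pool.onSwap(poolId, amountIn);
        _settle(poolId, tIn, tOut, amountIn, out);
    }

    // HARDENED: the callback target comes from the vault's own registry,
    // so only the contract registered for this poolId can price the swap.
    function swapChecked(bytes32 poolId, IERC20 tIn, IERC20 tOut, uint256 amountIn)
        external returns (uint256 out)
    {
        address pool = poolOf[poolId];
        require(pool != address(0), "unknown pool");
        out = IPool(pool).onSwap(poolId, amountIn);
        _settle(poolId, tIn, tOut, amountIn, out);
    }

    function _settle(bytes32 poolId, IERC20 tIn, IERC20 tOut, uint256 amountIn, uint256 out) private {
        held[poolId][tIn] += amountIn;
        held[poolId][tOut] -= out; // reverts on underflow in Solidity >= 0.8
        require(tIn.transferFrom(msg.sender, address(this), amountIn), "pull failed");
        require(tOut.transfer(msg.sender, out), "pay failed");
    }
}
```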
