Ethereum-based DeFi protocol Balancer has been hit by a major exploit, resulting in approximately $120 million stolen across different chains. Balancer hard forks may be impacted, while projects tapping into Balancer’s services also feel the pain. In this article we take a look at the exploit, and tell you what you can do to protect yourselves.
Before we dive into the Balancer exploit, let’s first talk about the importance of Balancer in the wider DeFi ecosystem.
Balancer is among the oldest DeFi protocols, and fundamental to the ecosystem. Launched in 2020, Balancer is a decentralized protocol built on Ethereum and compatible with various EVM chains, functioning as an automated market maker (AMM) and portfolio manager. It empowers users to create customizable liquidity pools that go beyond the traditional 50/50 splits seen in other AMMs like Uniswap. Instead, Balancer allows pools with up to eight different tokens, each with adjustable weights. This flexibility turns Balancer into more than just a DEX; it’s like an automated index fund for crypto.
This makes Balancer a foundational pillar driving DeFi’s evolution. With total value locked (TVL) metrics often highlighting its prominence among top protocols, Balancer has consistently ranked in user activity and innovation charts. Its importance stems from solving key pain points in liquidity provision: inefficiency and rigidity. By enabling weighted pools, it reduces impermanent loss for LPs and provides deeper liquidity for traders, making DeFi more capital-efficient overall. It’s influenced the growth of yield farming, liquidity mining, and even inspired forks and integrations across the space, while Balancer also supports upcoming ecosystems such as Base.
Balancer metrics before the hack
At the time of the hack, Balancer had over $626 million stored in its smart contracts. This value was stored across a variety of chains, including Ethereum, Polygon, Optimism, Arbitrum, and Base. In addition, the DeFi protocol supports smaller chains, such as Berachain, Gnosis and Fraxtal.
Looking at the tokens stored into its contracts, various forms of staked ETH stand out. In addition, 18.2% is $AAVE, which may place a target on the back of the leading lending protocol.
On a normal day, Balancer sees approximately 800 wallets engage with its smart contracts. On the day of the exploit that number already increased to more than 1,280 unique active wallets. This suggests that users are trying to safe their liquidity.
Balancer metrics after the hack
24 hours after the Balancer V2 pools were exploited, the DeFi protocol now has $338.6 million in Total Value Locked (TVL). That’s a 46% drop. The drop is consistent across every chain supported by Balancer.
Looking at the token still stored in the Balancer contracts, we see that only $AAVE was hardly impacted. For example, $wETH dropped from $78 million to currently $27 million. At the same time $wstETH plunged from $53 million to $28 million. These liquid staking tokens have all seen a 65%+ drop in liquidity, as it was stolen by the hacker.
In the past 24 hours since the hack, 1,290 unique active wallets engaged with Balancer. That’s a 60% increase from any normal day. More shocking is that the incoming volume into the platform dropped 92% to $154 million. This shows that the protocol has damaged its reputation and currently trust is at a low level.
Let’s take a look at the events that happened…
Balancer exploit timeline
- November 3, 07:48 UTC – Balancer Exploiter transfers 6,587 $wETH, 6,851 $osETH, and 4,259 $wstETH to a new wallet. (Etherscan)
- November 3, 08:18 UTC – Balancer moderator confirms the exploit. Confirms V2 pools affect, while V3 pools are safe. (X.com/Romanson00)
- November 3, 08:48 UTC – Nansen dives into the size of the exploits and reveals $70.9 million stolen (X.com/Ghazwanali18)
- November 3, 09:06 UTC – Attacker continuous operations across multiple chains, amount increased to $110 million (SpecterAnalyst)
- November 3, 09:10 UTC – Peckshield and LookOnchain confirm breach with transaction details, losses increased to $116 million. Users advised to revoke approvals. (Coinpedia)
- November 3, 09:17 UTC – Coindesk reports on the hack, and mentions that $BAL lost 5% of value since the hack was uncovered. (Coindesk)
- November 3, 09:39 UTC – Balancer team issues first official statement, acknowledging the attack. Engineering and security teams prioritize investigations. (Balancer)
- November 3, 10:02 UTC – Balancer offers 20% white hat bounty on the stolen assets with 48 hours validity in an effort to encourage return of funds. (Bitget)
- November 3, 10:08 UTC – Community issues warnings as 27+ Balancer forks my face similar issues as Balancer. (DDimitrovv22)
- November 3, 10:11 UTC – Berachain validators halt the network and execute emergency hard fork to recover affected funds from Balancer-related exploit on BEX. (Berachain)
- November 3, 11:02 UTC – Main exploiter wallet contains $95 million, and total losses now surpass $120 million. (WaleSwoosh)
- November 3, 11:40 UTC – Hacker may have used AI tools to perform the hack as they added console logs, suggesting ‘vibe coding’. (AdiFlips)
- November 3, 13:13 UTC – Hack mechanics unveiled: Attackers spoofed withdrawals using WITHDRAW_INTERNAL, bypassing sender checks. They used flash loans and some manipulation to print cheap tokens, drain liquidity, and exit the platform clean. (Famous0x3)
- November 3, 15:29 UTC – Web3 Is Going Just Great logs the hack at least at $110 million, and marks the incident as the biggest DeFi hack of 2025 so far. (Web3isgreat) (They forgot about Cetus Protocol on Sui. -ed.)
- November 3, 15:59 UTC – Sonic Labs freezes the wallet of the attacker. There’s criticism on this as well. (NoaNuman)
- November 3, 16:21 UTC – Stablecoin xUSD from Stream Finance has depegged as the result of market uncertainty surrounding the Balancer DeFi hack. This happened while Stream Finance has been the centre of controversy earlier over recursive mint mechanics. (Omer Goldberg)
- November 3, 19:00 UTC – Stream Finance and their liquidity crisis results in approximately $93 million in losses and suspended withdrawals at StreamDeFi. The vulnerabilities cascade to protocols like Euler, Morpho and Silo. (MarcosBTCreal)
- November 3, 17:45 UTC – Balancer TVL dropped from $815 million to currently $388 million. (DeFiLlama) That drop isn’t only done by the hacker, but also by other Web3 users removing their liquidity to protect their positions.
- November 4, 07:57 UTC – Curve Finance expressed support for Balancer, analyses the exploit, and advises DeFi projects to double-check math logic and design for error forgiveness. (Curve)
- November 4, 08:05 UTC – Berachain is distributing the hard fork binary to validators to patch the Balancer V2 vulnerability and resume operations. (The Block)
- November 4, 08:11 UTC – Reports confirm that Balancer has recovered $19.3 million through a contract call white-hat counter-exploit, shortly after the hack took place. (Crypto News)
- November 4, 08:30 UTC – Sonic Labs has frozen two wallets from the attacker, and announced a security upgrade. The team works with the teams from Balancer and BeetsFi to trace impacted assets. (KyleDoops)
- November 4, 08:52 UTC – Gaming DEX on Oasys announced no impact from the Balancer hack, despite being a V2 fork. Gaming DEX avoids composable stable pools and operates in a permissioned environment. They’re safe. (GamingDEX)
- November 5, 16:12 UTC – Balancer publishes a preliminary post-mortem report confirming the nature and mechanics of the $116 million exploit. The team explains how the attacker manipulated the rounding function in EXACT_OUT swaps and offers a 20% white-hat bounty for the return of the stolen funds. Balancer also reports partial recovery, with 5,041 osETH (≈$19M) and 13,495 osGNO (≈$2M) frozen or recovered through partner support. (Balancer)
How to protect yourself against the Balancer exploit?
Web3 can be liberating for some, but this ecosystem also comes with a wide range issues. Now that Balancer has been exploited, you should make sure that you’re not exposed to the aftermath. That’s why we’ve compiled a list of tips for you, to help you navigate this treacherous incident a bit easier.
- If you’ve got money in V2 pools on Balancer, make sure to withdraw your funds. If your pool already has been affect, refrain from engaging with it.
- Instead revoke your approvals for smart contracts on Balancer using Revoke.cash or the KwikClaim tool that we have linked in your Portolio page.
- It’s also an idea to look at Balancer V2 forks, and remove your liquidity there while also revoking smart contract access. Among the forks are Hexagon Finance on Avalanche, HoldrFi on Aurora, PHUX on PulseChain, Jellyverse, KLEX Finance, BeetsFi and many more. (Full list of forks on DeFiLlama)
- Keep your eyes on the Balancer X account, and follow LookOnchain and PeckShieldAlert.
Closing words
During this calendar year, more than $9 billion has been stolen already through hacks and exploits. The Balancer exploit has been among the most prominent ones, only outshined by the $1.4 billion Bybit exploit, the $286 million Libra meme token scam, $330 million in Bitcoin phishing, the $260 million Cetus Protocol hack, and the $5.5 billion Mantra exploit. Updated loss figures suggest over $128 million was stolen across chains, while Ethereum was hit the hardest with $99 million lost. We will keep updating this article as the story develops.
