Six accidents in five years have lost billions

PANews, 2025/11/04 12:43

By David, Deep Tide TechFlow

Exploits tend to land in the small hours; that is when hackers choose to strike.

With the whole crypto market already in a slump, a veteran DeFi protocol has taken a heavy hit.

On 3 November, on-chain data showed that the Balancer protocol appeared to have been hacked. Roughly $70.9 million of assets were moved to new wallets, including 6,850 osETH, 6,590 WETH and 4,260 wstETH.

Subsequently, according to Lookonchain's monitoring of the wallets involved, total losses from the attack rose to $116.6 million.

After the incident, the Balancer team said:

"An exploit that may affect Balancer v2 pools has been detected; our engineering and security teams are investigating the incident with high priority and will share verified updates and follow-up measures as more information becomes available."

The team also publicly offered a white-hat bounty of 20 per cent of the stolen assets for their return, valid for 48 hours.

The response was prompt, if formulaic.

But if you are a DeFi veteran, the headline "Balancer hacked" is not a surprise so much as an odd sense of déjà vu.

Founded in 2020, Balancer has suffered six security incidents in five years, more than one hack a year on average, and this latest one is the largest theft of them all.

Looking back at that history, in a market where trading is already hellish, even DeFi arbitrage may not be safe.

June 2020: deflationary-token vulnerability, loss of approximately $520,000

In March 2020, Balancer entered DeFi with the novel concept of a flexible automated market maker. Within three months, however, this ambitious protocol met its first nightmare.

Attackers exploited the protocol's mishandling of deflationary tokens, causing a loss of approximately $520,000.

The gist: at the time, a token called STA automatically burned 1% of every transfer as a fee.

The attackers borrowed 104,000 ETH via a dYdX flash loan and then traded back and forth between STA and ETH 24 times. Because Balancer did not correctly account for the actual balance after each transfer, the pool's STA was eventually depleted to just 1 wei. The attackers then took advantage of the extreme price imbalance and used trace amounts of STA to drain large quantities of ETH, WBTC, LINK and SNX.
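To make the accounting flaw concrete, here is an added toy model (not Balancer's code, and not from the original article): a constant-product pool holding ETH against a token that burns 1% of every transfer, as the article says STA did. The flawed pool credits the amount the caller declares; the corrected pool credits only the balance change it actually observes. The token, the pool, the account names ("pool", "trader") and the starting balances are all constructed for the example.

```python
from fractions import Fraction as F

BURN_BPS = 100  # 1% of every transfer is destroyed, as the article describes for STA


class BurnOnTransferToken:
    """Toy deflationary token: the recipient gets 1% less than the sender sent."""

    def __init__(self, balances):
        self.balances = {who: F(amt) for who, amt in balances.items()}

    def balance_of(self, who):
        return self.balances.get(who, F(0))

    def transfer(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        received = amount - amount * BURN_BPS / 10_000
        self.balances[src] = self.balance_of(src) - amount
        self.balances[dst] = self.balance_of(dst) + received
        return received


class ConstantProductPool:
    """Toy x*y=k pool of ETH (plain units) against the burn-on-transfer token.

    trust_declared_amount=True  -> credits the caller's declared amount (flawed accounting)
    trust_declared_amount=False -> credits only the balance delta the pool observes
    """

    def __init__(self, token, eth, trust_declared_amount):
        self.token = token
        self.eth = F(eth)
        self.recorded_sta = token.balance_of("pool")  # the pool is pre-seeded with STA
        self.trust_declared_amount = trust_declared_amount

    def swap_eth_for_sta(self, user, eth_in):
        sta_out = self.recorded_sta * eth_in / (self.eth + eth_in)
        self.eth += eth_in
        self.recorded_sta -= sta_out
        # the user receives sta_out minus the 1% burn; the pool's real balance drops by sta_out
        return self.token.transfer("pool", user, sta_out)

    def swap_sta_for_eth(self, user, declared_in):
        before = self.token.balance_of("pool")
        self.token.transfer(user, "pool", declared_in)
        observed_in = self.token.balance_of("pool") - before  # 1% less than declared
        credited = declared_in if self.trust_declared_amount else observed_in
        eth_out = self.eth * credited / (self.recorded_sta + credited)
        self.recorded_sta += credited
        self.eth -= eth_out
        return eth_out

    def accounting_drift(self):
        """How far the pool's bookkeeping has diverged from the real token balance."""
        return self.recorded_sta - self.token.balance_of("pool")


def run_round_trips(trust_declared_amount, rounds=24):
    """Swap ETH->STA, then all STA->ETH, `rounds` times (the article describes 24 round trips).

    Returns (recorded_sta, actual_sta) for the pool afterwards.
    """
    token = BurnOnTransferToken({"pool": 1_000, "trader": 0})  # constructed starting state
    pool = ConstantProductPool(token, eth=1_000, trust_declared_amount=trust_declared_amount)
    for _ in range(rounds):
        pool.swap_eth_for_sta("trader", F(100))
        pool.swap_sta_for_eth("trader", token.balance_of("trader"))
    return pool.recorded_sta, token.balance_of("pool")


if __name__ == "__main__":
    for trust in (True, False):
        recorded, actual = run_round_trips(trust)
        print(f"trust declared amount={trust}: "
              f"recorded={float(recorded):.4f} actual={float(actual):.4f}")
```

With declared amounts trusted, every round trip widens the gap between what the pool thinks it holds and what it really holds, and the pricing formula keeps quoting against the inflated figure; measuring the balance delta keeps the two identical. The practical check for any pool or vault is the same: never credit an inbound transfer by its argument, credit it by balance-after minus balance-before.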

March 2023: Euler contagion, loss of approximately $11.9 million

This time Balancer was an indirect victim.

Euler Finance suffered a $197 million flash-loan attack, and Balancer's bb-e-USD pool was exposed because it held Euler's eTokens.

When Euler was attacked, approximately $11.9 million flowed from Balancer's bb-e-USD pool into Euler, about 65 per cent of the pool's TVL. Although Balancer paused the pool as an emergency measure, the loss could not be recovered.

August 2023: Balancer V2 pool rounding vulnerability, loss of approximately $2.1 million

This attack was foreshadowed: on 22 August that year, Balancer itself disclosed the vulnerability and urged users to withdraw their funds, but the attack came five days later.

The vulnerability was a rounding error in V2 Boosted Pools. Through precise manipulation, the attackers skewed the calculation of BPT (Balancer Pool Token) supply and extracted assets from the pool at an incorrect exchange rate. The attack was carried out through multiple flash-loan transactions, with different security firms estimating losses ranging from $979 million to $2.1 million.
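As an added illustration of how rounding direction decides who absorbs the dust in pool-token accounting (not Balancer's code, and not from the original article), here is a single-asset toy pool that mints and redeems shares with integer arithmetic. The share formula, the starting numbers (chosen so the exchange rate is not a whole number) and the deposit-then-redeem loop are assumptions made for the example; the point is the general property that every rounding step must favour the pool.

```python
def div_floor(num, den):
    return num // den


def div_ceil(num, den):
    return -(-num // den)


class SharePool:
    """Toy pool issuing shares (think BPT) at the rate total_assets / total_shares."""

    def __init__(self, total_assets, total_shares, favor_pool):
        self.total_assets = total_assets
        self.total_shares = total_shares
        self.favor_pool = favor_pool  # True: round so the pool never loses value

    def deposit(self, assets):
        # shares = assets * total_shares / total_assets.
        # Rounding DOWN means a depositor never receives a share fraction the pool was not paid for.
        rnd = div_floor if self.favor_pool else div_ceil
        shares = rnd(assets * self.total_shares, self.total_assets)
        self.total_assets += assets
        self.total_shares += shares
        return shares

    def redeem(self, shares):
        # assets = shares * total_assets / total_shares.
        # Rounding DOWN means a redeemer never receives more than the shares are worth.
        rnd = div_floor if self.favor_pool else div_ceil
        assets = rnd(shares * self.total_assets, self.total_shares)
        self.total_shares -= shares
        self.total_assets -= assets
        return assets

    def assets_per_share_check(self):
        """Sanity invariant: the pool must still hold at least one asset per share."""
        return self.total_assets >= self.total_shares


def deposit_redeem_cycles(favor_pool, deposit, cycles):
    """Deposit then immediately redeem `cycles` times; return the pool's net asset change.

    Constructed starting state: 1,000,003 assets backing 1,000,000 shares, so the rate is
    1.000003 and every conversion has a remainder to round.
    """
    pool = SharePool(total_assets=1_000_003, total_shares=1_000_000, favor_pool=favor_pool)
    start = pool.total_assets
    for _ in range(cycles):
        shares = pool.deposit(deposit)
        pool.redeem(shares)
    return pool.total_assets - start


if __name__ == "__main__":
    print("rounding in the user's favour, net pool change:",
          deposit_redeem_cycles(favor_pool=False, deposit=1, cycles=5))
    print("rounding in the pool's favour, net pool change:",
          deposit_redeem_cycles(favor_pool=True, deposit=7, cycles=5))
```

When both mint and redeem round toward the user, each deposit-and-redeem cycle leaks a little value out of the pool with no net deposit; when they round toward the pool, the loop can only leave the pool richer. A property test that drives random deposit/redeem sequences and asserts the pool's net change is never negative is a cheap way to catch the wrong rounding direction before an audit does.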

September 2023: DNS hijacking attack, loss of approximately $240,000

This was a social engineering attack, aimed not at smart contracts but at traditional Internet infrastructure.

The hackers compromised the domain registrar EuroDNS through social engineering and hijacked the balancer.fi domain. Users were redirected to a phishing site that used Angel Drainer's malicious contract to lure them into approving transfers.

The attackers then laundered the stolen funds through Tornado Cash.

Although this was not strictly Balancer's fault, its brand was still used as bait for phishing.

June 2024: Velocore hacked, loss of approximately $6.8 million

Velocore was an independent project, and strictly speaking its theft had nothing to do with Balancer. But Velocore was a Balancer fork using the same CPM-based pool design, so in a sense the mechanism that was exploited originated in Balancer.

In that incident, the attacker reportedly exploited a flaw in Velocore's Balancer-style CPM pool contract to push the fee multiplier (feeMultiplier) above 100 per cent, causing an arithmetic error.

Combining flash loans with carefully constructed withdrawals, the attackers ultimately stole about $6.8 million.

November 2025: the latest attack, loss of billions

The technical cause of the attack has been provisionally identified. According to security researchers, the vulnerability lies in the access control check of the manageUserBalance function in Balancer V2, which governs user permissions.

According to analysis by the security monitoring firms Defimon Alerts and Decurity, the system should have verified who truly owned the account, but the code instead checked whether msg.sender (the actual caller) matched the op.sender parameter supplied by the user.

Because op.sender is a user-controlled input, an attacker can freely forge an identity, bypass authorization and execute WITHDRAW_INTERNAL (an internal-balance withdrawal).

Reportedly, this flaw lets anyone impersonate the owner of any account and withdraw its internal balance directly. That such a basic access control mistake, really a rookie error, appears in a mature five-year-old protocol is astonishing.
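The bug class the article points at, authorization that hinges on a caller-supplied identity field rather than on the authenticated caller, is easier to see in a small model. The following is an added example, not Balancer's code and not from the original article: a toy internal-balance vault with a batch operation that takes an op carrying a `sender` field. The flawed path never ties `op.sender` to the real caller (the article's rendering of the exact faulty comparison is garbled, so that condition is an assumption); the hardened path requires the caller to be `op.sender` or a relayer that `op.sender` explicitly approved. The vault, the op layout, the relayer model and the account names are all constructed for the example.

```python
from dataclasses import dataclass

WITHDRAW_INTERNAL = "WITHDRAW_INTERNAL"


@dataclass(frozen=True)
class UserBalanceOp:
    kind: str        # e.g. WITHDRAW_INTERNAL
    sender: str      # the account the op claims to act for; chosen by whoever builds the op
    recipient: str   # where withdrawn funds go
    amount: int


class InternalBalanceVault:
    def __init__(self, hardened):
        self.hardened = hardened
        self.internal = {}              # account -> internal balance held by the vault
        self.external = {}              # account -> tokens that have left the vault
        self.approved_relayers = set()  # (account, relayer) pairs the account opted into

    def deposit_internal(self, account, amount):
        self.internal[account] = self.internal.get(account, 0) + amount

    def approve_relayer(self, account, relayer):
        self.approved_relayers.add((account, relayer))

    def _authorize(self, msg_sender, op):
        if not self.hardened:
            # Flawed (assumed for the example): nothing binds op.sender to msg_sender, so the
            # identity written into the op is the identity whose balance gets debited.
            return
        # Hardened: derive the acting identity from the authenticated caller. Either the caller
        # IS op.sender, or op.sender has explicitly approved the caller as a relayer.
        if msg_sender == op.sender:
            return
        if (op.sender, msg_sender) in self.approved_relayers:
            return
        raise PermissionError(f"{msg_sender} is not authorized to act for {op.sender}")

    def manage_user_balance(self, msg_sender, ops):
        """Apply a batch of ops; each op is authorized against the real caller first."""
        for op in ops:
            self._authorize(msg_sender, op)
            if op.kind != WITHDRAW_INTERNAL:
                raise ValueError(f"unsupported op kind {op.kind}")
            if self.internal.get(op.sender, 0) < op.amount:
                raise ValueError("insufficient internal balance")
            self.internal[op.sender] -= op.amount
            self.external[op.recipient] = self.external.get(op.recipient, 0) + op.amount


def impersonation_attempt(hardened):
    """A stranger submits an op claiming sender='alice'; returns alice's balance afterwards."""
    vault = InternalBalanceVault(hardened)
    vault.deposit_internal("alice", 100)
    op = UserBalanceOp(WITHDRAW_INTERNAL, sender="alice", recipient="stranger", amount=100)
    try:
        vault.manage_user_balance("stranger", [op])
    except PermissionError:
        pass  # the hardened vault rejects the op; the flawed one silently honours it
    return vault.internal.get("alice", 0)


def relayer_flow():
    """Legitimate delegation still works in the hardened vault once alice opts in."""
    vault = InternalBalanceVault(hardened=True)
    vault.deposit_internal("alice", 100)
    vault.approve_relayer("alice", "relayer")
    op = UserBalanceOp(WITHDRAW_INTERNAL, sender="alice", recipient="alice_cold", amount=40)
    vault.manage_user_balance("relayer", [op])
    return vault.internal["alice"], vault.external["alice_cold"]


if __name__ == "__main__":
    print("flawed vault, alice's balance after impersonation:", impersonation_attempt(False))
    print("hardened vault, alice's balance after impersonation:", impersonation_attempt(True))
    print("hardened vault, approved relayer:", relayer_flow())
```

The review question this encodes is simple: for every privileged operation, which value decides whose assets move, and is that value something the caller can type? If the answer is a field in the calldata, the check is missing regardless of how many other comparisons surround it. The same test pattern (an unrelated caller submitting an op naming someone else's account, expecting rejection) belongs in the unit suite of any ledger that supports delegated operations.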

After reading this history of hacks, some reflections

What can we learn from this "hacking history"?

The author's feeling is that DeFi protocols in the crypto world tend to look fine from a distance and much worse up close; look carefully, and there is a great deal of technical debt hidden behind the narratives.

Take Balancer, the veteran DeFi protocol: it is no exception. One of its signature innovations is allowing up to eight tokens with user-defined weights in a single pool.

Compared with Uniswap's simple design, Balancer's complexity has grown exponentially.

With each additional token, the pool's state space expands sharply. When you try to balance the prices, weights and liquidity of eight different assets in one pool, the attack surface grows with it. The 2020 deflationary-token attack and the 2023 rounding vulnerability were essentially complex edge cases that were handled poorly.

Worse still, Balancer chose a path of rapid iteration. From V1 to V2 to the various Boosted Pools, each upgrade was layered on top of the old code. This accumulation of technical debt has turned the codebase into a fragile tower of blocks.

This latest attack, caused by an access control issue, is a basic design error that should not appear in a five-year-old protocol, and it perhaps suggests that maintenance of the project's code has to some extent gotten out of control.

Perhaps, now that narratives, profits and sentiment matter more than technology, whether the underlying code has vulnerabilities no longer seems important.

Balancer will certainly not be the last, and you never know when the black swans bred by DeFi composability will arrive. DeFi's tangled web of dependencies makes risk assessment nearly impossible.

Even if you trust Balancer's code, can you trust every one of its integration partners?

For bystanders, DeFi is a novel social experiment; for participants, each DeFi theft is an expensive lesson; for the industry as a whole, DeFi's losses are the tuition it must pay to mature.

I only hope the tuition is not too expensive.
