by Frank, PANews
On 3 November, the sky of the DeFi world was ripped open. The veteran DeFi protocol Balancer saw an abnormally large outflow of funds. In the hours that followed, the entire industry watched a disaster unfold in real time, with the estimated loss climbing from the $70 million originally reported to $116.6 million, and finally settling at an alarming $128.64 million.
Behind the enormous loss lies the fact that Balancer V2 has as many as 27 “fork protocols”, all of them equally exposed to the systemic risk posed by this long-standing fatal vulnerability.
On 3 November, a blockchain security firm noticed unusual transfers out of the Balancer V2 Vault. Large amounts of WETH and liquid staking derivatives (wstETH, osETH) were moved to a newly created wallet.
The Balancer team quickly confirmed that an on-chain attack had taken place, and as monitoring continued, the final tally of losses reached $128 million. According to the Balancer team, the attack was limited to V2 Composable Stable Pools; the newer V3 architecture and other V2 pool types (e.g. Weighted Pools) were not affected.
As of 4 November, the Balancer team had not yet disclosed the specific cause of the attack. However, according to analyses by several security companies and on-chain analysts, the root cause was a “defective access control check”, an access-control check that was only partially enforced.
The attacker sent a maliciously constructed instruction to the Vault by calling the V2 protocol's manageUserBalance function. The call tricked the protocol's internal accounting into believing that “the protocol had just collected a large fee” and that “the fee belonged to the attacker”. The attacker then moved large amounts of assets to their own accounts through ordinary withdrawal requests.
From a technical point of view, the success of the attack owed less to raw technical capability than to the attacker's clever use of a logic flaw in the protocol. According to analysts, the hacker left console logs behind during the attack, and judging from these behavioural traces it is likely that the hacker used a large AI model to write and review the exploit code, thereby finding the defects the human auditors had missed.
What truly disappoints the industry is that this vulnerability went undetected across 11 audits by four different security companies: OpenZeppelin, Trail of Bits, Certora and ABDK.
Most ironically, this particular component, the “Stable Pool” (Composable Stable Pool), was specifically audited by Certora and Trail of Bits in September 2022.
As a DeFi protocol that had been live for many years and appeared to be battle-tested, Balancer V2 served as the template for as many as 27 “fork protocols”, all of which inherited the Balancer V2 logic flaw. For the hacker, the vulnerability is like holding a master key that can open, at any time, the vault of any fork that carries the same defective code.
In fact, this hacker attack spread across multiple chains. Of these, Balancer V2 (the main protocol) on the Ethereum network suffered the most, with an estimated loss of $100 million. It was followed by the BEX protocol on Berachain, with potential losses of $12.86 million. In addition, protocols on seven chains, including Arbitrum, Base and Sonic, were affected by the attack.
Faced with this catastrophe, the industry confronts a dilemma: should it insist on the “code is law” fundamentalism of decentralization and watch user funds get stolen, or should there be centralized intervention to protect users?
Berachain, the worst affected, took the most radical and controversial decision: coordinating its validator nodes and halting the entire network. By rolling back, Berachain saved more than $12 million of at-risk assets on the BEX exchange.
Of course, this inevitably sparked controversy in the community, with some asking: “Won't this completely undermine your chain's finality and security? Now it's more like a private chain than a public blockchain?” In response, Berachain's anonymous co-founder, Smokey the Bera, replied: “I think your concern is reasonable, but I believe that very extreme circumstances require extraordinary measures; we have seen similar practices in the past in cases such as Sui and Hyperliquid.”
Most community members supported this decision; after all, the damage from having a painstakingly built liquidity pool drained could be far greater than the cost to so-called “decentralization” and its ideals.
The Sonic chain activated an “on-chain account freezing mechanism” and, without halting the network, locked the attacker's wallet together with the $3.4 million inside it. Polygon's validator nodes began actively “censoring” transactions from the attacker's address.
Balancer's development history is, in fact, one of constant struggle against complex logic vulnerabilities. Balancer had been hit by hacker attacks on several occasions before, with at least five exploits between 2020 and 2025. These attacks ranged from the earliest flash loan attacks to the more complex V2 Boosted Pool vulnerability.
In previous cases, however, the losses had ranged from roughly several hundred thousand to $2 million. For Balancer, those past attacks were more of an opportunity to patch holes. This tragedy, which cost well over $100 million, has directly undermined the market's trust and confidence in Balancer.
According to DefiLlama, after the attack Balancer's TVL fell directly from $776 million to $345 million, a drop of more than half. In particular, Balancer V2 saw a direct reduction of $230 million in TVL, and forks of Balancer V2 also saw withdrawals from their pools, with Gaming DEX's TVL falling by 87 per cent in one day and Beets DEX's by 48 per cent.
Lido also stated that, although the Lido protocol had not been affected, it had withdrawn its unaffected Balancer position out of caution.
Likewise, fork protocols such as Gaming DEX stated after the incident that they had not actually been affected and had simply withdrawn most of their funds for security reasons.
For a DeFi protocol, trust is worth more than gold, especially against a history of repeated attacks. As of 4 November, according to official disclosures, StakeWise DAO had recovered more than $20 million from the hackers through multisig contracts, reducing the loss to $98 million. Meanwhile, the hackers' transfers of assets are still ongoing, and more than half has already been swapped into ETH.
This $128 million attack became a costly mandatory lesson in DeFi's growth and raises three pressing questions:
1. When 11 “gold standard” audits were unable to detect a fatal vulnerability for two years, what does “audit” actually mean?
2. When “code contagion” becomes the norm, and a vulnerability in one base protocol can wipe out 27 derivative protocols in an instant, is DeFi's composability an innovation or a curse?
3. When an emerging public chain is forced to choose between “decentralization” and “saving users”, has the “code is law” ideal given way to “pragmatic centralization”?
In the future, the security of DeFi may no longer depend solely on more audits, but rather on designing protocols that are simpler, more robust and fundamentally present a smaller attack surface. For the users who lost their trust and their capital in this event, the cost of that realization is enormous.