Balancer Vulnerability: $1M Loss Follows Warning Ignored

On 22 August, Balancer Labs, a non-custodial portfolio manager, liquidity provider, and price sensor, received reports of a critical vulnerability affecting several of its pools. At the time, no attacks had been carried out, but that has since changed.

When the vulnerability was first reported, Balancer's developers promptly issued a warning to users. They stated that certain pools had been marked as safe, promised a post-mortem once a fix was ready, and set up a portal where users could check whether their holdings were at risk. Even so, the developers advised users to temporarily withdraw funds from all pools as an added precaution.

Precaution then gave way to reality: Balancer confirmed that an actual exploit had occurred and again urged users to withdraw funds to prevent further attacks. Meir Dolev, founder and CTO of the Web3 security firm CyverAI, independently confirmed the attack.

The exploit unfolded across three DAI transactions, all traced back to the same wallet. The first and largest exceeded $600k; two subsequent, smaller transactions drained more than $250k and $85k, respectively, from the affected pools. While not as catastrophic as earlier breaches this year, it was still a significant haul for the attacker.

Balancer's community understandably reacted with disappointment, with some even suggesting that the developers should find a different industry to work in. The vulnerable smart contract, left unpatched, ultimately cost Balancer more than $970k. The promised post-mortem will now have to be reworked to cover this exploit as well, which was most likely prompted by the public disclosure of the vulnerability in the earlier warning on Balancer's forum: once a flaw is announced before a fix is deployed, users withdrawing funds are in a race with attackers studying the same announcement.

In the fast-moving world of decentralized finance, incidents like this underscore the importance of heeding developers' warnings and acting promptly to safeguard assets. As Balancer deals with the aftermath of this breach, the broader DeFi community watches and learns, reminded once more that robust security measures are essential in the evolving blockchain landscape.