Balancer Suffers Nearly $1M Exploit as Team Urges Users to Withdraw Funds

Popular decentralized exchange Balancer suffered a hack on August 27, losing close to $1 million.

The exploit came less than a week after the team disclosed a “critical vulnerability.” On August 22, the Balancer team asked the liquidity providers (LPs) on the exchange to withdraw funds from certain pools that were exposed to the vulnerability.

The Balancer team acknowledged the hack this morning, saying they are “aware of an exploit related to the vulnerability.”

Meir Dolev, founder and CTO of crypto security firm Cyvers, identified the hacker's Ethereum address, which received three transfers of DAI stablecoin totaling approximately $979,420 since Sunday.

The last transfer was made at around 6:30 pm Sunday ET, a few hours after Balancer’s tweet about the exploit went out. Dolev added that the “attacker continues with his operation.”

Blockchain security firm Beosin tweeted that the exploit was carried out through “multiple flash loan attacks.”

In a flash loan attack, an attacker borrows a large amount of cryptocurrency from a DeFi platform, uses those funds to manipulate affected pools and siphon funds from them, and then repays the loan in the same transaction.

The Balancer team did not immediately respond to Decrypt’s request for comment.

Balancer risks abound

On August 25, the Balancer team stated that only “0.08% of total TVL ($565,199)” was still at risk as most LPs had withdrawn from the affected pools.

The hackers have, however, stolen over $900,000, an amount higher than the one mentioned by the team.

Analysts at blockchain security firm BlockSec told Decrypt that “we checked the attacked pools and found that these are in the list” mentioned by the Balancer team last week.

Balancer had mentioned that only boosted pools across eight blockchains were affected by the vulnerability. Boosted pools are a type of liquidity pools that amplify the yields for liquidity providers by lending a portion of the liquidity in other apps such as Aave.

BlockSec sleuths added that differences in token valuations may arise from “the differences between the calculation of token value—especially with the tokens with little liquidity.”

Beosin analysts also told Decrypt that while the hacked amount exceeded the amount mentioned by the team, the exploit happened in boosted pools mentioned by the team.

The Balancer team has repeatedly mentioned that withdrawal is the only way to protect the funds. Moreover, they also locked access to the pools enabling withdrawals through a dedicated user interface.

However, the attackers are relentless in their efforts to steal funds while the liquidity providers delay in withdrawing funds.