Hacker steals over $120 million from Balancer DeFi crypto protocol

The Balancer Protocol announced that hackers had targeted its v2 pools, with losses reportedly estimated to be more than $128 million.

Balancer is a decentralized finance (DeFi) protocol built on the Ethereum blockchain as an automated market maker and liquidity infrastructure layer.

It provides flexible pools with custom token mixes, allowing users to deposit assets, earn fees, and let traders swap assets, and it is governed by the BAL token, which had a market cap of $65 million right before the incident.

Balancer has not shared many details about the incident but warned users to be cautious against potential scams or phishing attempts.

Balancer confirmed today that an exploit affected its V2 Compostable Stable Pools at 7:48 AM UTC and that the issue does not impact any other Balancer pools, including V3.

"Our team is working with leading security researchers to understand the issue," the company said in an update a few hours ago.

According to GoPlus Security, the Balancer V2 exploit stemmed from a precision rounding error in the Vault’s swap calculations.

Each swap operation rounded down token amounts, creating tiny discrepancies that the attacker could repeatedly exploit. By chaining multiple swaps through the batchSwap function, those rounding losses compounded into a large price distortion.

Normalizing token amounts using scaling factors
Source: GoPlus Security

However, other users claiming to know what happened attribute the hack to improper authorization and callback handling inside Balancer’s V2 vaults.

According to Aditya Bajaj, a maliciously deployed contract manipulated vault calls during pool initialization, effectively bypassing safeguards and enabling unauthorized swaps and balance manipulations across interconnected pools.

While there is no agreement on the attack method yet, Balancer promised to share more details about the hack "and a full post-mortem as soon as possible."

It is worth noting that Balancer V2 has been audited 11 times since 2021, with varying examination scopes.

Attempt to trick the hacker

Meanwhile, it appears that someone tried to take advantage of the situation by impersonating Balancer and offering the hacker a "white-hat bounty" of 20% of the stolen amount if they agreed to return the rest of the funds to a specific address.

The phishing message is well-written and checks the tricks to appear credible, including the reward, a deadline, and a threat, all part of a negotiation pressing for immediate cooperation.

If the hacker refuses the deal, the fraudster impersonating Balancer threatens to use all information they have from blockchain forensics experts, law enforcement agencies, and regulatory partners to identify and prosecute the attacker.

“Our partners have a high degree of confidence you will be identified from access-log metadata collected by our infrastructure, indicating connections from a defined set of IP addresses/ASNs and associated ingress timestamps that correlate with the transaction activity on chain,” concludes the fraudulent message.

The Balancer hack is one of the largest cryptocurrency heists in 2025. Although there is no attribution, the greatest threat to DeFi entities is North Korean hackers.

As of October 3, the amount of cryptocurrency linked to North Korean thefts this year had exceeded $2 billion, with the largest by far being the Bybit attack in February, when they stole $1.5 billion in cryptocurrency.