The once-billion-dollar DeFi platform Balancer has fallen victim to a smart contract exploit. Attackers siphoned off approximately 128 million USD worth of assets across multiple blockchain networks.
The attack primarily targeted the protocol’s “V2 Composable Stable Pools.” The exploit spanned several networks, including Ethereum, Arbitrum, Base, Polygon, and Berachain. That a battle-tested protocol with multiple audits, which once held billions in assets, could still harbor such a severe vulnerability is a serious setback for trust in the DeFi sector.
The technical process
The attackers exploited a vulnerability in the pools’ invariant mechanism: by executing multiple swaps within a single transaction, they artificially suppressed the internal value of the pool token (BPT). They then bought the undervalued pool tokens and quickly converted them into the underlying assets. Balancer confirmed that version V3 of the pools was not affected.
Estimates of the losses vary: security firms report around 128.6 million USD, with approximately 99.6 million USD stolen on Ethereum alone. Shortly after the exploit became public, the Total Value Locked (TVL) on Balancer dropped sharply from over 700 million USD to below 350 million USD.
Implications for DeFi
The attackers exploited a vulnerability in the re-entrancy mechanism of certain Balancer pools that had gone undetected despite multiple audits. This flaw enabled them to repeatedly drain liquidity from the affected smart contracts through complex transaction chains. Notably, Balancer had already experienced similar, though smaller, security issues in 2023 and 2024, reigniting the debate about the effectiveness of smart contract audits.
Even extensive audits offer no guarantee against exploits. Balancer had undergone several security reviews by reputable firms, yet this did not protect the protocol from a targeted attack exploiting a complex invariant vulnerability.
Following the incident, the Balancer team acted immediately, placing all affected smart contracts into “pause mode” to prevent further outflows. The community was informed at the same time via an official security update, in which developers confirmed that only pools from the V2 generation were impacted. Several leading blockchain security firms, including PeckShield and BlockSec, promptly began on-chain analyses of the attackers’ addresses.