Balancer Hack 2025: $128M Exploit and DeFi's Systemic Risks Exposed
The Balancer hack 2025 has sent shockwaves through the DeFi ecosystem, with a $128 million exploit targeting its V2 composable stable pools, highlighting vulnerabilities in liquidity management and raising urgent questions about audit limitations and protocol interoperability.
The Balancer Hack: $128 Million Drained from V2 Pools
On November 3, 2025, Balancer V2 suffered a devastating breach, losing $128 million across seven chains, including Ethereum ($100 million), Arbitrum ($8 million), Base ($3.95 million), Sonic ($3.4 million), Optimism ($1.57 million), Polygon ($230,000), and others. The attack exploited a flawed access control check in the manageUserBalance function, letting hackers impersonate fee owners to siphon assets like WETH, wstETH, and osETH. This isn’t Balancer’s first incident—previous exploits underscore the risks of long-lived contracts, with TVL now halved to $1.2 billion and forked protocols facing massive outflows.
Attack Mechanics: Flawed Access Control and Impersonation
The exploit hinged on a defective validation in Balancer’s Vault contract, where attackers crafted malicious instructions to bypass ownership checks. Using UserBalanceOpKind.WITHDRAW_INTERNAL, they deceived the system into unauthorized withdrawals, manipulating callbacks to execute swaps without permissions. Security firms like PeckShield confirmed no private key leaks—it was a pure smart contract flaw, exploiting interconnected pools for rapid drainage. This “butterfly effect” cascaded to forked protocols, amplifying systemic risks in DeFi’s composability model.
Systemic Risks: 27 Forks and Multi-Chain Fallout
Balancer V2’s vulnerability rippled to 27 forked protocols, impacting Ethereum, Berachain, and others, prompting emergency responses like chain halts and position withdrawals. Berachain paused its network for a hard fork, disabling bridges and halting USDe deposits, while Sonic froze hacker wallets. The incident exposed audit gaps—despite reviews by Certora and OpenZeppelin—blending privacy with scalability, and fueling debates on decentralization vs. user protection. With $150 billion+ TVL, such exploits could trigger $1B+ in collateral calls, underscoring DeFi’s fragility.
Industry Response: Halts, Audits, and Controversies
The breach sparked immediate action:
Debates rage on “decentralization’s cost,” with Hal Finney’s heirs and analysts arguing halts undermine trust, while others praise user safety. The hacker’s address, linked to $128M, continues laundering via Mixero, with $17M swapped to ETH/USDC.
Historical Context: Balancer’s Vulnerability Legacy
Balancer, a 2017 AMM pioneer, has faced multiple exploits, including 2022’s $600K drain and 2021’s $5M loss, despite audits. The V2 flaw, in a 2021 contract, exposes long-lived code’s risks, setting DeFi back 6-12 months per experts. Forked protocols like Velodrome and Solidly face similar threats, underscoring composability’s double-edged sword.
Deeper Reflections: Auditing Limits and DeFi’s Dilemma
The hack exposes:
It calls for modular designs, real-time monitoring, and ZK proofs for verifiable access.
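A monitoring check for the ownership rule described under Attack Mechanics, as an added example that is not from the article or from Balancer's code: it flags WITHDRAW_INTERNAL operations whose caller is neither the debited account nor a relayer that account approved. The record layout, rule names, caps and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

WITHDRAW_INTERNAL = "WITHDRAW_INTERNAL"  # operation kind named in the article

@dataclass(frozen=True)
class BalanceOp:
    # One decoded manageUserBalance operation; this field layout is an assumption.
    tx: str
    caller: str     # account that sent the call
    kind: str
    sender: str     # account whose internal balance is debited
    recipient: str
    asset: str
    amount: int

def audit_ops(ops, relayers, fee_accounts, fee_recipients, outflow_cap):
    """Return sorted (tx, reason) alerts; address sets must hold lowercase strings."""
    alerts = set()
    outflow = defaultdict(int)  # (recipient, asset) -> running total in this batch
    for op in ops:
        if op.kind != WITHDRAW_INTERNAL:
            continue
        caller, sender, rcpt = (a.lower() for a in (op.caller, op.sender, op.recipient))
        # Rule 1: only the balance owner, or a relayer it approved, may debit it.
        if caller != sender and (sender, caller) not in relayers:
            alerts.add((op.tx, "caller-not-owner"))
        # Rule 2: fee-holding accounts pay out only to allowlisted recipients.
        if sender in fee_accounts and rcpt not in fee_recipients:
            alerts.add((op.tx, "fee-account-outflow"))
        # Rule 3: cumulative outflow per recipient and asset stays under a cap.
        outflow[(rcpt, op.asset)] += op.amount
        if outflow[(rcpt, op.asset)] > outflow_cap.get(op.asset, float("inf")):
            alerts.add((op.tx, "outflow-cap-exceeded"))
    return sorted(alerts)

# Constructed sample records (not real transactions or addresses).
SAMPLE_OPS = [
    BalanceOp("tx1", "0xUser1", WITHDRAW_INTERNAL, "0xuser1", "0xuser1", "WETH", 5),
    BalanceOp("tx2", "0xRelay", WITHDRAW_INTERNAL, "0xuser2", "0xuser2", "WETH", 7),
    BalanceOp("tx3", "0xOther", WITHDRAW_INTERNAL, "0xfees", "0xother", "WETH", 60),
    BalanceOp("tx4", "0xOther", WITHDRAW_INTERNAL, "0xfees", "0xother", "WETH", 50),
    BalanceOp("tx5", "0xOther", "DEPOSIT_INTERNAL", "0xother", "0xother", "WETH", 9),
]

def demo():
    # 0xrelay is approved by 0xuser2; 0xfees may only pay 0xtreasury.
    return audit_ops(SAMPLE_OPS, relayers={("0xuser2", "0xrelay")},
                     fee_accounts={"0xfees"}, fee_recipients={"0xtreasury"},
                     outflow_cap={"WETH": 100})
```

Calling `demo()` raises no alert for the owner's own withdrawal (tx1) or the approved relayer (tx2), and flags tx3 and tx4, with tx4 also crossing the cumulative outflow cap.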