Update Nov. 3, 10:42 am UTC: This article has been updated to include a section on Berachain’s emergency hard fork.

Update Nov. 3, 9:47 am UTC: This article has been updated to add the latest figures, Balancer’s white hat bounty offer and comments from Nicolai Sondergaard, research analyst at Nansen.

Update Nov. 3, 9:21 am UTC: This article has been updated to include a section on the Balancer flash loan attack from 2020.

The decentralized exchange (DEX) and automated market maker (AMM) Balancer has been exploited, with more than $116 million worth of digital assets transferred to a newly created wallet.

“We’re aware of a potential exploit impacting Balancer v2 pools. Our engineering and security teams are investigating with high priority,” the Balancer team said in a Monday X post, adding that it will share more updates as information becomes available.

Onchain data initially showed that the decentralized finance (DeFi) protocol was exploited for $70.9 million worth of liquid staked Ether (ETH) tokens transferred to a fresh wallet across three transactions, according to Etherscan logs.

The transfers included 6,850 StakeWise Staked ETH (OSETH), 6,590 Wrapped Ether (WETH) and 4,260 Lido wstETH (wSTETH), crypto intelligence platform Nansen said in a Monday X post.

By 8:52 am UTC on Monday, the ongoing exploit had swelled to over $116.6 million in stolen funds, according to blockchain data platform Lookonchain.

Source: Lookonchain

The Balancer exploit may stem from smart contract issues that had a “faulty access check allowing the attacker to send a command to withdraw funds,” Nicolai Sondergaard, research analyst at Nansen, told Cointelegraph, adding:

“From what I see, losses are now greater than $100 million and have affected Balancer v2 + various forks.”
Source: Nansen


Balancer offers a 20% white hat bounty for return of the funds

Aiming to recover the funds, the team behind Balancer offered a white hat bounty of up to 20% of the stolen funds if the full amount, minus the reward, is returned immediately. 

If the funds are not returned within the next 48 hours, Balancer stated that it will continue to cooperate with blockchain forensics specialists and law enforcement agencies to identify the perpetrator.

“Our partners have a high degree of confidence you will be identified from access-log metadata collected by our infrastructure, indicating connections from a defined set of IP addresses/ASNs and associated ingress timestamps that correlate with the transaction activity on chain,” said Balancer in a blockchain transaction note on Monday.

Balancer white hat bounty offer. Source: Etherscan.io

Two years ago, Balancer suffered a domain name system (DNS) attack on its front-end website, the protocol revealed at the time. Hackers redirected the website’s users to a phishing site associated with malicious smart contracts designed to steal user funds.

About $238,000 worth of digital assets were stolen during the phishing attack, according to blockchain sleuth ZachXBT.

In August 2023, Balancer also suffered an almost $1 million stablecoin exploit, just a week after the protocol disclosed a “critical vulnerability” related to some of its liquidity pools.

In June 2020, Balancer was hacked for $500,000 worth of Ether and other tokens in a flash loan attack based on the Statera (STA) deflationary token, in which 1% of every transaction is automatically burned.

Berachain orchestrates emergency network halt after Balancer exploit

Validators behind the Berachain blockchain have rushed to halt the network to perform an emergency update, or hard fork, following the Balancer exploit.

Source: Berachain Foundation

The emergency hard fork aims to address the Balancer exploit related to specific assets on Berachain’s native DEX, wrote the Berachain Foundation in a Monday X post, adding:

“This halt has been executed purposefully, and the network will be operational shortly upon recovering all affected funds.”

“Given that it affected non-native assets (not just BERA), the rollback/rollforward involves more than a simple hardfork, hence the halt as a full solution is finalized,” added the foundation.
