- The DeFi hack took place just a few days after the protocol publicly disclosed a vulnerability that compromised its fortified pools.
- The protocol’s team immediately addressed the situation by acknowledging the exploit related to the disclosed vulnerability.
Balancer, the Ethereum [ETH]based decentralized finance [DeFi] protocol, fell victim to an exploit that resulted in a loss of nearly $900,000. This incident took place just a few days after the protocol publicly disclosed a vulnerability affecting the fortified pools. The protocol itself confirmed the exploit and subsequent loss on social media platform X (formerly Twitter) on August 27.
Balancer is aware of an exploit related to the vulnerability below.
Mitigation procedures have drastically reduced the risks, but cannot interrupt the affected pools.
To prevent further exploits, users must withdraw from affected LPs.https://t.co/PDzX32gqeS https://t.co/b4CSqVFbDg
— Balancer (@Balancer) August 27, 2023
Blockchain security expert Meier Dolev identified an Ethereum address allegedly linked to the attacker. This address received two substantial transfers of Dai stablecoin, totaling $636,812 and $257,527, respectively, ultimately bringing more than $893,978 to the attacker.
The attacker continues its operation, impacting approximately $900,000 and moving more than $600,000 to this address
0xB23711b9D92C0f1c7b211c4E2DC69791c2df38c1 pic.twitter.com/inNqH4zel2— Meir Dolev (@Meir_Dv) August 27, 2023
Attack shortly after revealing the vulnerability in fortified pools
The protocol’s team immediately addressed the situation by acknowledging the exploit related to the disclosed vulnerability. While they had taken mitigation measures to significantly reduce the risks, they also made it clear that it was not possible to shut down the affected pools.
To prevent further breaches, the team advised users to withdraw from affected liquidity pools.
Balancer disclosed the affected critical vulnerability on August 22. This led to an urgent call for users to withdraw funds from liquidity providers, leading to the temporary suspension of pools.
The vulnerability posed a threat to assets deployed across platforms. These include Ethereum, Polygon [MATIC]arbitration [ARB)]Optimism [OP]Avalanche [AVAX]Gnosis [GNO]Phantom [FTM]and zkEVM.
Balancer has received a critical vulnerability report affecting a number of V2 pools.
Emergency mitigation procedures have been put in place to secure a majority of the TVL, but some funds remain at risk.
Users are advised to withdraw affected LPs immediately.https://t.co/PDzX32gqeS pic.twitter.com/F1f649Wz3L
— Balancer (@Balancer) August 22, 2023
When the vulnerability was discovered, the risk assessment initially showed that only 1.4% of total assets were exposed, totaling more than $5 million. However, as of August 24, the risk still remained significant, with at least $2.8 million remaining vulnerable, accounting for 0.42% of the total locked value.
Balancer has issued a warning to its users on X, advising them on the status of their funds in various pools. They underlined that funds within the moderate pools labeled as “mitigated” were categorized as safe.
Nevertheless, users were strongly advised to consider migrating to more secure pools or initiating withdrawals. Pools that remained susceptible were flagged as “at risk,” prompting LPs involved in those pools to leave immediately.
The protocol was closely intertwined with its implementation on the Optimism network in June of the previous year. This implementation was intended to improve user functionality while reducing transaction costs, making it more accessible and cost-effective for participants.