Five years, six hacks, and now a loss exceeding $100 million: the history of hackers targeting the old-school DeFi protocol Balancer.

19 hours ago

For bystanders, DeFi is a novel social experiment; for participants, DeFi hacks are an expensive lesson.

Written by: David, Deep Tide TechFlow

When it rains, it pours; hackers seem to pick the downturns.

In the recent environment of a sluggish cryptocurrency market, established DeFi protocols have suffered another heavy blow.

On November 3, on-chain data indicated that the protocol Balancer was suspected to have been hacked. Approximately $70.9 million in assets were transferred to a new wallet, including 6,850 osETH, 6,590 WETH, and 4,260 wstETH.

Subsequently, according to Lookonchain's monitoring of the related wallet addresses, the total loss from the attack on the protocol rose to $116.6 million.

The Balancer team stated after the incident:

"We have identified a potential vulnerability affecting Balancer v2 pools, and our engineering and security teams are investigating this incident as a high priority. We will share verified updates and follow-up measures once we have more information."

Additionally, the official statement offered 20% of the stolen assets as a white-hat bounty for their return, valid for 48 hours.

The response was timely, but also very much by the book.

However, if you are a veteran DeFi player, the headline "Balancer Hacked" would not surprise you; it would give you a strange sense of déjà vu.

As an established DeFi protocol founded in 2020, Balancer has experienced six security incidents over the past five years, averaging one hacker visit per year, and this time happens to be the largest amount stolen.

Looking back at history, when market conditions make trading extremely difficult, earning yield through DeFi is very likely not safe either.

June 2020: Deflationary Token Vulnerability, Loss of Approximately $520,000

In March 2020, Balancer entered the DeFi world with the innovative concept of "flexible automated market makers." However, just three months later, this ambitious protocol faced its first nightmare.

Attackers exploited a vulnerability in the protocol's handling of deflationary tokens, resulting in a loss of approximately $520,000.

The basic principle was that a token called STA automatically burned 1% of every transfer as a transaction fee.

The attacker borrowed 104,000 ETH via a dYdX flash loan and then traded back and forth between STA and ETH 24 times. Because Balancer credited the nominal transfer amount rather than the balance it actually received after each transfer, the STA in the pool was eventually depleted to just 1 wei. The attacker then took advantage of the severe price imbalance to exchange a small amount of STA for a large amount of ETH, WBTC, LINK, and SNX.
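The accounting mismatch described above can be reproduced in a few lines. The following is an added illustration, not Balancer's or STA's code: a constructed fee-on-transfer token that burns 1% per transfer, and a simplified pool that either trusts the caller-supplied `amount` (the naive pattern) or measures its own balance before and after the transfer (the standard mitigation). The token name, account names and amounts are constructed.

```python
"""Constructed simulation of fee-on-transfer accounting in an AMM pool.

Added illustration, not Balancer's or STA's code. The token burns FEE_BPS of
every transfer; the pool either credits the nominal `amount` (naive) or the
measured balance delta (hardened). All names and numbers are constructed.
"""

FEE_BPS = 100      # 1% burned on every transfer, in basis points
BPS = 10_000


class DeflationaryToken:
    """Token that burns FEE_BPS of each transfer before crediting the receiver."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def balance_of(self, account):
        return self.balances.get(account, 0)

    def transfer(self, sender, receiver, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        burned = amount * FEE_BPS // BPS
        self.balances[sender] -= amount
        self.balances[receiver] = self.balance_of(receiver) + (amount - burned)
        return amount - burned


class Pool:
    """Single-token pool keeping an internal record of what it believes it holds."""

    def __init__(self, token, measure_delta):
        self.token = token
        self.measure_delta = measure_delta
        self.recorded = 0  # the pool's own view of its holdings

    def deposit(self, user, amount):
        if self.measure_delta:
            # Hardened: credit only what actually arrived.
            before = self.token.balance_of("pool")
            self.token.transfer(user, "pool", amount)
            received = self.token.balance_of("pool") - before
        else:
            # Naive: credit the nominal amount, ignoring the burn.
            self.token.transfer(user, "pool", amount)
            received = amount
        self.recorded += received
        return received

    def accounting_gap(self):
        """Recorded minus actual holdings; anything above zero is phantom liquidity."""
        return self.recorded - self.token.balance_of("pool")


def simulate(measure_delta, deposits=5, amount=10_000):
    """Run `deposits` deposits and return (recorded, actual, gap)."""
    token = DeflationaryToken({"alice": deposits * amount})
    pool = Pool(token, measure_delta)
    for _ in range(deposits):
        pool.deposit("alice", amount)
    return pool.recorded, token.balance_of("pool"), pool.accounting_gap()


if __name__ == "__main__":
    print("naive   :", simulate(measure_delta=False))
    print("hardened:", simulate(measure_delta=True))
```

The gap returned by the naive variant is exactly the phantom balance the pool would later price swaps against; a periodic reconciliation of `recorded` against the token's reported balance is the cheapest detection for this class of bug.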

March 2023: Euler Incident Affected, Loss of Approximately $11.9 Million

This time, Balancer was an indirect victim.

Euler Finance suffered a $197 million flash loan attack, and Balancer's bb-e-USD pool was implicated due to holding Euler's eToken.

When Euler was attacked, approximately $11.9 million was transferred from Balancer's bb-e-USD pool to Euler, accounting for 65% of that pool's TVL. Although Balancer urgently paused the related pools, the loss had already occurred and could not be recovered.

August 2023: Balancer V2 Pool Precision Vulnerability, Loss of Approximately $2.1 Million

This attack actually had warning signs. On August 22 of that year, Balancer proactively disclosed the vulnerability and urged users to withdraw their funds, but the attack still occurred five days later.

The vulnerability involved a rounding error in the V2 Boosted Pool. The attacker manipulated the calculations so that the supply of BPT (Balancer Pool Token) was miscalculated, allowing them to extract assets from the pool at an improper exchange rate. The attack was completed through multiple flash loan transactions, with different security firms estimating the losses to range from $979,000 to $2.1 million.
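The general defence against the class of bug described above is to round every pool-token calculation in the pool's favour, so that a join followed by an exit can never return more than was deposited. The following is an added illustration in 18-decimal fixed point, not Balancer's pool code; the helper names `mul_down`, `mul_up`, `div_down` and `div_up` and the proportional join/exit formulas are assumptions chosen for the demonstration.

```python
"""Constructed demonstration of rounding direction in pool-token (BPT) math.

Added illustration, not Balancer's code. Assumes 18-decimal fixed point and a
purely proportional join/exit: bpt_out = supply * amount_in / balance and
tokens_out = balance * bpt_in / supply. `favor_pool=True` rounds every step
against the user; `favor_pool=False` rounds in the user's favour.
"""

ONE = 10**18  # 18-decimal fixed-point unit


def mul_down(a, b):
    return a * b // ONE


def mul_up(a, b):
    product = a * b
    return 0 if product == 0 else (product - 1) // ONE + 1


def div_down(a, b):
    return a * ONE // b


def div_up(a, b):
    return 0 if a == 0 else (a * ONE - 1) // b + 1


def bpt_out_for_join(bpt_supply, pool_balance, amount_in, favor_pool):
    """BPT minted for a proportional deposit."""
    if favor_pool:
        return mul_down(bpt_supply, div_down(amount_in, pool_balance))
    return mul_up(bpt_supply, div_up(amount_in, pool_balance))


def tokens_out_for_exit(bpt_supply, pool_balance, bpt_in, favor_pool):
    """Tokens returned for burning `bpt_in` BPT."""
    if favor_pool:
        return mul_down(pool_balance, div_down(bpt_in, bpt_supply))
    return mul_up(pool_balance, div_up(bpt_in, bpt_supply))


def round_trip_gain(bpt_supply, pool_balance, amount_in, favor_pool):
    """Net tokens a user gains (positive) or loses (negative) from join-then-exit."""
    bpt = bpt_out_for_join(bpt_supply, pool_balance, amount_in, favor_pool)
    new_supply, new_balance = bpt_supply + bpt, pool_balance + amount_in
    out = tokens_out_for_exit(new_supply, new_balance, bpt, favor_pool)
    return out - amount_in


def worst_case_gain(favor_pool, limit=20):
    """Largest round-trip gain over a small grid of pool states (constructed)."""
    return max(
        round_trip_gain(s, b, a, favor_pool)
        for s in range(1, limit + 1)
        for b in range(1, limit + 1)
        for a in range(1, limit + 1)
    )


if __name__ == "__main__":
    print("favor pool, worst user gain:", worst_case_gain(True))   # never > 0
    print("favor user, worst user gain:", worst_case_gain(False))  # pool leaks
```

With floor rounding at every step the share minted is at most the exact share, so the exit can never pay out more than the deposit; with ceiling rounding the extremes of the grid already leak a wei per round trip, and a flash loan turns a wei into whatever the loop budget allows.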

September 2023: DNS Hijacking Attack, Loss of Approximately $240,000

This was a social engineering attack, targeting traditional internet infrastructure rather than smart contracts.

Hackers breached the domain registrar EuroDNS through social engineering and hijacked the balancer.fi domain. Users were redirected to a phishing site that used the Angel Drainer malicious contract to trick them into approving token transfers.

The attackers then laundered the stolen funds through Tornado Cash.

Although this incident was not the fault of Balancer's contracts, the protocol's high profile makes it a natural phishing target, which is hard to guard against.

June 2024: Velocore Hacked, Loss of Approximately $6.8 Million

Velocore is an independent project, and its hack was not directly Balancer's problem. However, as a fork of Balancer, Velocore used the same CPMM (Constant Product Market Maker) pool design, so there is a lineage connection: the theft happened elsewhere, but the mechanism was rooted in Balancer.

The sequence of events was that the attacker exploited an overflow vulnerability in Velocore's Balancer-style CPMM pool contract, pushing the fee multiplier above 100% and thereby corrupting the pool's calculations.

The attacker ultimately stole approximately $6.8 million through a flash loan combined with carefully constructed withdrawal operations.

November 2025: Latest Attack, Loss Exceeding $100 Million

The technical principles of this attack have been preliminarily clarified. According to security researchers, the vulnerability lies in the access control checks of the manageUserBalance function in the Balancer V2 protocol, that is, in user permission checks.

According to analyses from the security monitoring firms Defimon Alerts and Decurity, when validating withdrawal permissions in Balancer V2 the system was supposed to verify that the caller was the true owner of the account, but the code incorrectly checked whether msg.sender (the actual caller) was equal to the op.sender parameter supplied by the user.

Since op.sender is a user-controllable input parameter, attackers could easily impersonate any identity, bypass permission verification, and execute the WITHDRAW_INTERNAL operation.

In simpler terms, this vulnerability allowed anyone to impersonate any account owner and directly withdraw internal balances. Such a fundamental access control error is more akin to a basic mistake, and its occurrence in a mature protocol running for five years is quite surprising.
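The principle at stake in this description is that authorization must be derived from the transaction's actual caller (msg.sender), never from an identity field the caller supplies. The following is an added illustration and not Balancer's Vault code: a constructed internal-balance ledger whose withdraw path has a vulnerable variant that trusts the operation's `sender` field on its own, and a hardened variant that requires the caller to be that account or a relayer the account has explicitly approved. The class names, the `msg_sender` argument standing in for msg.sender, and the account names are all assumptions.

```python
"""Constructed model of internal-balance withdrawals with caller-based authorization.

Added illustration, not Balancer's code. `msg_sender` stands in for the EVM's
msg.sender; `UserBalanceOp.sender` is the account the caller *claims* to act
for, which is exactly the field a caller controls. Names are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserBalanceOp:
    kind: str        # only "WITHDRAW_INTERNAL" is modelled
    sender: str      # account the operation claims to act on behalf of
    recipient: str   # where the withdrawn funds go
    amount: int


class NotAuthorized(Exception):
    pass


class Vault:
    def __init__(self, balances):
        self.internal = dict(balances)          # account -> internal balance
        self.relayer_approvals = set()          # (user, relayer) pairs

    def set_relayer_approval(self, msg_sender, relayer, approved):
        # Only the user themselves can grant or revoke a relayer; keyed on the caller.
        pair = (msg_sender, relayer)
        self.relayer_approvals.add(pair) if approved else self.relayer_approvals.discard(pair)

    def _authenticate_for(self, msg_sender, user):
        """Hardened rule: caller must be the user or a relayer the user approved."""
        if msg_sender == user or (user, msg_sender) in self.relayer_approvals:
            return
        raise NotAuthorized(f"{msg_sender} may not act for {user}")

    def _withdraw(self, op):
        if op.kind != "WITHDRAW_INTERNAL":
            raise ValueError("unsupported op")
        if self.internal.get(op.sender, 0) < op.amount:
            raise ValueError("insufficient internal balance")
        self.internal[op.sender] -= op.amount
        self.internal[op.recipient] = self.internal.get(op.recipient, 0) + op.amount

    def manage_user_balance_unsafe(self, msg_sender, op):
        """Vulnerable: authorization keyed on op.sender alone; msg_sender is ignored."""
        self._withdraw(op)

    def manage_user_balance(self, msg_sender, op):
        """Hardened: bind the claimed account to the actual caller first."""
        self._authenticate_for(msg_sender, op.sender)
        self._withdraw(op)


def run_scenario(hardened):
    """Constructed scenario: 'mallory' tries to withdraw 'alice's internal balance."""
    vault = Vault({"alice": 100})
    op = UserBalanceOp("WITHDRAW_INTERNAL", sender="alice", recipient="mallory", amount=100)
    try:
        if hardened:
            vault.manage_user_balance("mallory", op)
        else:
            vault.manage_user_balance_unsafe("mallory", op)
        outcome = "withdrawn"
    except NotAuthorized:
        outcome = "rejected"
    return outcome, vault.internal.get("alice", 0), vault.internal.get("mallory", 0)


def run_relayer_scenario():
    """Constructed scenario: alice approves a relayer, which then withdraws for her."""
    vault = Vault({"alice": 100})
    vault.set_relayer_approval("alice", "relayer", True)
    op = UserBalanceOp("WITHDRAW_INTERNAL", sender="alice", recipient="alice-eoa", amount=40)
    vault.manage_user_balance("relayer", op)
    return vault.internal["alice"], vault.internal["alice-eoa"]


if __name__ == "__main__":
    print("unsafe  :", run_scenario(hardened=False))
    print("hardened:", run_scenario(hardened=True))
    print("relayer :", run_relayer_scenario())
```

The detection angle follows from the same distinction: any WITHDRAW_INTERNAL whose transaction origin differs from the account being debited, and for which no prior relayer approval event exists, is the anomaly to alert on.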

Reflections on the History of Hacker Visits

What can we learn from this "history of hacker visits"?

My feeling is that DeFi protocols in the crypto world are like "something to be admired from a distance but not to be trifled with." From afar everything looks calm, but dig deeper and there is a great deal of technical debt hidden behind the narrative that still has to be repaid.

Take Balancer: one of this established DeFi protocol's innovations is the ability to create mixed pools with customizable weights for up to eight tokens.

Compared to Uniswap's simple design, Balancer's complexity grows exponentially.

With each additional token, the state space of the pool expands dramatically. When you try to balance the prices, weights, and liquidity of eight different tokens in a pool, the attack surface also expands. The deflationary token attack in 2020 and the rounding error vulnerability in 2023 are essentially both due to improper handling of boundary conditions brought about by complexity.

What’s more concerning is that Balancer has chosen a path of rapid iteration for development. From V1 to V2, and then to various Boosted Pools, each upgrade adds new features on top of old code. This accumulation of "technical debt" has turned the codebase into a fragile tower of blocks.

Take the recent attack caused by a permission check: such a basic design error should not exist in a protocol that has been running for five years, which perhaps indicates that the project's code maintenance has slipped out of control.

Or perhaps, in a time when narrative, profit, and emotion outweigh technology, whether the underlying code has vulnerabilities has become less important.

Balancer certainly will not be the last; you never know when the next black swan, built up by the many layers of DeFi composability, will arrive. The complex web of dependencies in the DeFi world makes risk assessment nearly impossible.

Even if you trust Balancer's code, can you trust all its integrations and partners?

For bystanders, DeFi is a novel social experiment; for participants, DeFi hacks are an expensive lesson; for the entire industry, the soundness of DeFi is the tuition that must be paid for maturity.

Let’s just hope this tuition isn’t too expensive.

Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes your rights, please send proof of the rights and proof of identity by e-mail to support@aicoin.com, and the platform's staff will verify it.
