Massive Exploit of Balancer DeFi Protocol via V2 Pool Vulnerability
Hackers exploited a vulnerability in the Balancer DeFi protocol's V2 pools, resulting in the theft of over $120 million in cryptocurrency, with at least $99 million stolen in ETH. The attack targeted Balancer's Composable Stable Pools and was traced to either a precision rounding error in the Vault’s swap calculations or faulty access control mechanisms, allowing the attacker to manipulate token swaps and balances. Balancer confirmed that the exploit did not impact its V3 pools and has paused affected pools while working with security researchers to investigate the incident.
The company has warned users to be vigilant against phishing attempts and fraudulent messages purporting to be from its security team. Several other blockchain organizations connected to Balancer, such as the Berachain Foundation, Gnosis, Sonic, and Beefy, took emergency measures to protect user assets, including halting networks and freezing stolen funds where possible. Despite Balancer's history of multiple security audits and bug bounty programs, this incident highlights ongoing risks in DeFi protocols. A full post-mortem is expected once the investigation concludes.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Trail of Bits publishes root-cause analysis and mitigation guidance
On 2025-11-07, Trail of Bits published an analysis attributing the hack to a long-standing arithmetic edge case in Balancer v2, confirmed Balancer v3 was not affected, and issued broader defensive guidance for the DeFi ecosystem.
Public reporting discloses Balancer theft exceeding $100 million
News outlets reported on 2025-11-03 that Balancer had suffered a major DeFi exploit, with estimated losses ranging from roughly $116 million to more than $120 million.
Attackers exploit Balancer v2 rounding flaw across nine blockchains
On 2025-11-03, attackers exploited a rounding-direction vulnerability in Balancer v2’s Stable Math logic, draining more than $100 million from vulnerable Composable Stable Pools across nine blockchain networks.
Trail of Bits identifies related math issue during 2021 Balancer review
During a 2021 review of Balancer’s Linear Pools, Trail of Bits reported the same underlying arithmetic edge case later tied to the 2025 exploit, although its full exploitability was not understood at the time.
Sources
5 references tracked.
Balancer hack analysis and guidance for the DeFi ecosystem (blog.trailofbits.com)
Balancer hack analysis and guidance for the DeFi ecosystem (securityboulevard.com)
Balancer Hack Exposes $116 Million Smart Contract Vulnerability (thecyberexpress.com)
Hacker steals over $120 million from Balancer DeFi crypto protocol (bleepingcomputer.com)
More than $100 million stolen in exploit of Balancer DeFi protocol (therecord.media)


