$116M in funds stolen from Balancer

DeFi protocol Balancer has been exploited for a total of $116.6M, and the amount is surging quickly. Stay safe and secure your funds.
The attacker whitelisted their own exploit by calling a protected function called WITHDRAW_INTERNAL. The code that was supposed to stop them was basically checking the attacker’s ID against a value they could set themselves.
So who was affected? Anyone who was providing liquidity in Balancer’s V2 pools. Those providing liquidity to V3 pools are safe. Keep in mind that any app or website that was using Balancer’s contracts has also been affected.
This is also bad news for Aave as most of their liquidity sits inside Balancer’s pools. However, Aave’s founder says they are safe.
Received bunch of DMs
To the best of our current knowledge, zero exposure or issue on StkBPT (Aave/stETH liquidity)
Aave users are safu, there’s nothing to do.
Stay safe out there friends.
All my support to balancer team.
— Marc ”七十 Billy” Zeller 👻 🦇🔊 (@lemiscate) November 3, 2025
Again, the root cause was a faulty access check in the manageUserBalance function: it validated the caller against a sender value the attacker supplied themselves, which let the attacker bypass the check.
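The flawed check pattern described above, next to a hardened form, as an added example. It is not Balancer's code: ToyVault, WithdrawOp, withdrawFlawed, withdrawChecked and approvedRelayer are hypothetical names, and the tautological comparison is an assumed reading of "validating against their own supplied sender".

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Toy internal-balance vault (hypothetical model, not Balancer's contracts).
contract ToyVault {
    struct WithdrawOp {
        address sender;            // account to debit, chosen by the caller
        address payable recipient; // where the ether is sent
        uint256 amount;
    }

    mapping(address => uint256) public internalBalance;
    // owner => relayer => allowed to act for owner
    mapping(address => mapping(address => bool)) public approvedRelayer;

    function deposit() external payable {
        internalBalance[msg.sender] += msg.value;
    }

    function setRelayerApproval(address relayer, bool approved) external {
        approvedRelayer[msg.sender][relayer] = approved;
    }

    // FLAWED: the identity being "verified" is read from the same
    // caller-controlled struct it is compared with, so the check always passes.
    function withdrawFlawed(WithdrawOp calldata op) external {
        address claimed = op.sender;
        require(claimed == op.sender, "sender mismatch"); // tautology
        _debitAndSend(op);
    }

    // HARDENED: identity comes from msg.sender, which the caller cannot forge;
    // acting for another account requires that account's prior approval.
    function withdrawChecked(WithdrawOp calldata op) external {
        require(
            msg.sender == op.sender || approvedRelayer[op.sender][msg.sender],
            "caller not authorized for sender"
        );
        _debitAndSend(op);
    }

    function _debitAndSend(WithdrawOp calldata op) private {
        internalBalance[op.sender] -= op.amount; // reverts on underflow (>=0.8)
        (bool ok, ) = op.recipient.call{value: op.amount}("");
        require(ok, "transfer failed");
    }
}
```

A unit test for the hardened path should call withdrawChecked from an account that is neither op.sender nor an approved relayer and expect a revert.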
This is a brutal reminder that even top-tier protocols can bleed overnight. $116M gone in a blink and users left holding the bag again. DeFi’s transparency cuts both ways – we see everything, but can’t stop it.
Audits are good, active defense is better. Trust isn’t code-deep, it’s battle-tested through chaos like this.

