Balancer, the Ethereum [ETH]-based decentralized finance [DeFi] protocol, fell victim to an exploit resulting in losses of nearly $900,000. This incident occurred only a few days after the protocol had publicly disclosed a vulnerability affecting its boosted pools. The protocol itself confirmed the exploit and subsequent loss on social media platform X (formerly Twitter) on 27 August.
Balancer is aware of an exploit related to the vulnerability below.
Mitigation procedures have drastically reduced risks, but are unable to pause affected pools.
To prevent further exploits, users must withdraw from affected LPs. https://t.co/PDzX32gqeS https://t.co/b4CSqVFbDg
— Balancer (@Balancer) August 27, 2023
Blockchain security expert Meir Dolev identified an Ethereum address allegedly linked to the attacker. This address received two substantial transfers of Dai stablecoin, worth $636,812 and $257,527 respectively, leaving over $893,978 in the attacker’s possession.
The attacker continues with his operation, approx $900K affected, more than $600K moved to this address
0xB23711b9D92C0f1c7b211c4E2DC69791c2df38c1 pic.twitter.com/inNqH4zel2
— Meir Dolev (@Meir_Dv) August 27, 2023
Attack shortly after disclosing vulnerability in boosted pools
The protocol’s team promptly addressed the situation by acknowledging the exploit related to the disclosed vulnerability. While they had taken mitigation measures to significantly reduce risks, they also clarified that it was not possible to pause the affected pools.
To avert further breaches, the team recommended that users withdraw from the impacted liquidity pools.
Balancer disclosed the critical vulnerability in question on 22 August. This prompted an urgent call for users to withdraw funds from liquidity pools and led to the temporary suspension of pools.
The vulnerability posed a threat to assets deployed on various platforms. These include Ethereum, Polygon [MATIC], Arbitrum [ARB], Optimism [OP], Avalanche [AVAX], Gnosis [GNO], Fantom [FTM], and zkEVM.
Balancer has received a critical vulnerability report affecting a number of V2 Pools.
Emergency mitigation procedures have been executed to secure a majority of TVL, but some funds remain at risk.
Users are advised to withdraw affected LPs immediately. https://t.co/PDzX32gqeS pic.twitter.com/F1f649Wz3L
— Balancer (@Balancer) August 22, 2023
Initially, upon detecting the vulnerability, the risk assessment identified that only 1.4% of the total assets faced exposure, totaling over $5 million. However, as of 24 August, a significant level of risk persisted, with at least $2.8 million remaining vulnerable, accounting for 0.42% of the total locked value.
Balancer issued a warning to its users on X, advising them about the status of their funds across various pools. It underscored that funds in pools labeled ‘mitigated’ were categorized as safe.
Nevertheless, users were strongly advised to consider migrating to more secure pools or withdrawing their funds. Pools that remained susceptible were designated ‘at risk,’ and LPs in those pools were urged to exit promptly.
The protocol’s recent history is closely tied to its deployment on the Optimism network in June of the previous year. This deployment aimed to enhance user functionality while reducing transaction fees, making it more accessible and cost-effective for participants.