Halloween’s scare came late for the crypto industry.
Decentralized finance (DeFi) protocol Balancer (BAL) has been hit by one of the biggest crypto hacks of 2025, with more than $116 million stolen from its trading pools, according to data from blockchain analysts including Lookonchain.
Balancer confirmed awareness of “a potential exploit impacting Balancer v2 pools” at 3:20 p.m. UTC on Nov. 3, writing on X (formerly Twitter):
“We’re aware of a potential exploit impacting Balancer v2 pools. Our engineering and security teams are investigating with high priority. We’ll share verified updates and next steps as soon as we have more information.”
Within hours, blockchain analytics firm Lookonchain said losses had ballooned:
“Absolutely insane — the total stolen funds from the Balancer exploit have now surged to $116.6 M. ”
How the exploit unfolded
Preliminary forensic analysis shared by DeFi researcher Adi (@AdiFlips on X) outlined a sophisticated sequence of smart-contract manipulations:
“The attack targeted Balancer’s V2 vaults and liquidity pools, exploiting a vulnerability in smart contract interactions. … Improper authorization and callback handling allowed the attacker to bypass safeguards. This enabled unauthorized swaps or balance manipulations across interconnected pools, draining assets in rapid succession (within minutes).”
According to Adi, the attacker deployed a malicious contract that manipulated vault calls during pool initialization, funneling stolen funds through Ethereum transaction. Assets were then consolidated into a fresh wallet, likely to be laundered via mixers or bridges.
Investigators say the composable design of Balancer, where pools interact deeply for cross-asset liquidity, amplified the flaw. No evidence suggests a private-key compromise; the breach was a pure smart-contract exploit.
PeckShield, Nansen, and other blockchain-security teams are assisting Balancer’s internal engineers in tracing funds.
EXPLAINED: In simple terms, the hacker found a coding flaw that let them trick Balancer’s system into performing unauthorized transactions. This let them move funds between trading pools and drain tokens within minutes.
The attacker then transferred the stolen funds to new crypto wallets, the digital equivalent of creating new bank accounts, to make tracking harder.
What was stolen
Rough estimates show:
* Ethereum mainnet: $70 million
* Base & Sonic: $7 million combined
* Other chains: $2 million +
* Main assets: WETH, wstETH, osETH, frxETH, rsETH, rETH
* Total: $110 – $116 million
Community response
Ledger CTO Charles Guillemet urged immediate action:
“It seems that Balancer v2 pools were exploited. More than $100 M stolen. If you have funds on these pools, you might want to withdraw them. It’s also a good idea to review your approval and revoke the ones that are unnecessary. Stay safe.”
Adi echoed the same caution, advising users to withdraw from Balancer V2 pools, revoke token approvals through Revoke or DeBank, and monitor wallets for suspicious transactions.
What Balancer is
Launched in March 2020, Balancer is an automated market maker (AMM) and liquidity protocol built on Ethereum. It allows users to create customizable index-style liquidity pools that automatically rebalance token weights. Its V2 architecture, released in May 2021, introduced a unified “Vault” system for gas efficiency and composability — the very feature that attackers exploited.
The protocol currently secures more than $451 million in total value locked (TVL), according to DefiLlama.
Balancer has faced smaller exploits in the past — including a $900,000 flash-loan attack in 2020 and a $2 million vulnerability disclosure in 2023 — but none on this scale.
Notably, crypto crime is breaking records in 2025, with $2.17 billion stolen in the first half of the year — a surge Chainalysis calls “the most devastating yet.” The $1.5 billion Bybit hack by North Korea accounts for the bulk of losses, but attacks on personal wallets now make up nearly a quarter of all thefts, reflecting a dangerous new shift. If the trend continues, stolen crypto from services alone could exceed $4.3 billion by year’s end.
