One of the decentralized finance (DeFi) sector’s longest established exchanges, Balancer, has suffered an ongoing smart contract hack, with losses totalling $129 million so far.

The exploit, which hit the exchange’s v2 liquidity pools on multiple blockchains, also reportedly affected projects which had “forked” Balancer’s code.

Just over two hours after the attack began, Balancer acknowledged the incident, stating it was “aware of a potential exploit impacting Balancer v2 pools.”

Update: @Balancer and its forks are under attack, with total losses across multiple chains reaching ~$128.64M so far. https://t.co/67XGX5RcRR pic.twitter.com/FIwx20ALSz — PeckShieldAlert (@PeckShieldAlert) November 3, 2025

First launched in the run-up to 2020’s DeFi summer, Balancer’s v2 later expanded on the existing “constant product” model of automated market makers (such as Uniswap and Bancor) by introducing multi-asset and weighted liquidity pools.

Other large DeFi projects such as Aave and Lido have reassured users their tokens’ pools aren’t affected.

Lido and Flashbots’ Hasu remarked that Balancer’s v2 “is one of the most looked at and forked smart contracts since. It’s very scary.”

According to a preliminary analysis from Blockchain security auditor Decurity, the “manageUserBalance” function contains a “faulty access check” which allows the hacker to withdraw funds.

It notes that, additionally, “the Vault’s internal balance (_internalTokenBalance) was manipulated before the withdrawal.”

1inch’s Anton Bukov suspects exploitation of a rounding error.

Balancer previously fell victim to a $2 million hack in August of 2023 due to a “rate manipulation” vulnerability in its Boosted Pools.

The following month, it warned users of a front-end compromise. In March of 2023, $11 million of Balancer pool funds were drained during the hack on lending protocol Euler.

Cross-chain catastrophe

The exploit affected Balancer pools on multiple blockchains, with losses reported on Ethereum, Berachain, Arbitrum, Base, Sonic, Optimism and Polygon.

Berachain announced that “validators have coordinated to purposefully halt the Berachain network as the core team performs an emergency hard fork.”

DeFi data dashboard DeFiLlama lists 27 projects as forks of Balancer’s v2 code, with a combined total value locked (TVL) of $78 million. Beets, a Balancer fork on Sonic, was reportedly hacked for $3.4 million.

As the losses mounted, a Polymarket bet on whether the crypto community would see another hack with over $100 million in losses before the end of the year jumped from approximately 25% likelihood to over 99%.

The incident is ongoing and this article will be updated to reflect any major developments.

1 day ago The sheer number of audits of Balancer’s v2 codebase shows that even the longest established DeFi projects may still contain vulnerabilities 🙁 I have nothing to say. pic.twitter.com/mVVajQwtLg — playboi.eth (@adeolRxxxx) November 3, 2025 1 day ago Wildcat’s Laurence Day extended sympathy to the Balancer team while reflecting of his use of Balancer pools for previous project Indexed Finance. Check out Protos’ review of the recent Code Is Law documentary which features some of DeFi’s best known hacks. Balancer exploit really sucks to see: huge fan of it as a protocol that got overlooked in terms of its importance to Ethereum by the high priests



Indexed was built as a fork of V2 – it’s a great piece of kit



My sympathies to the team/everyone affected – this bit is a nightmare — laurence (@functi0nZer0) November 3, 2025 1 day ago Approximately $600,000 has reportedly been saved by a whitehat bot operated by BitFinding. 1 day ago Blockchain auditors BlockSec posted a proposed root cause analysis of the hack, with a worked example based on attack transactions from Arbitrum. .@Balancer and several forked projects were attacked a few hours ago, resulting in losses exceeding $120M across multiple chains. This was a highly sophisticated exploit. Our initial analysis suggests the root cause was an invariant manipulation that distorted the BPT price… https://t.co/KaKA8D1A0i pic.twitter.com/zLfGW0mrmj — BlockSec Phalcon (@Phalcon_xyz) November 3, 2025 1 day ago Coinbase’s Conor Grogan pointed out the hacker’s impressive OpSec in funding the attack. He believes the attacker was well prepared in advance: “people don’t generally hold 100 ETH in tornado cash smart contracts for the fun of it.” Balancer was hacked for ~$100M. Hacker seems experienced:

1. Seeded account via 100 ETH and 0.1 Tornado Cash deposits. No opsec leaks

2. Since there were no recent 100 ETH Tornado deposits, likely that exploiter had funds there from previous exploits pic.twitter.com/OQOpfKwzxv — Conor (@jconorgrogan) November 3, 2025 1 day ago The hacker’s account on Sonic has reportedly been frozen via a new security mechanism introduced in response to the hack. 9 hours ago Today, around 7:48 AM UTC, an exploit affected Balancer V2 Composable Stable Pools.



Our team is working with leading security researchers to understand the issue and will share additional findings and a full post-mortem as soon as possible.



Because these pools have been live… pic.twitter.com/LRLNNXogt3 — Balancer (@Balancer) November 3, 2025

