Balancer Exploited for $128 Million Across Ethereum Chains as Berachain Halts Network
Crypto automated market maker Balancer suffered a major exploit early Monday that resulted in an estimated $128 million worth of digital assets being stolen across multiple blockchains. As a result, emerging network Berachain has forcefully halted its blockchain and is attempting a hard fork to resolve the issue.
Balancer was offering its services across multiple chains—including Ethereum, Arbitrum, and Base—and all of those that used Balancer V2 were vulnerable to the attack. On top of this, many protocols have used its codebase to build their own products, which also suffer from the same vulnerability.
The exploit likely came as the result of a “tiny precision/rounding error” found in Balancer V2 liquidity pools, on-chain analytics firm Nansen told Decrypt. The attacker pushed the pools towards that rounding error via multiple swaps within a single transaction. That led to the Balancer Pool Token, which represents ownership in Balancer liquidity pools, being undervalued by the liquidity pool.
“With the BPT price depressed, the attacker swapped into or minted BPT at that deflated value. They immediately converted those (underpriced) BPT back into underlying assets and then into ETH, pocketing the difference,” Nansen Research Analyst Nicolai Sondergaard told Decrypt.
Security firms Cyvers and PeckShield both estimate the total losses at approximately $128 million. Nansen put the total closer to $100 million, an estimate that is dropping as token prices decline amid a broader market plunge. The stolen funds were then sent through several different addresses and swapped on decentralized exchanges.
Balancer has acknowledged the exploit and confirmed that the issue is isolated to Balancer V2 Composable Stable Pools specifically—meaning V3 pools remain unaffected. The project is now working with “leading security researchers” to create a full postmortem on the incident. Balancer’s BAL token has dropped more than 11% on the day to a $56 million market capitalization, according to CoinGecko.
“[It’s] likely the worst is behind at this point, as it does not seem like the exploiter is withdrawing any more funds,” Sondergaard said.
As a result of the attack, Berachain validators coordinated to halt the blockchain, with plans to perform an emergency hard fork to roll back the chain to its state before the exploit.
This is because Berachain’s native decentralized exchange is built upon the same vulnerable codebase as Balancer V2, Cyvers told Decrypt. That explains why Berachain was hit so hard, with an estimated $12.86 million in losses.

 
 