Overview
- On Nov. 3, attackers siphoned roughly $116–129 million from Balancer V2 Composable Stable Pools, with losses spreading across Ethereum, Arbitrum, Base, Sonic, Optimism, and Polygon.
- Balancer confirmed the breach affected only V2 Composable Stable Pools, said some legacy pools were outside the pause window, and placed pausable pools into recovery mode; Balancer V3 remains unaffected.
- Investigators cite an access‑control flaw tied to functions handling vault calls, with on‑chain forensics pointing to a malicious contract manipulating authorization and callbacks during pool operations.
- Berachain halted its network and executed an emergency hard fork to protect funds, while integrators and forks such as Beefy and Beets.fi paused products linked to Balancer V2.
- On‑chain trackers report the exploiter consolidating and swapping stolen liquid‑staking and wrapped tokens into ETH, as Balancer’s TVL fell sharply and BAL slid double digits despite the protocol’s 11+ prior audits.