Overview
- Investigators report three attacker-linked wallets now hold roughly $117 million, with consolidation on-chain but no mixer or exchange cash-outs observed.
- Early analysis identifies an access-control flaw in Balancer V2’s manageUserBalance and validateUserBalanceOp that enabled unauthorized internal withdrawals.
- Forked projects were drawn into the fallout as Beets.fi/Beethoven X confirmed impact and Berachain paused liquidity mining due to shared code.
- The BAL token fell about 5% following disclosure, according to CoinGecko data.
- Balancer had not issued an official statement at press time as security teams monitored flows and evaluated exposure at V2-dependent services with over $60 million locked.