The hacking history of the veteran DeFi protocol Balancer: 6 security incidents in 5 years, with total losses exceeding $100 million
The veteran DeFi protocol Balancer has suffered 6 major security incidents in the past 5 years, and the latest attack has cost it more than $100 million, exposing the technical risk that hides behind DeFi's complexity. (Synopsis: "Balancer hacked for $116 million"; official response: the incident is under investigation; Lido advisor: this will set DeFi adoption back a year) (Background: The veteran DeFi protocol Balancer has been hacked! Damage has exceeded $116 million, and the attack is still ongoing)

For onlookers, DeFi is a novel social experiment; for participants, a DeFi theft is an expensive lesson. When it rains it pours, and the hacker chose the downturn on purpose. With the whole crypto market slumping, this veteran DeFi protocol has taken a heavy blow. On November 3, on-chain data showed that Balancer had apparently been hacked: roughly $70.9 million in assets were moved to a new wallet, including 6,850 osETH, 6,590 WETH and 4,260 wstETH. According to Lookonchain's monitoring of the addresses involved, the total damage from the attack subsequently rose to $116.6 million.

After the incident the Balancer team said: "A vulnerability attack has been identified that could affect the Balancer v2 pool, and its engineering and security teams are investigating this incident with high priority and will share verified updates and next steps as more information is available." The team also publicly offered 20% of the stolen assets as a white-hat bounty for returning the funds, valid for 48 hours. The response was prompt, but also formulaic. If you are a DeFi veteran, though, the headline "Balancer hacked" does not surprise you; it brings a strange sense of déjà vu.
Founded in 2020, Balancer has had 6 security incidents in its 5 years, roughly one visit from hackers per year, and this one is merely the largest. Looking back at that history, whenever the market turns hellish for traders, the opportunists in DeFi turn to exploits, and no protocol is safe.

June 2020: Deflationary token vulnerability, loss of approximately $520,000

In March 2020, Balancer entered DeFi with the novel idea of a "flexible automated market maker." Just three months later, the ambitious project had its first nightmare. Attackers exploited the protocol's mishandling of deflationary tokens, causing losses of about $520,000. In outline: the STA token automatically burned 1% of every transfer as a fee. The attackers borrowed 104,000 ETH via a dYdX flash loan and swapped back and forth between STA and ETH 24 times. Because Balancer did not recompute the pool's actual balance after each transfer, its recorded STA balance drifted away from what it really held, and the STA actually in the pool was driven down to a single wei. The attackers then exploited the resulting price distortion to swap trace amounts of STA for large amounts of ETH, WBTC, LINK and SNX.

March 2023: Collateral damage from the Euler incident, loss of approximately $11.9 million

This time Balancer was an indirect victim. Euler Finance suffered a $197 million flash loan attack, and Balancer's bb-e-USD pool was implicated because it held Euler's eTokens. When Euler was attacked, about $11.9 million, 65% of the pool's TVL, flowed out of the bb-e-USD pool into Euler. Balancer paused the pool as an emergency measure, but the damage was already irreparable.

August 2023: Balancer V2 pool precision vulnerability, approximately $2.1 million in losses

This attack was foreshadowed.
On August 22 of that year, Balancer disclosed the vulnerability itself and urged users to withdraw, but the attack still came 5 days later. The vulnerability was a rounding error in the V2 Boosted Pools. By manipulating it precisely, the attacker biased the BPT (Balancer Pool Token) supply calculation and withdrew assets from the pool at an incorrect exchange rate. The attack was carried out in several flash-loan transactions; different security firms put the losses between $979,000 and $2.1 million.

September 2023: DNS hijacking attack, approximately $240,000 in damage

This was a social engineering attack aimed not at the smart contracts but at traditional network infrastructure. The hackers socially engineered the domain registrar EuroDNS and hijacked the balancer.fi domain, redirecting users to a phishing site that used an Angel Drainer malicious contract to trick them into approving transfers. The proceeds were then laundered through Tornado Cash. This one was not Balancer's fault, but phishing that borrows a protocol's brand is hard to guard against.

June 2024: Velocore hacked, losing about $6.8 million

Velocore is an independent project, and strictly speaking its theft did not involve Balancer's own contracts. But Velocore is a Balancer fork using the same CPMM (constant product market maker) pool design, so the money was stolen elsewhere while the mechanism was Balancer's. The attacker reportedly exploited an overflow in Velocore's Balancer-style CPMM pool contract to push the fee multiplier (feeMultiplier) above 100%, corrupting the pool's calculations, and stole about $6.8 million through flash loans combined with carefully constructed withdrawals.

November 2025: Latest attack, more than $100 million lost

The technical root cause of this attack has been preliminarily identified.
According to security researchers, the vulnerability lies in the access control check of the manageUserBalance function in Balancer V2, i.e. the check of the caller's permission. According to analysis by the security watchdogs Defimon Alerts and Decurity, when verifying withdrawal permissions Balancer V2 should have checked that the caller was the actual owner of the account, but the code instead checked whether msg.sender (the actual caller) equaled the op.sender field supplied by the user. Since op.sender is a user-controlled input, attackers could forge identities at will, bypass the permission check, and perform WITHDRAW_INTERNAL (internal withdrawals…
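Returning to the June 2020 incident: the accounting gap that let a 1%-burn token drain the pool is easiest to see in a toy model. The following Python is an added example written for this page, not Balancer's contract code. It keeps a constant-product pool whose recorded STA balance is credited from the caller-supplied amount (the bug) or from the balance change the pool actually observes (the fix); the reserves, the swap size and the names `Pool`, `drift_after` and `measure_delta` are constructed for illustration, while the 1% burn is the page's STA figure.

```python
"""Toy constant-product pool that credits the caller-supplied amount instead of
the balance actually received: the accounting gap behind the June 2020 STA hack.
Added example, not Balancer's code; all reserves and swap sizes are constructed."""
from dataclasses import dataclass

BURN_BPS = 100  # STA-style deflationary token: 1% of every transfer is burned


def burn_on_transfer(amount: int) -> int:
    """Amount the recipient actually receives when `amount` STA is sent."""
    return amount - amount * BURN_BPS // 10_000


@dataclass
class Pool:
    eth: int         # ETH the pool really holds
    sta_real: int    # STA the pool really holds (after burns)
    sta_booked: int  # STA the pool *thinks* it holds and prices against

    def swap_eth_for_sta(self, eth_in: int) -> int:
        """Trader sends ETH, pool sends STA; returns the STA the trader receives."""
        sta_out = self.sta_booked * eth_in // (self.eth + eth_in)  # x*y=k on booked balances
        self.eth += eth_in
        self.sta_booked -= sta_out
        self.sta_real -= sta_out  # the pool pays the full amount; the burn hits the trader
        return burn_on_transfer(sta_out)

    def swap_sta_for_eth(self, sta_in: int, measure_delta: bool) -> int:
        """Trader sends STA, pool sends ETH.
        measure_delta=False models the bug: the pool credits `sta_in` although
        only 99% of it arrived. measure_delta=True models the fix: credit
        balanceOf(after) - balanceOf(before), i.e. what really arrived."""
        arrived = burn_on_transfer(sta_in)
        self.sta_real += arrived
        credited = arrived if measure_delta else sta_in
        eth_out = self.eth * credited // (self.sta_booked + credited)
        self.sta_booked += credited
        self.eth -= eth_out
        return eth_out


def drift_after(cycles: int, eth_in: int, measure_delta: bool) -> int:
    """Run `cycles` ETH->STA->ETH round trips and return booked minus real STA.
    Any positive value is STA the pool prices as if it existed but cannot pay out."""
    pool = Pool(eth=1_000_000, sta_real=1_000_000, sta_booked=1_000_000)  # constructed reserves
    for _ in range(cycles):
        sta_got = pool.swap_eth_for_sta(eth_in)
        pool.swap_sta_for_eth(sta_got, measure_delta)
    return pool.sta_booked - pool.sta_real


if __name__ == "__main__":
    for n in (1, 24):
        print(f"{n:2d} round trips: buggy drift = {drift_after(n, 100_000, False)}, "
              f"fixed drift = {drift_after(n, 100_000, True)}")
```

With the buggy accounting the gap between booked and real STA grows by about 1% of every STA deposit, so 24 round trips (the page's figure) leave the pool pricing against STA it no longer holds; with delta-based accounting the gap stays at zero. The general defence is the same for any fee-on-transfer or rebasing token: never trust the amount the caller claims to have sent, measure the pool's balance before and after the transfer.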