Balancer Exploited for $128 Million Across Ethereum Chains as Berachain Halts Network

Automated cryptocurrency market maker Balancer suffered a major exploit on Monday that resulted in an estimated $128 million worth of digital assets being stolen across multiple blockchains. As a result, the emerging network Berachain has forcibly stopped its blockchain and proof of a hard fork to solve the problem.

Balancer offers its services in several chains, including ethereumArbitrum and Base – and everyone who used Balancer V2 were vulnerable to the attack. On top of that, many protocols have used its code base to build their products, which also suffer from the same vulnerability.

The exploit likely came as a result of a “small precision/rounding error” found in the Balancer V2 liquidity pools, the on-chain analysis company. Nansen said Decrypt. The attacker pushed the pools towards that rounding error via multiple exchanges in a single transaction. That led to the Balancer Pool Tokenwhich represents the property in the Balancer liquidity pools, being undervalued by the liquidity pool.

“With the price of BPT depressed, the attacker traded or minted BPT at that deflated value. They immediately converted those (underpriced) BPT into underlying assets and then into ETH, pocketing the difference,” Nansen Research Analyst Nicolai Sondergaard said. Decrypt.

Cyvers security experts and PeckShield both estimate the total losses to be worth about $128 million. Nansen estimated the figure to be closer to $100 million, a figure that is falling as token prices drop. wider market dive. The stolen funds were then sent to several different addresses and exchanged on decentralized exchanges.

Balancer has recognized the exploit and confirmed that the problem is isolated to Balancer V2 Composable Stable Pools specifically-meaning V3 pools remain unaffected. The project is now working with “leading security researchers“To create a complete postmortem on the incident. Balancer’s BAL token fell more than 11% on the day to a market capitalization of $56 million, according to the CoinGecko.

“[It’s] “The worst is probably behind us at this point, as it doesn’t look like the exploiter is withdrawing any more funds,” Sondergaard said.

Bera stopped in his tracks

As a result of the attack, the Berachain validators have coordinated to stop the blockchain, with plans to perform an emergency hard fork to return the chain to its state before the exploitation.

This is because Berachain’s native decentralized exchange is built on the same vulnerable code base as Balancer V2, Cyvers said. Decrypt. That explains why Berachain was hit so hard, with one estimate $12.86 million in losses.

“Since it affected non-native assets (not just BERA), the rollback/rollforward involves more than a simple hard fork,” the Berachain Foundation announced. he saidexplaining why the blockchain has been halted in the meantime.

This move is very happy among crypto-natives who believe in the immutability of blockchains. For many die-hard crypto believers, forking a chain and canceling transactions goes against everything crypto stands for.

Ethereum famously regained its blockchain via a hard fork after the famous 2016 hack of the DAOwhich led to $50 million in ETH being stolen – an amount that represented a significant amount of the total supply at the time. The controversial hard fork has divided the community, with those against the split staying with the original chain in what is now called Ethereum Classic.

“I’m sure some will not be happyut this, and we recognize that this could be seen as a controversial decision”, Berachain founder pseudonym and CSO Smokey the Bera, wrote about X. “Users and LPs on the network are always our priority and when about $12 million of user funds are at risk from a malicious attack, we tried to coordinate the set of validators to protect those users.”

“The goal is to get the funds back ASAP and make sure all the LPs are safe,” Smokey added.

Berachain’s token is also down nearly 10% on the day to a market capitalization of $211 million, according to CoinGecko.