Balancer Exploit: $128M Loss, Berachain Hard Fork

This article was prepared using automated systems that process publicly available information. It may contain inaccuracies or omissions and is provided for informational purposes only. Nothing herein constitutes financial, investment, legal, or tax advice.

Introduction

The decentralized finance ecosystem is reeling from a massive $128 million exploit targeting Balancer, a leading automated market maker protocol, with the fallout forcing emerging blockchain Berachain to halt its network and prepare for a controversial hard fork. The security breach, which exploited a critical vulnerability in Balancer V2’s liquidity pools, has triggered significant token price declines and reignited debates about blockchain immutability versus user protection in the crypto space.

Key Points

  • The exploit resulted from a precision error in Balancer V2 Composable Stable Pools that allowed attackers to manipulate BPT prices through multiple swaps
  • Berachain halted its blockchain and is performing an emergency hard fork to recover $12.86 million in stolen funds, mirroring Ethereum's controversial 2016 DAO fork
  • Multiple security firms including Nansen, Cyvers, and PeckShield confirmed the attack vector while Balancer works with researchers on a comprehensive post-mortem

The Anatomy of a $128 Million Exploit

The security breach that rocked the DeFi world originated from what on-chain analytics firm Nansen described as a “tiny precision/rounding error” in Balancer V2’s Composable Stable Pools. This seemingly minor vulnerability allowed attackers to manipulate the system through sophisticated transaction patterns, specifically by executing multiple swaps within a single transaction to push liquidity pools toward the critical rounding error. The attack vector affected all blockchains where Balancer V2 was deployed, including Ethereum, Arbitrum, and Base networks, demonstrating how a single code vulnerability can have multi-chain consequences.

According to Nansen Research Analyst Nicolai Sondergaard, the exploit mechanism involved depressing the price of Balancer Pool Tokens (BPT), which represent ownership in Balancer liquidity pools. “With the BPT price depressed, the attacker swapped into or minted BPT at that deflated value,” Sondergaard explained. “They immediately converted those underpriced BPT back into underlying assets and then into ETH, pocketing the difference.” This arbitrage-like attack allowed the exploiter to systematically drain value from affected pools while leaving the protocol’s V3 pools untouched.
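The passage above describes a rounding error that only pays off when many swaps are chained in one transaction. The following toy pool, an added illustration that is not Balancer's code and does not reproduce Balancer's stable-swap math (it uses a plain constant-product invariant and integer arithmetic, both assumptions made here), shows the general principle a defender wants to see: when the "amount in" for an exact-output swap is rounded in the user's favour, each swap leaks a little value and the leak compounds over repeated swaps, whereas rounding in the pool's favour keeps the invariant from ever decreasing. It also shows the cheap guard that catches the drift on the first bad swap.

```python
"""Toy constant-product pool demonstrating rounding-direction risk.

Constructed example: reserves, swap sizes and the invariant are made up
for illustration and do not model Balancer's Composable Stable Pools.
"""
from dataclasses import dataclass


def ceil_div(a: int, b: int) -> int:
    """Integer division rounded up (b > 0)."""
    return -(-a // b)


@dataclass
class Pool:
    x: int                  # reserve of token X
    y: int                  # reserve of token Y
    round_for_pool: bool    # True: ceil amount-in; False: floor (leaky)
    guard: bool = False     # True: reject any swap that lowers x*y

    def invariant(self) -> int:
        return self.x * self.y

    def amount_in_for_exact_out(self, dy: int) -> int:
        # Real-valued answer is x*dy / (y - dy); the rounding direction
        # decides who absorbs the fractional part.
        den = self.y - dy
        if dy <= 0 or den <= 0:
            raise ValueError("invalid output amount")
        num = self.x * dy
        return ceil_div(num, den) if self.round_for_pool else num // den

    def swap_exact_out(self, dy: int) -> int:
        """Take dy of Y out, put the computed dx of X in; return dx."""
        k_before = self.invariant()
        dx = self.amount_in_for_exact_out(dy)
        self.x += dx
        self.y -= dy
        # Defensive check: the invariant must never decrease on a swap.
        if self.guard and self.invariant() < k_before:
            self.x -= dx
            self.y += dy
            raise ValueError("invariant decreased: rounding leaks value")
        return dx


def simulate(round_for_pool: bool, swaps: int = 1000, dy: int = 1,
             x: int = 10**6, y: int = 10**6) -> int:
    """Run `swaps` tiny exact-output swaps; return invariant drift (after - before)."""
    pool = Pool(x, y, round_for_pool)
    k0 = pool.invariant()
    for _ in range(swaps):
        pool.swap_exact_out(dy)
    return pool.invariant() - k0


def guard_trips(round_for_pool: bool, swaps: int = 1000) -> bool:
    """True if the invariant guard rejects at least one swap."""
    pool = Pool(10**6, 10**6, round_for_pool, guard=True)
    try:
        for _ in range(swaps):
            pool.swap_exact_out(1)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Floor rounding: each 1-unit swap costs the user 1 but should cost
    # slightly more, so x*y shrinks by n^2 after n swaps (-1_000_000 here).
    print("floor (user-favoured) drift:", simulate(False))
    # Ceil rounding: the pool keeps the fractional part; x*y grows.
    print("ceil  (pool-favoured) drift: ", simulate(True))
    print("guard trips with floor rounding:", guard_trips(False))
    print("guard trips with ceil rounding: ", guard_trips(True))
```

The point is not the specific numbers but the shape: the per-swap loss is below one unit of the token, which is why it is invisible in a single trade and only becomes material when an attacker can chain many swaps atomically. Rounding every user-facing quantity in the pool's favour and asserting that the invariant is non-decreasing after each operation are the two controls a reviewer should look for in any AMM math.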

The scale of the attack became apparent as security firms Cyvers and PeckShield both estimated total losses at approximately $128 million, while Nansen’s assessment placed the figure closer to $100 million, with the final amount fluctuating due to declining token prices amid broader market conditions. The stolen funds were subsequently routed through multiple addresses and swapped on various decentralized exchanges, complicating recovery efforts and highlighting the challenges of tracking stolen assets across the decentralized ecosystem.

Berachain's Drastic Response: Halting and Hard Forking

The exploit’s ripple effects hit emerging network Berachain particularly hard, with an estimated $12.86 million in losses forcing the project to take extreme measures. Berachain validators coordinated to completely halt the blockchain, with plans to perform an emergency hard fork that would roll back the chain to its state before the exploit occurred. This drastic response was necessary because, as security firm Cyvers confirmed, Berachain’s native decentralized exchange was built upon the same vulnerable codebase as Balancer V2, making it susceptible to the same attack vector.

The Berachain Foundation acknowledged the complexity of their response in an official announcement, stating: “Given that it affected non-native assets (not just BERA), the rollback/rollforward involves more than a simple hard fork.” This explanation underscores why the blockchain required complete halting rather than a simple patch, as the exploit impacted multiple asset types across the ecosystem. The foundation’s priority, according to pseudonymous Berachain founder and CSO Smokey the Bera, was protecting users and liquidity providers facing approximately $12 million in risk from the malicious attacker.

Smokey the Bera addressed the contentious nature of the decision on social media platform X, writing: “I’m sure that some won’t be happy about this, and we recognize that this could be seen as a contentious decision. Users and LPs on the network are always our priority and when approximately $12 million of user funds are at risk from a malicious attacker, we attempted to coordinate the validator set to protect those users.” The founder emphasized that the primary goal was to “recover funds ASAP and ensure that all LPs are safe,” placing user protection above ideological purity.

Market Impact and Historical Precedents

The immediate market reaction to the exploit was severe, with Balancer’s native BAL token dropping more than 11% to a $56 million market capitalization, according to CoinGecko data. Similarly, Berachain’s BERA token suffered nearly a 10% decline, falling to a $211 million market cap as investors reacted to both the exploit itself and the controversial decision to hard fork. Despite the significant losses, Nansen’s Sondergaard offered some reassurance, noting that “it’s likely the worst is behind at this point, as it does not seem like the exploiter is withdrawing any more funds.”

The decision to hard fork Berachain echoes Ethereum’s famous 2016 response to The DAO hack, which saw $50 million in ETH stolen—a substantial portion of the total supply at the time. That controversial hard fork created a permanent schism in the Ethereum community, with opponents of the rollback maintaining the original chain as Ethereum Classic. The philosophical divide centers on whether blockchain immutability should be absolute or whether exceptional circumstances warrant intervention to protect users, a debate that the Balancer exploit has now reignited.

Balancer has officially acknowledged the exploit and confirmed that the vulnerability was isolated to Balancer V2 Composable Stable Pools specifically. The project is now collaborating with “leading security researchers” to produce a comprehensive postmortem analysis of the incident. This transparency, while necessary for rebuilding trust, comes amid growing concerns about codebase reuse in DeFi, as the incident revealed that “many protocols have used its codebase to build their own products, which also suffer from the same vulnerability,” creating potential systemic risks across the ecosystem.
