Balancer Exploit Raises Doubts About Smart Contract Audits


Over $100 Million Lost in DeFi Breach
Decentralized platform and automated market maker Balancer suffered a major exploit on Monday, with more than $100 million in digital assets drained from its V2 Composable Stable Pools. The team said in a post on X that the breach was “isolated” to the V2 pools and did not affect Balancer V3 or any other liquidity pools.
Balancer said its contracts had undergone “extensive auditing by top firms” and that bug bounties had been running “for a long time to incentivize independent auditors.” The scale of the theft has reignited debate over whether smart contract audits can effectively prevent vulnerabilities in decentralized finance.
Audited but Still Compromised
Developer Suhail Kakar, a blockchain engineer at TAC, questioned the effectiveness of DeFi auditing standards. “Balancer went through 10+ audits,” he wrote on X. “The vault was audited three separate times by diverse firms and still got hacked for $110 million. This space needs to accept that ‘audited by X’ means almost nothing. Code is hard, DeFi is harder.”
According to Balancer’s GitHub repository, four security companies — OpenZeppelin, Trail of Bits, Certora, and ABDK — conducted a total of 11 audits on its smart contracts. The most recent review, by Trail of Bits, was completed in September 2022 and focused on Balancer’s stable pool implementation.
OpenZeppelin did not respond to Cointelegraph’s request for comment. A spokesperson for Trail of Bits said the firm would not discuss the incident “until the root cause is identified and all Balancer forks are secure.”
How the Attack Unfolded
Blockchain analytics showed that roughly $116 million worth of assets — including StakeWise Staked ETH (osETH), Wrapped Ether (WETH), and Lido Wrapped Staked Ether (wstETH) — were transferred to a newly created wallet during the attack. A research analyst at Nansen told Cointelegraph that the exploit likely stemmed from a “faulty access check” that allowed the attacker to issue unauthorized withdrawal commands from Balancer’s vault contract.
Balancer said it was working with independent blockchain forensics teams and law enforcement agencies to track the funds. No further technical details were released as investigators continued to analyze the vulnerability.
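To make the “faulty access check” category concrete, the following is an added illustration, written for this article and not taken from Balancer’s repository: a minimal vault in which pools (or any caller) can withdraw on behalf of a user. The vulnerable version debits a caller-supplied `owner` without checking that `msg.sender` is entitled to act for that owner; the hardened version adds an explicit operator approval. The contract names, the `operators` mapping and the `withdrawFor` signature are hypothetical, and nothing here should be read as the actual root cause, which had not been disclosed at the time of writing.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustrative example (not Balancer's code). Minimal ERC-20 surface
// the vault needs; real deployments would use OpenZeppelin's IERC20/SafeERC20.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// VULNERABLE: generic "missing access check" pattern (hypothetical contract).
contract VulnerableVault {
    // user => token => internal balance
    mapping(address => mapping(address => uint256)) public balances;

    function deposit(address token, uint256 amount) external {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        balances[msg.sender][token] += amount;
    }

    // BUG: `owner` is caller-supplied and nothing ties it to msg.sender.
    // Any address can drain any user's balance to any recipient.
    function withdrawFor(address owner, address token, uint256 amount, address recipient) external {
        require(balances[owner][token] >= amount, "insufficient balance");
        balances[owner][token] -= amount;
        require(IERC20(token).transfer(recipient, amount), "transfer failed");
    }
}

// HARDENED: the same function with an explicit authorization check.
contract HardenedVault {
    mapping(address => mapping(address => uint256)) public balances;
    // owner => operator => approved (hypothetical delegation scheme)
    mapping(address => mapping(address => bool)) public operators;

    event OperatorSet(address indexed owner, address indexed operator, bool approved);

    function deposit(address token, uint256 amount) external {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        balances[msg.sender][token] += amount;
    }

    // Only the owner can grant or revoke an operator for their own balance.
    function setOperator(address operator, bool approved) external {
        operators[msg.sender][operator] = approved;
        emit OperatorSet(msg.sender, operator, approved);
    }

    function withdrawFor(address owner, address token, uint256 amount, address recipient) external {
        // ACCESS CHECK: caller must be the owner or an operator the owner approved.
        require(msg.sender == owner || operators[owner][msg.sender], "not authorized for owner");
        require(balances[owner][token] >= amount, "insufficient balance");
        // Checks-effects-interactions: update state before the external call.
        balances[owner][token] -= amount;
        require(IERC20(token).transfer(recipient, amount), "transfer failed");
    }
}
```

The review question an auditor would ask of every state-changing entry point is the one the hardened version answers in its first `require`: for each account whose balance this call can reduce, what on-chain evidence proves the caller may act for it? A function that accepts an `owner`, `sender` or `pool` argument without such a check is the shape of bug the Nansen analyst describes, and it is exactly the kind of authorization invariant that a formal-verification engagement or an invariant fuzzing campaign (for example, “no call by address A can decrease the balance of address B unless A is B or B approved A”) is meant to pin down across the whole call graph, not just in the function where the check is visible.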
Balancer Offers 20% Bounty to Hacker
In an on-chain message to the attacker, Balancer offered a white hat bounty worth 20% of the stolen assets if the funds were returned within 48 hours. “If you choose not to cooperate, we have engaged independent blockchain forensics specialists and are actively cooperating with multiple law-enforcement agencies and regulatory partners,” the message read.
As of publication, Balancer had not issued any updates on whether the hacker responded or if any portion of the funds had been recovered. Similar bounty offers in previous DeFi exploits have occasionally led to partial or full restitution, though most attackers have opted to retain stolen assets.
Wider Implications for DeFi Security
The breach adds to a series of DeFi security lapses in 2025 that have collectively cost users more than $1.2 billion, according to data from DefiLlama. The attack follows similar exploits targeting Curve Finance and Arcadia Finance earlier this year. Despite industrywide calls for improved standards, the Balancer case shows that even mature protocols with multiple audit rounds remain at risk.
Balancer’s V3 version, launched earlier this year, was unaffected by the exploit, offering some reassurance to liquidity providers. But the loss will likely renew scrutiny from both investors and regulators over whether decentralized platforms can securely scale without centralized oversight.