Today, Web3 cybersecurity firm Beosin reported an update on the August 27 hack of Balancer. According to the latest estimate, the protocol, which offers a self-balancing portfolio for crypto users, lost nearly $2.1 million to the exploit of the vulnerability, which was first reported by the project’s team on August 22.
Two days ago, Beosin detected multiple flashloan attacks on the protocol that caused $870,000 in initial damage. Flashloan attacks, which allow attackers to borrow significant amounts of money without collateral and manipulate cryptocurrency prices for profit, exploited the vulnerability in the Balancer protocol despite the team’s efforts to mitigate the risks.
Shortly after the vulnerability was detected, Balancer’s developers managed to reduce the amount of unsecured TVL (the total value locked in the protocol) to less than 1%.
On August 25, when the malicious actor still failed to perform an attack, Balancer’s team shared a new update with its X community (formerly Twitter) claiming that "over 99.7% of the liquidity that was originally considered vulnerable is now SAFE."
According to Balancer’s calculations, the remaining amount of TVL accounted for nearly $565,199. The team urged users of the vulnerable liquidity pools to withdraw their funds as soon as possible.
Unfortunately, securing the vulnerable assets presented some challenges, and within two days Balancer was exploited. It is also clear that there is a discrepancy in the amount of finances reported by Beosin and Balancer. Unless Beosin’s cybersecurity analysts made a mistake, either the attack also affected pools that were supposed to be secured, or Balancer did not provide accurate statistics.
Another on-chain analytics firm, PeckShield, also reported losses of more than $2.1 million. PeckShiled acknowledged that Balancer "did a great job in alerting the community to remove liquidity from affected vaults," but the cybersecurity specialists believe that "the original estimate of 'only 0.08% of total TVL ($565,199) remains at risk' seems to be seriously miscalculated."
PeckShield shared with its X followers four wallet addresses used in the theft of DAI and staked FTM (sFTMX) tokens from Balancer’s pools. The wallet with the largest loot received DAI worth nearly $979,000 at press time. Others received DAI worth $218,000 and $595,000, respectively, while the loot in sFTMX amounted to $303,000.
To help its customers withdraw their money from the affected pools, Balancer posted detailed instructions on its official website. The team warned its users about the possible need "to withdraw several times if they are liquidity providers in a pool with nested pool tokens."
Interestingly, fraudsters had already exploited the news about the vulnerability in Balancer before the attack. After the team disclosed the technical issue, malicious actors used fake accounts to impersonate the protocol’s X profile and promote phishing links to redirect crypto users to "a compensatory BAL [the Balancer token] distribution."
Now that Balancer has indeed been hacked, its users should be particularly vigilant to avoid interactions with any websites promising financial compensation from the protocol.