- Over $128.6 million in assets, including WETH, osETH, and wstETH, were drained from Balancer V2 pools across Ethereum, Polygon, and Arbitrum on November 3, 2025.
- The exploit leveraged a state-write reentrancy vulnerability in the V2 Vault-to-Pool system, allowing attackers to corrupt internal balances and perform unauthorized withdrawals.
- Integrated protocols such as Berachain responded with emergency hard forks to contain the exploit’s spread across Balancer forks.
 
The decentralized finance (DeFi) protocol Balancer is investigating a multi-chain security exploit that drained over $128.6 million from its V2 liquidity pools on Monday. The breach exploited a flaw in the Vault-to-Pool callback mechanism, allowing attackers to manipulate internal balances and withdraw assets across Ethereum, Polygon, and Arbitrum.
Prior to the incident, Balancer, an automated market maker (AMM) known for its customizable liquidity pools, held more than $750 million in total value locked (TVL). This event, now dubbed the Balancer DeFi Hack, marks one of the largest on-chain security breaches of 2025.
Vulnerability in Balancer’s V2 Architecture
The attack targeted a state-write reentrancy vulnerability in Balancer’s V2 architecture, particularly within its singleton Vault design. According to blockchain security firm Zealynx, the issue stemmed from a “cross-contract trust boundary” that made the exploit “architecturally inevitable” under extreme liquidity conditions.
The attackers executed a complex batchSwap that exploited incorrect invariant calculations in the _calcInGivenOut function, a flaw affecting stable pools that rely on precision-based token scaling: a stable pool upscales each token's raw balance to a common 18-decimal representation before solving its invariant, so any rounding in that scaling step feeds straight into swap pricing, and once balances are driven down to dust the rounding error becomes large relative to the balances themselves. The manipulation deflated Balancer Pool Token (BPT) prices and allowed the systematic withdrawal of high-value assets, including 6,587 WETH, 6,851 osETH, and 36,850 wstETH, across multiple EVM-compatible networks.
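To make the scaling-and-rounding mechanism concrete, here is an added, self-contained Python model. It is not Balancer's code and does not reproduce the attacker's transaction: it pairs a Curve-style StableSwap invariant solved in integer fixed point with a floor-rounding upscale step, then compares the result against an unrounded reference. The amplification factor, token rates, wei-level balances and BPT supply are constructed for illustration only.

```python
from fractions import Fraction

ONE = 10**18  # 18-decimal fixed point; every "upscaled" amount lives at this scale


def stable_invariant(amp, balances, max_iter=255):
    """Curve-style StableSwap invariant D, solved by Newton's method in integer
    arithmetic. Balances and the returned D share one fixed-point scale, and
    every division floors, as it would in Solidity."""
    n = len(balances)
    s = sum(balances)
    if s == 0:
        return 0
    ann = amp * n
    d = s
    for _ in range(max_iter):
        d_p = d
        for b in balances:
            d_p = d_p * d // (b * n)
        prev = d
        d = (ann * s + n * d_p) * d // ((ann - 1) * d + (n + 1) * d_p)
        if abs(d - prev) <= 1:
            return d
    raise ArithmeticError("invariant did not converge")


def upscale_down(raw_amount, rate):
    """Scale a raw token amount to 18 decimals by a rate (for example a wrapped
    token's exchange rate), flooring the result. This mirrors a mulDown-style
    upscale and is the step where precision is lost."""
    return raw_amount * rate // ONE


def upscale_exact(raw_amount, rate):
    """The same scaling with no rounding, kept as a rational for reference."""
    return Fraction(raw_amount * rate, ONE)


def precision_loss_demo(amp=1000, raw_balances=(10, 7),
                        rates=(ONE, 15 * 10**17), bpt_supply=20):
    """Constructed scenario (not chain data): a two-token stable pool drained
    down to a few wei per token, the second token carrying a 1.5 rate.
    Returns the invariant and the BPT price computed both ways."""
    rounded = [upscale_down(a, r) for a, r in zip(raw_balances, rates)]
    # Reference path: keep the full product (36-decimal scale) so nothing is
    # floored before the invariant is solved, then bring D back to 18 decimals.
    wide = [a * r for a, r in zip(raw_balances, rates)]
    d_rounded = stable_invariant(amp, rounded)
    d_exact = Fraction(stable_invariant(amp, wide), ONE)
    return {
        "upscaled_rounded": rounded,
        "upscaled_exact": [upscale_exact(a, r) for a, r in zip(raw_balances, rates)],
        "invariant_rounded": d_rounded,
        "invariant_exact": d_exact,
        # BPT price here is simply invariant / total BPT supply
        "bpt_price_rounded": Fraction(d_rounded, bpt_supply),
        "bpt_price_exact": d_exact / bpt_supply,
    }


def relative_invariant_loss(result):
    """How far the floored invariant sits below the unrounded reference."""
    return (result["invariant_exact"] - result["invariant_rounded"]) / result["invariant_exact"]


if __name__ == "__main__":
    dust = precision_loss_demo()
    for key, value in dust.items():
        print(key, value)
    print("relative loss at dust balances:", float(relative_invariant_loss(dust)))
    # Same rounding at realistic balances disappears into the 18th decimal.
    healthy = precision_loss_demo(raw_balances=(10 * ONE, 7 * ONE + 3),
                                  rates=(ONE, 1234567890123456789))
    print("relative loss at 1e18-scale balances:", float(relative_invariant_loss(healthy)))
```

At dust balances the floored path upscales 7 wei at a 1.5 rate to 10 instead of 10.5, the solved invariant comes out at 20 against a reference just under 20.5, and a BPT price derived from it is deflated by roughly 2.4%. The same call with 1e18-scale balances shows a relative loss on the order of 1e-19, which is why the flaw only bites under the extreme liquidity conditions described above. The model covers the rounding class only; the real pool's scaling factors, invariant solver and the exact path through batchSwap are not reproduced here.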
Industry and Protocol Response
Balancer’s official X account confirmed the exploit Monday, stating that its “engineering and security teams are investigating potential V2 pool vulnerabilities.” The project urged users to revoke approvals and withdraw liquidity from affected pools while blocking phishing attempts circulating through community channels.
The Berachain network, which operates Balancer-based forks such as BEX, initiated an emergency hard fork to isolate the vulnerability and prevent contagion. Yield aggregator YO confirmed its funds were safe and that exposure through its autoETH vault had been fully exited.
Analyst Francesco Andreoli urged users to “Withdraw immediately and revoke token approvals” as a precautionary measure. Suhail Kakar, a DeFi researcher, noted that despite the protocol’s extensive security history, including “10+ independent audits,” the incident reveals the persistent risk of composability in DeFi systems.
Chain Street’s Take
If DeFi protocols continue to evolve through stacked integrations and recursive logic, how can smart contracts ever be considered “secure”? Are audit certifications losing credibility as exploit complexity outpaces testing standards? And as Balancer prepares a post-mortem, will this breach prompt the industry to rethink the architecture of shared Vault systems entirely?