On August 27, only days after disclosing a vulnerability that impacted numerous pools, the Ethereum automated market maker and decentralized finance protocol Balancer reported on X (previously Twitter) that it had been exploited for over $900,000.
This breach occurred less than a week after the team announced a “critical vulnerability.” In order to mitigate the risk, the Balancer team requested on August 22 that the exchange’s liquidity providers (LPs) remove money from vulnerable pools.
The Balancer team confirmed that it is “aware of an exploit related to the vulnerability.”
Blockchain security specialist Meir Dolev has released an Ethereum address that is believed to belong to the attacker. After the vulnerability was discovered, the address received two payments of $636,812 and $257,527 in Dai stablecoin, bringing the total to approximately $893,978.
On August 22, Balancer announced a major vulnerability impacting its boosted pools, advising liquidity providers (LPs) to withdraw their funds and halting pools until the issue was resolved. Blockchains such as Ethereum, Polygon, Arbitrum, Optimism, Avalanche, Gnosis, Fantom, and zkEVM all have assets at risk.
Only 1.4% of Balancer's overall assets were at risk on the day the vulnerability was discovered, but that was still over $5 million. At least $2.8 million (or 0.42% of the overall value) was at risk as of August 24.
According to a tweet by blockchain security company Beosin, the hack included “multiple flash loan attacks.” In a flash loan attack, a hacker borrows a significant sum of cryptocurrency from a DeFi platform, immediately uses that cryptocurrency to steal from the affected pools, and then repays the loan.