The decentralized finance (DeFi) ecosystem is once again grappling with a major security breach after Balancer, one of Ethereum’s leading automated market makers, suffered a devastating $116 million exploit.
Blockchain investigators are now pointing to signs that the attacker may have been preparing for months, and potential insider coordination has not been ruled out.
The breach, which targeted multiple Balancer liquidity pools, stands as one of 2025’s largest DeFi exploits, reigniting questions about security, governance, and the growing sophistication of blockchain-based attacks.
Months in the Making: How the Balancer Exploit Unfolded
According to early on-chain data shared by PeckShield and Cyvers Alerts, the Balancer attacker executed a complex, multi-transaction exploit involving flash loans, cross-chain transfers, and manipulation of pool configurations.
The initial breach occurred late Monday, with funds drained across several Ethereum and Arbitrum pools.
Within minutes, the attacker had siphoned off $116 million worth of assets, including Ether (ETH), Wrapped Bitcoin (WBTC), and various stablecoins.
However, what has alarmed analysts most isn’t the magnitude of the loss; it’s the meticulous preparation.
“The attacker wasn’t acting impulsively. This was a carefully architected operation, likely researched for months,” said blockchain analyst Serena Li from BlockSec in an interview with Cointelegraph.
On-chain traces suggest the perpetrator created dozens of dummy addresses, funded through privacy-enhancing tools and mixer networks weeks before the actual attack.
Each wallet played a unique role, from routing transactions to laundering proceeds through decentralized exchanges and bridges.
Balancer Confirms the Exploit: Emergency Measures Activated
Shortly after the attack, Balancer Labs confirmed the exploit via an X (formerly Twitter) post, urging users to withdraw liquidity from affected pools immediately.
“We are aware of a critical exploit impacting multiple Balancer pools. Emergency mitigation is underway. Users are advised to remove liquidity from impacted pools as soon as possible,” the team announced.
Balancer paused pool creation functions and initiated its emergency subDAO governance process to assess the extent of the damage and coordinate response efforts.
Despite the swift action, most of the stolen funds had already been moved beyond immediate recovery.
Blockchain security firm CertiK later confirmed that the majority of funds were routed through Tornado Cash and subsequently bridged to unknown addresses, complicating recovery efforts.
Insider Involvement? Investigators Split on Theory
While Balancer Labs has not publicly confirmed insider involvement, several cybersecurity researchers have suggested that the attack may have required internal-level understanding of Balancer’s pool mechanics.
“The timing, depth of knowledge, and exploit vector used suggest possible insider collaboration or at least privileged information leaks,” said Aakarshit Srivastava, a smart contract auditor at Halborn Security.
According to Srivastava, the attacker demonstrated an “unusually intimate familiarity” with Balancer’s contract logic, particularly how the platform handles liquidity rebalancing and flash-loan executions.
DeFi sleuth @ZachXBT also noted suspicious wallet activity tied to older Balancer governance participants.
While no direct links have been confirmed, some addresses associated with the exploit had previously interacted with Balancer DAO voting proposals, adding fuel to insider speculation.
A Familiar Pattern: Echoes of the Curve Finance Hack
The Balancer incident bears striking similarities to the Curve Finance exploit from July 2023, which also involved reentrancy vulnerabilities and liquidity pool manipulation.
In both cases, attackers leveraged DeFi composability, exploiting interconnected smart contracts across multiple protocols to amplify their reach.
“DeFi’s greatest strength, composability, can also be its greatest weakness,” said Li.
“Each interlinked contract expands the attack surface, allowing one weak link to compromise the entire chain of dependencies.”
Unlike Curve, however, Balancer’s exploit appeared to involve cross-chain orchestration, with transactions spanning Ethereum, Arbitrum, and Base networks, signaling the attacker’s mastery of multi-network liquidity dynamics.
Forensic Traces: How the Hacker Moved the Money
Investigators have since tracked the attacker’s laundering trail:
Roughly 38% of stolen funds were bridged to Arbitrum and Base within two hours of the hack.
Another $41 million was converted to ETH and staked through liquid-staking protocols.
The rest was funneled through privacy mixers like Tornado Cash and cross-chain bridges using obscure relayers.
By early Wednesday, blockchain intelligence firm Arkham identified several wallet clusters showing consistent “fingerprints” with previous exploits linked to North Korea’s Lazarus Group, though no official confirmation has been made.
Balancer DAO and the Community React
Within hours, Balancer’s governance forums were flooded with emergency proposals calling for tighter multi-sig controls, post-incident audits, and reparations for affected users.
Balancer’s co-founder, Fernando Martinelli, called the event “a brutal reminder” of the risks inherent in DeFi’s open architecture.
“We’ve always known that decentralization comes with exposure. What matters now is transparency, accountability, and rebuilding trust, not just for Balancer, but for the broader DeFi ecosystem,” Martinelli stated in a Discord AMA.
Meanwhile, users have reported temporary liquidity issues across several Balancer-integrated platforms, including Beethoven X and AURA Finance, though no secondary breaches have been confirmed.
DeFi Under Siege: $3B Lost in 2025 Alone
The Balancer hack adds to an already grim year for decentralized finance.
According to DefiLlama, more than $3 billion has been lost to protocol exploits in 2025, surpassing 2024’s total by nearly 40%.
Experts attribute this rise to the increasing complexity of cross-chain protocols, combined with the arms race in smart contract automation.
“Attackers today behave more like professional red teams than opportunistic hackers,” said Nadia Lin, Chief Security Officer at SlowMist.
“They conduct months of reconnaissance, exploit-chain modeling, and infrastructure testing, and execute when the conditions are perfect.”
What Happens Next: Recovery and Rebuilding
Balancer Labs has since confirmed that it is working with law enforcement, chain analytics firms, and white-hat groups to trace the funds.
The protocol’s Emergency DAO has also been granted temporary enhanced powers to mitigate further risks and issue user compensations where possible.
In a post-incident statement, Balancer said:
“We are committed to full transparency and user recovery. While this is a deeply painful moment, we are taking every step to ensure Balancer emerges stronger and more resilient.”
A bounty proposal offering up to 10% of the recovered funds has been floated to encourage the hacker to return part of the stolen assets.
Similar approaches have been successful in past exploits, including the Euler Finance and Poly Network hacks.
A Pivotal Moment for DeFi Security
The Balancer exploit serves as another wake-up call for the DeFi industry, one that highlights how innovation continues to outpace security readiness.
With institutional capital increasingly entering DeFi markets, vulnerabilities like these not only erode user confidence but also invite regulatory scrutiny.
Analysts predict renewed calls for real-time risk monitoring, insurance layers, and protocol-level security audits as standard infrastructure.
“DeFi can’t afford to keep learning lessons the hard way,” said Halborn’s Srivastava.
“If Balancer, one of the space’s most audited protocols, can be breached this deeply, every project must re-evaluate its security stack.”
The Road Ahead
As investigations continue, DeFi users are once again reminded of the importance of vigilance, risk management, and diversified exposure.
While Balancer’s swift response has helped contain further contagion, the incident marks yet another chapter in DeFi’s ongoing struggle between innovation and vulnerability.
For now, Balancer’s community remains cautiously optimistic.
Whether the hacker returns part of the funds or remains elusive, one thing is clear: the attack will reshape how DeFi protocols approach security, transparency, and trust in 2025 and beyond.
