Update November 3, 9:47 UTC: This article has been updated to include the latest data, Balancer’s white hat reward offer, and comments from Nicolai Sondergaard, research analyst at Nansen.
Update November 3, 9:21 UTC: This article has been updated to include a section regarding the 2020 Balancer flash loan attack.
Balancer’s decentralized exchange (DEX) and automated market maker (AMM) were exploited, resulting in over $116 million worth of digital assets being transferred to a newly created wallet.
“We are aware of a potential exploit affecting Balancer v2 pools. Our engineering and security teams are investigating the matter with the highest priority,” the Balancer team said in a Monday X post, adding that it will provide more updates as information becomes available.
Onchain data initially showed that the decentralized finance (DeFi) protocol was exploited for $70.9 million worth of liquid Ether (ETH) tokens, transferred to a newly created wallet in three transactions, according to Etherscan logs.
The transfers included 6,850 StakeWise Staked ETH (osETH), 6,590 Wrapped Ether (WETH) and 4,260 Lido wstETH (wstETH), crypto intelligence platform Nansen said in a Monday post.
By 8:52 UTC on Monday, the amount of stolen funds had risen to over $116.6 million, according to an X post by blockchain data platform Lookonchain.
The Balancer exploit may stem from issues with smart contracts where “faulty access control allowed the attacker to send a command to withdraw funds,” Nicolai Sondergaard, a research analyst at Nansen, told Cointelegraph, adding:
“From what I see, losses are now over $100 million and have affected Balancer v2 + various forks.”
Balancer offers a 20% white hat reward
In an effort to recover the funds, the team behind Balancer has offered a white hat reward of up to 20% of the stolen funds if the entire amount minus the reward is immediately returned.
If the funds are not returned within the next 48 hours, Balancer said it will continue to work with blockchain forensics experts and law enforcement to identify the perpetrator.
“Our partners have high confidence that you will be identified based on access log metadata collected by our infrastructure, indicating connections from a defined set of IP addresses/ASNs and associated entry timestamps that correlate with on-chain transaction activity,” Balancer said in a blockchain transaction note on Monday.
Two years ago, Balancer suffered a domain name system (DNS) attack on its website, the protocol disclosed at the time. Hackers redirected site users to a phishing site linked to malicious smart contracts designed to steal users’ funds.
Approximately $238,000 worth of digital assets were stolen during the phishing attack, according to blockchain detective ZachXBT.
In August 2023, Balancer also suffered a stablecoin exploit worth nearly $1 million, just a week after the protocol disclosed a “critical vulnerability” related to some of its liquidity pools.
In June 2020, Balancer was breached, with $500,000 worth of Ether and other tokens stolen in a flash loan attack involving the Statera Deflationary Token (STA), a token that automatically burns 1% of each transaction.
This is a developing story and more information will be added as it becomes available.
