Balancer Discloses Critical Vulnerability Affecting Its V2 Pools

Table of Contents

• Critical Vulnerability Discovered 
• Funds Remain Safe 
• Balancer’s Native Token Registers Significant Drop 
• The Curve Hack

Liquidity protocol Balancer has disclosed that it has discovered a critical vulnerability that has impacted over 100 of its v2 pools spread across eight different blockchains. 

The team at Balancer has posted a list of the impacted pools on its GitHub page while also activating its emergency subDAO. 

Critical Vulnerability Discovered 

Balancer announced the discovery of the vulnerability in a post on X (formerly Twitter), stating that it had initiated emergency mitigation features. The protocol also urged users to withdraw funds from the impacted pools. 

“Balancer has received a critical vulnerability report affecting a number of V2 Pools. Emergency mitigation procedures have been executed to secure a majority of TVL, but some funds remain at risk. Users are advised to withdraw affected LPs immediately.”

The protocol stated that the issue had been mitigated in about 80% of the impacted pools. Meanwhile, the remaining 20% of the impacted pools represented around 4% of Balancer’s total value locked (TVL). Balancer stated in its forum, 

“Balancer Labs received a report of a critical vulnerability affecting a number of pools. We were able to mitigate over 80% of these; the remaining funds at risk represent about 4% of Balancer TVL.”

Funds Remain Safe 

The protocol also assured users that, at this point, the vulnerability had not been exploited, and all funds remained safe. Balancer added that pools labeled mitigated were safe but still urged users to migrate to safe pools or withdraw for the time being. The team also urged liquidity providers to exit their positions from impacted pools immediately. Jeff Bennett, a software engineer at Balancer Labs, said in a post, 

“We believe funds in the mitigated pools (labeled ‘mitigated’) are safe, but nevertheless strongly recommend timely migration to safe pools or withdrawal. Pools that could not be mitigated are labeled ‘at risk.’ If you are [a liquidity provider] in any of these pools, please exit immediately.”

Users have heeded the warnings from the protocol following the discovery of the vulnerability. As a result of users withdrawing liquidity, the protocol’s total value locked dropped by nearly $100 million amidst the rush of withdrawals. Balancer has also stated that it would be conducting a thorough post-mortem of the vulnerability and would publish details about it and how it was addressed soon. 

This is not the first time Balancer has asked users to pull liquidity from its pools. In January, the protocol had advised liquidity providers to pull liquidity citing “ongoing issues. 

Balancer’s Native Token Registers Significant Drop 

The unfolding situation unsurprisingly had an immediate impact on the market. As a result of the discovery of the vulnerability, Balancer’s native BAL token registered a drop of over 4%. However, the value has recovered with the protocol moving swiftly to mitigate the vulnerability and communicate with users. Currently, the token is trading at around $3.51, according to data from CoinMarketCap. 

Meanwhile, Spencer Hughes, a Blockworks Research Analyst, observed that the discovery of the Balancer vulnerability demonstrated the fact that smart contract audits cannot guarantee complete safety. However, he added that these audits never claimed to be a hundred percent foolproof. 

“With ~$830M TVL, a Balancer exploit would have left one of the most prominent DEXs for dead. Emergency SubDAOs are definitely very important for all DeFi protocols, and it is great that they were able to act before anything malicious could occur.”

The Curve Hack

While Balancer has moved fast to mitigate any potential damage, the DeFi space has been reeling from a spate of exploits. Recently, an exploit in the Curve Finance platform put over $100 million in crypto at risk, significantly amplifying concerns around the decentralized finance (DeFi) ecosystem. At the heart of the exploit was a re-entrancy bug that was found in Vyper, a programming language critical to Curve’s system.

The vulnerability allowed hackers to drain several stablecoin pools on Curve, leading to a significant disruption of the price and liquidity of several DeFi services. Other major exploits in the DeFi space include the Ronin exploit, which saw the Ronin Network lose a staggering $622 million. The exploit was a result of a breach in the Ethereum sidechain. BadgerDAO also fell victim to hackers, losing around $80 million to hackers.

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.