Balancer’s $128M Hack: DeFi Trust Shattered Despite 11 Audits
Balancer, a prominent and historically reliable DeFi protocol, suffered a devastating $128 million hack on November 3, 2023, despite undergoing over ten security audits. The exploit, affecting Balancer and its forks across multiple chains, saw approximately $100 million drained from Ethereum and $12.9 million from Berachain, among others. This incident caused Balancer's Total Value Locked (TVL) to plummet by 46%, from $770 million to $422 million, severely eroding investor confidence.
Forensics revealed the attacker manipulated Balancer Pool Token (BPT) price calculations during batch swaps, distorting internal price feeds to withdraw assets before the system could correct itself. Improper authorization and callback handling facilitated rapid draining across interconnected pools. Balancer's composable vault architecture, usually a benefit, amplified the damage by allowing the distortion to ripple widely. The sophistication of the attack, including funding via Tornado Cash, suggested an experienced hacker.
This hack triggered a significant “trust collapse” in DeFi, challenging the long-held belief that longevity and numerous audits guarantee safety. Industry experts highlighted that even mathematically sound systems can harbor unforeseen vulnerabilities, and smart contract risk remains pervasive. The incident underscored the paradox of DeFi composability: while it drives innovation, it also amplifies systemic risk, as a failure in a core protocol can cascade through dependent networks. This event reversed a period of low DeFi hack losses, pushing November's figures past $120 million.
Because DeFi lacks traditional finance's robust coordination mechanisms, crisis management relies heavily on developers and auditors, often in real time. This emphasizes the urgent need for better risk management infrastructure. Beyond financial losses, the damage to institutional investor trust is substantial, signaling that decentralized markets are still experimental. The failure of multiple audits to prevent such a major breach further erodes confidence, confirming that “audited by X” is not infallible. This incident is expected to accelerate regulatory efforts globally as policymakers grapple with the growing risks in the interconnected crypto and traditional financial industries.
(Source: https://cryptoslate.com/how-11-audits-couldnt-stop-balancers-128-million-hack-redefining-defi-risks/)


