From Balancer to Berachain: When Chains Hit the Pause Button

深潮 2025/11/04 22:48
By:深潮TechFlow

A single vulnerability exposes the conflict between DeFi security and decentralization.

Written by: ChandlerZ, Foresight News

The DeFi world has once again been thrown into the eye of the storm.

Multiple projects based on the Balancer V2 architecture suffered a meticulously planned attack on November 3, with cumulative losses exceeding $120 million. This incident not only affected the Ethereum mainnet but also spread to Arbitrum, Sonic, Berachain, and other chains, becoming another industry-shaking security incident following the Euler Finance and Curve Finance events.

BlockSec's preliminary analysis indicated that this was a "high-complexity price manipulation attack," with the core being that the attacker distorted the BPT (Balancer Pool Token) price calculation logic, exploiting rounding errors in the invariant to create price distortion, thereby repeatedly arbitraging in a single batch swap.

Taking the attack transaction on Arbitrum as an example, the attack was divided into three stages:

  • The attacker first exchanged BPT for the underlying asset, precisely adjusting the cbETH balance to the rounding boundary (about 9 units), creating conditions for subsequent precision loss;

  • Next, a specific amount (=8) was swapped between another underlying asset wstETH and cbETH. Due to downward rounding during scaling, the calculated Δx was slightly reduced, causing Δy to be underestimated, which led to a decrease in the stable pool invariant D, thereby depressing the theoretical price of BPT;

  • Finally, the attacker swapped the underlying asset back to BPT, profiting from the artificially depressed price.

In short, this was a precision strike at the boundaries of mathematics and code.
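An added example, not from the article or from Balancer's code, showing why the rounding direction in the second stage matters and how an invariant check catches it. It replaces the stable pool invariant with a simplified constant-sum D and uses a constructed rate of 1.12 for one token; all function names are hypothetical.

```python
# Added illustration (not Balancer's StableMath): a two-token pool whose
# invariant is simplified to the constant sum of rate-scaled balances.
ONE = 10**18
RATE_X = 1_120_000_000_000_000_000  # constructed rate of 1.12 for token X
RATE_Y = ONE                        # token Y scales 1:1

def mul_down(a, b):
    """Fixed-point multiply, rounded down."""
    return a * b // ONE

def mul_up(a, b):
    """Fixed-point multiply, rounded up."""
    return -(-a * b // ONE)

def invariant(bal_x, bal_y):
    """D of the simplified pool: sum of scaled balances (rounded down)."""
    return mul_down(bal_x, RATE_X) + mul_down(bal_y, RATE_Y)

def swap_given_out(bal_x, bal_y, out_x, upscale):
    """User takes out_x raw units of X; pool charges Y for the scaled amount.

    `upscale` decides how the requested amount is rounded when scaled.
    Returns (new_bal_x, new_bal_y, amount_in_y).
    """
    scaled_out = upscale(out_x, RATE_X)
    amount_in = -(-scaled_out * ONE // RATE_Y)  # downscale, rounded up
    return bal_x - out_x, bal_y + amount_in, amount_in

def guarded_swap(bal_x, bal_y, out_x, upscale):
    """Same swap, but refuse any result that lowers the invariant."""
    before = invariant(bal_x, bal_y)
    new_x, new_y, amount_in = swap_given_out(bal_x, bal_y, out_x, upscale)
    if invariant(new_x, new_y) < before:
        raise ArithmeticError("invariant decreased: rounding favored the trader")
    return new_x, new_y, amount_in

def violations(upscale, max_bal=40, bal_y=1000):
    """All (balance, amount_out) pairs for which a swap lowers D."""
    bad = []
    for bal_x in range(2, max_bal + 1):
        for out_x in range(1, bal_x):
            new_x, new_y, _ = swap_given_out(bal_x, bal_y, out_x, upscale)
            if invariant(new_x, new_y) < invariant(bal_x, bal_y):
                bad.append((bal_x, out_x))
    return bad
```

With these constructed values (balance 9, amount 8), rounding the requested amount down lets D fall from 1010 to 1009, while rounding it up keeps D at 1010; `guarded_swap` rejects the former.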

Balancer officially confirmed that V2 Composable Stable Pools were exploited through a vulnerability. The team is currently working with top security researchers to investigate and has promised to share a complete post-mortem analysis as soon as possible. All affected pools that can be paused have been urgently frozen and entered recovery mode. The impact of this vulnerability is limited to V2 Composable Stable Pools and does not affect Balancer V3 or other pool types.

After the Balancer V2 vulnerability incident broke out, projects that forked Balancer experienced severe turbulence. According to DeFiLlama data, as of November 4, the total value locked in related projects was only about $49.34 million, a 22.88% drop in a single day. Among them, BEX, the native DEX of Berachain, saw its TVL drop 26.4% to $40.27 million, still accounting for 81.6% of the entire ecosystem. However, due to on-chain shutdowns and liquidity freezes, capital outflows continue. Another victim, Beets DEX, performed even worse, with TVL plummeting 75.85% in 24 hours and a cumulative 79% drop over the past 7 days.

In addition to the above protocols, other DEXs based on the Balancer architecture also saw panic withdrawals. PHUX dropped 26.8% in one day, Jellyverse fell 15.5%, and Gaming DEX crashed 89.3%, with liquidity almost completely wiped out. Even small and medium-sized projects that were not directly affected, such as KLEX Finance, Value Liquid, and Sobal, generally recorded capital outflows of 5%–20%.

Chain Reactions Begin to Emerge, Berachain Initiates Emergency Hard Fork

This vulnerability originating from Balancer V2 quickly triggered even larger chain reactions.

Berachain, an emerging public chain built on Cosmos SDK, also suffered a hacker attack within hours because BEX adopted the same Balancer V2 contract architecture. The foundation quickly announced a "full chain shutdown" after detecting anomalies.

Reportedly, BEX's USDe Tripool and other liquidity pool assets were threatened, with affected funds totaling about $12 million. Attackers exploited the same logical vulnerability as Balancer, stealing funds through multiple smart contract interactions. Since some assets were non-native tokens, the team had to use a hard fork to roll back certain blocks for recovery and tracking.

At the same time, several protocols in the Berachain ecosystem, including Ethena, Relay, HONEY, and others, also took defensive measures:

  • Prohibited USDe cross-chain transfers;

  • Suspended deposits related to the lending market;

  • Stopped minting and redemption of HONEY;

  • Notified centralized exchanges to blacklist suspicious addresses.

The Berachain Foundation stated that this network pause was planned, and the network will resume normal operations soon. The Balancer vulnerability mainly affected the Ethena/Honey three-pool, caused by relatively complex smart contract transactions. Since the vulnerability affected non-native assets (not just BERA), the rollback/rollforward process is not a simple hard fork, so the network will be paused until a comprehensive solution is determined.

On November 4, the Berachain Foundation said that the hard fork binary had been distributed and some validator nodes had been upgraded. Before going back online and generating blocks again, they want to ensure that the core infrastructure partners required for on-chain operations (such as liquidation oracles) have updated their RPCs, as these are the main obstacles to resuming on-chain operations. After completing the core services' RPC requests, the team will coordinate with cross-chain bridges, CEX partners, custodians, and others to restore services.

Meanwhile, a Berachain MEV bot operator contacted the foundation after the chain was paused, claiming to have acted as a "white hat" to extract funds and sent an on-chain message. They expressed willingness to pre-sign a series of transactions to return the funds after the blockchain goes back online.

Security First or Decentralization?

"We know this is controversial, but when about $12 million in user assets are at risk, protecting users is the only choice," Berachain co-founder Smokey The Bera said in response to community concerns about "centralization."

He admitted in his statement that Berachain has not yet reached Ethereum-level decentralization, and the coordination mechanism among validators is more like a "crisis command center" than an automated consensus network. In reality, on-chain nodes shut down synchronously within less than an hour of the vulnerability appearing, demonstrating the efficiency of centralized decision-making but also exposing the degree of centralization in governance.

The community reaction quickly split.

Supporters believe this move demonstrates the team's sense of responsibility for user safety and is "realistic decentralization"; opponents accuse it of violating the "Code is Law" principle and being a blatant betrayal of on-chain irreversibility.

On-chain detective ZachXBT commented, "When user funds are in imminent danger, this is a difficult but correct decision."

But some radical developers bluntly stated: "If a blockchain can be paused at any time by humans, how is it any different from traditional financial systems?"

The Shadow of the DAO Incident Reappears

This turmoil reminds many industry insiders of the 2016 Ethereum DAO hack. At that time, Ethereum decided to roll back transactions via a hard fork to recover the stolen $50 million, resulting in the community splitting into Ethereum (ETH) and Ethereum Classic (ETC).

Nine years later, a similar choice has reappeared.

The difference is that this time the protagonist is a public chain still in its early stages of development, lacking sufficient decentralization and the scale of global consensus.

Although Berachain's human intervention prevented greater losses, it once again raises the philosophical question of whether blockchain can truly be autonomous.

In a sense, this is also a mirror of the DeFi ecosystem: security, efficiency, and decentralization—the balance among the three has never truly been achieved.

When hackers can destroy tens of millions of dollars in assets within seconds, "ideals" often have to give way to "reality."

Balancer officials stated that the team is working with top security researchers, plans to release a complete post-mortem analysis, and reminds users to beware of scam messages from fake security teams.

Berachain, on the other hand, expects to gradually resume block production and trading functions after the hard fork is completed.

However, restoring trust is more difficult than fixing vulnerabilities. For an emerging public chain, pausing the chain is a short-term firefight but may leave long-term scars in the community. Users will question the authenticity of its decentralization, and developers will worry about whether there are still guarantees of immutability.

The world of DeFi may be redefining decentralization—not absolute laissez-faire, but finding the smallest consensus of compromise in a crisis.
