Ethereum automated market maker and decentralized finance protocol Balancer was exploited for nearly $900,000, the protocol confirmed on X (formerly Twitter) on Aug. 27, just days after disclosing a vulnerability that affected several pools.
An Ethereum address allegedly belonging to the attacker has been revealed by blockchain security expert Meier Dolev. Following the exploit, the address received two transfers of Dai stablecoin worth $636,812 and $257,527, respectively, bringing its total balance to over $893,978.
“Balancer is aware of an exploit related to the vulnerability below,” the protocol’s team posted on X, adding that while mitigation measures taken in recent days had drastically reduced risks, affected pools could not be paused. “To prevent further exploits, users must withdraw from affected LPs,” it advised.
Balancer first disclosed a critical vulnerability affecting its boosted pools on Aug. 22, urging users to withdraw funds from liquidity providers (LPs) and pausing pools to mitigate potential damage. At risk were assets deployed on Ethereum, Polygon, Arbitrum, Optimism, Avalanche, Gnosis, Fantom and zkEVM.
On the day of the vulnerability discovery, only 1.4% of its total assets were at risk, representing over $5 million worth of asset exposure. On Aug. 24, at least $2.8 million — 0.42% of its total value locked — was still at risk. Balancer warned its users on X:
“We believe funds in the mitigated pools (labeled ‘mitigated’) are safe, but nevertheless strongly recommend timely migration to safe pools, or withdrawal. Pools that could not be mitigated are labeled ’at risk’. If you are an LP in any of these pools, please exit immediately.”
The protocol was deployed on the Optimism network in June last year, seeking to increase user functionality and reduce fees.