Balancer Targeted in Major DeFi Exploit
Balancer, a decentralized exchange and automated market maker, has reported a significant exploit resulting in the theft of over $100 million in digital assets. The incident, disclosed on Monday, has raised new questions regarding the effectiveness of multiple security audits in the decentralized finance (DeFi) sector.
Incident Details and Immediate Impact
According to Balancer's update, the exploit affected only its V2 Composable Stable Pools, leaving V3 and other pools unaffected. The stolen assets included various forms of staked Ether such as StakeWise Staked ETH (OSETH), Wrapped Ether (WETH), and Lido wstETH (wSTETH). The attacker transferred the assets to a newly created wallet in a series of on-chain transactions.
Audit History Calls Security Into Question
Balancer stated that its smart contracts had undergone more than ten audits by leading security firms, including four separate companiesOpenZeppelin, Trail of Bits, Certora, and ABDK. The most recent audit of the affected stable pool was conducted by Trail of Bits in September 2022.
The platforms extensive audit history has prompted debate in the DeFi community about the reliability of auditing processes. "The vault was audited three separate times by different firms but still got hacked for $110M. This space needs to accept that audited by X means almost nothing. Code is hard, DeFi is harder," wrote Suhail Kakar, a developer relations lead at TAC blockchain.
Technical Analysis and Response
A Nansen research analyst suggested the exploit could be linked to a smart contract vulnerability, possibly a faulty access check that allowed the attacker to withdraw the assets. Security companies involved with Balancers audits have so far declined to comment until the exploits root cause is confirmed and all similar protocols are secured.
Recovery Actions and Ongoing Investigation
Balancer has offered a white hat bounty of up to 20% for the return of the stolen funds, provided the full amount is returned within 48 hours. The team says they have engaged forensic experts and that law enforcement agencies are involved in the investigation.
As of publication, no additional updates have been released regarding the bounty or further details on the exploit.
Related content
Comments
