
The well-established decentralized finance (DeFi) protocol Balancer lost more than $120 million in an exploit yesterday, sending shockwaves throughout the industry and reminding participants of the long-standing vulnerabilities in the sector.
While a postmortem of the exploit has not yet been published, industry figures are urging teams not to rely solely on smart contract audits, and repeating that DeFi is not as decentralized as it claims to be.
"That’s a red flag for anyone thinking DeFi is 'stable.' No serious capital allocates into systems that fragile," Lefteris Karapetsas, founder of Rotki, an open-source portfolio management app, said, stressing that the hack is "a trust collapse."
Balancer confirmed that the exploit affected its V2 Composable Stable Pools, but the team was unable to pause them and prevent further drains once the attack was noticed. The team said that the pools had "undergone extensive auditing by top firms, and had bug bounties running for a long time to incentivize independent auditors."
"First lesson for bounty hunters: forget the number of audits a project has had before. Assume there are bugs," security researcher @storming0x said.
Today is a tough educational day for folk in the industry doing security
I feel for the @Balancer team, they did audits and all best practices most experts recommend
First lesson for bounty hunters, forget the number of audits a project has had before
Assume there are bugs
storm0x 🌩️ 💡 🗃️ (@storming0x), November 3, 2025
According to an initial analysis by blockchain security firm BlockSec Phalcon, the root cause of the exploit was a manipulation of the pool invariant that distorted the price calculation for Balancer Pool Tokens (BPT), allowing the attacker to profit from a specific stable pool through a single batch swap.
Meanwhile, DeFi platform StakeWise said that it was able to recover almost $21 million from the Balancer exploiter.
"The recovered funds will be returned to the users affected in the Balancer V2 exploit, distributed pro rata according to their pre-exploit balances," they said.
Some crypto projects rushed to protect themselves from related exploits. For example, Berachain halted its network while the core team performed an emergency hard fork to address Balancer V2-related exploits on BEX, Berachain’s decentralized exchange. Meanwhile, another blockchain project, Sonic, froze some wallets "pending further investigation," while Polygon validators are said to have censored the hacker’s transactions to freeze them.
All these instances once again prompted discussions about the decentralization of these projects.
However, Haseeb Qureshi, managing partner at crypto VC firm Dragonfly, argued that participants in a decentralized system can still agree to freeze accounts, an argument most other commenters rejected on the grounds that "if enough of those parties agree, then you can agree to do anything."
"It's very scary. Every time such an old contract can be exploited, it (rightfully) sets DeFi adoption back by 6-12 months," Hasu, responsible for strategy at crypto projects Flashbots and Lido, concluded.