Balancer V2 Hack
Incident Overview
On November 3, 2025, Balancer V2 suffered a major smart contract exploit across multiple chains, resulting in approximately $128 million in losses. The attacker exploited a vulnerability in the Vault's manageUserBalance function, specifically targeting improper authorization and callback handling during pool initialization to drain assets from liquidity pools.
The attack targeted Balancer's V2 Vault architecture, which serves as a central accounting hub for all pools. The vulnerability existed in the manageUserBalance function that handles internal balance operations. Initial analysis suggested the function improperly validated msg.sender against user-provided op.sender fields, though deeper forensic work by auditors like kebabsec revealed the root cause may involve state mutations during withdrawal proxy setup that left the Vault in a permissive state.
The attacker deployed a malicious contract that manipulated Vault calls during pool initialization, exploiting improper authorization checks and callback handling to bypass safeguards. This enabled unauthorized withdrawals of internal balances across interconnected pools in rapid succession. Assets were drained primarily on Ethereum ($70M), with additional losses on Base, Sonic ($7M combined), and other chains (~$2M+), totaling $128M in WETH, wstETH, osETH, frxETH, rsETH, and rETH.
Incident Report
Protocol Information
What the Attacker Needed to Succeed
Understanding the prerequisites for this type of attack helps auditors identify protocols that are most at risk and helps developers build better defenses.
What Auditors Should Check
If you're auditing a protocol with similar architecture to Balancer V2, these are the critical security checks that could have prevented this incident (November 2025).
- Verify all logic paths related to Composable Stable Pools Exploit / Access Control are guarded by proper access controls and input validation - see the Access Control Attacks attack class for patterns
- Review privileged functions (owner, admin, governance) for potential abuse vectors - centralization risks should be documented and bounded with timelocks or multi-sigs
Master these auditing techniques with hands-on labs and real exploit scenarios in the Smart Contract Hacking course.
Free TrialFunds Recovery
Recovered
$48.8M
Net Loss
79232000
Security Audit History
- Audit Report 1 Report
Post-Incident Timeline
-
2025-11-28
Total Recovered: ~$48.8 million StakeWise Recovery: $20.7 million Berachain Full Recovery: $12.8 million White-hat and Internal Recoveries: ~$8 million Additional MEV Bot Recoveries: $750,000+
Related Attack Classes
The technique used in this hack maps to these vulnerability classes in our security curriculum:
Sources & References
- 01
- 02
- 03
- 04
Learn to Prevent the Next Balancer V2
The Balancer V2 hack is one of many attacks that skilled auditors are trained to detect before deployment. Master real exploit patterns and defense techniques with hands-on Web3 security training.