This is the second theft from Balancer in a month, after it warned of a critical vulnerability on August 22, and that vulnerability was exploited for around $2 million several days later.
Balancer frontend compromised
Balancer issued an urgent warning to stop using its web interface, as it was evidently compromised by malicious actors who redirected the funds to themselves. Within 30 minutes of the tweeted warning, $240,000 had already been stolen.
Balancer drained of over $2 million following vulnerability warning
After warning users several days prior that a critical vulnerability had been discovered in their protocol, the Balancer defi project has been drained of around more than $2.1 million in a series of exploits apparently taking advantage of the bug.
Balancer acknowledged the hack, writing on Twitter that "Balancer is aware of an exploit related to the vulnerability [disclosed on August 22]. Mitigation procedures have drastically reduced risks, but [we] are unable to pause affected pools." They reiterated that users needed to withdraw funds from affected liquidity pools to prevent further thefts.
The blockchain researcher known on Twitter as MevRefund questioned why Balancer didn't execute a whitehat attack on their own protocol to try to safeguard the vulnerable funds.
Users pull $150 million in funds from Balancer protocol within hours after reports of a critical vulnerability
Balancer, a popular Ethereum-based defi protocol, has warned users that they should withdraw funds from vulnerable pools on the project after receiving a report of a critical vulnerability. No funds have been lost thus far, and the project has pools that could be impacted, though not all pools can be paused. Because of the nature of crypto projects, Balancer can't simply patch the vulnerability, and is now having to urge users to withdraw their liquidity as soon as possible.
Balancer had around $850 million TVL prior to the announcement. Since revealing the issue, users have removed more than $150 million in assets from the project. Balancer has stated that "only 1.4% of the total TVL is at risk", though 1.4% of $850 million would still be a sizeable $12 million windfall for any potential exploiter.