The hacker found a vulnerability in the project that allowed him to bypass the funds verification and release real assets with almost no restrictions.

What happened to Balancer and where did the $130 million go: a detailed investigation

01.12.2025

294

5 min

On November 3, 2025, a major theft of funds occurred from the Balancer platform and its two offshoots, Beets and Bex. The total initial amount of damage was approximately $130 million. GetBlock AML Research explains what happened and where the stolen funds are now.

Hack announcement on Balancer’s official X page.

The reason for the hack was an error in the token exchange system. The attacker was able to exploit this vulnerability, causing the system to believe that there was more money in his internal account than actually existed. After he “inflated” his virtual balances, he was able to withdraw real assets.

Approximate damage

  • Balancer — about $113 million
  • Beets — about $3,8 million
  • Bex — about $12,4 million

Later, some of the funds were frozen or returned. Therefore, the current damage estimate has decreased to ~$96,4 million.

How Balancer works (in a nutshell)

Balancer manages shared pools where users deposit their tokens. These pools automatically process exchanges between different assets, maintain the overall balance, and calculate the value.

There is a separate type of pool called ComposableStablePool, which attempts to keep the price of stable tokens at the same level. To do this, it uses a complex mathematical model that calculates how much can be issued to the user in order to maintain equilibrium.

What went wrong

Before the system performs an exchange, it converts values internally to ensure high accuracy. However, one of these conversions contained a rounding error.

Normally, this would not be a problem. But a malicious actor found a way to repeatedly perform very small transactions, and each rounding error slightly disrupted the calculations. This way, he “inflated” the discrepancy between the actual balance of the pool and what the system considered correct.

By repeating this process dozens of times, he was able to create a significant price discrepancy within the pool, and at the moment of withdrawal, he received significantly more assets than he had contributed.

How the attacker operated

The attack took place in several stages:

  • He repeatedly exchanged some tokens for others, gradually distorting the internal calculations.
  • This created the impression that his internal balance was growing, although in fact he had not contributed anything.
  • After many such operations, the value of the tokens in the pool shifted so that he could get significantly more for a very small amount of assets.
  • He then transferred the resulting “surplus” to his internal balance and withdrew real money.

As a result, he received:

  • 4259.84 wstETH
  • 1963.84 WETH
  • 20.41 LP-token

Each of these positions is equivalent to large sums of money.

What happened to the stolen funds

On November 15, the attacker began withdrawing the stolen funds. He sent 3711 ETH (approximately $11,7 million) to the Tornado Cash mixer. This occurred in 39 transactions:

  • 37 transfers of 100 ETH each,
  • one transfer of 10 ETH,
  • one transfer of 1 ETH.
The address used to transfer ETH to Tornado Cash
0x0e9c9473D0c504Da72763426719F6f03A15544D5
This is done to cover their tracks and make it harder to trace the money.
Addresses where the stolen assets still remain
0xf19FD5c683a958ce9210948858B80d433F6BfaE2 ~$540 000
0x87A1638239A404487ADE18800D2c8f1eA641E0fd ~$7,700
0xB973e729CB22875F3f211C226da814192cBc167C ~$19,7 million
0x1C7dA4E9740f99279c193540328314c04E2Edc00 ~$19,7 million
  • Approximately $1,4 million was frozen on the Polygon network.
  • $3,3 million was frozen on the Sonic network, but the attacker bypassed the block and withdrew the funds to Ethereum.

Diagram of the movement of stolen assets. Visualization: MistTrack.

What was recovered or blocked

Several successful actions helped to partially recover the funds:

  • On the Berachain blockchain, approximately $12 million was intercepted by a “white hat hacker” — a person who blocks stolen money in order to return it to its owners. The network was even temporarily suspended to prevent the attacker from withdrawing funds, and transfers were restricted to a special recovery address.
  • The Stakewise staking protocol destroyed approximately $19 million worth of tokens linked to the attacker’s addresses. This rendered the stolen assets useless.
  • Another “white hat hacker” returned approximately $1 million to Balancer.

Another person returned approximately $100k.

Subscribe to Getblock Magazine and stay up to date with the latest news from the world of cryptocurrencies and the digital economy