What happened to Balancer and where did the $130 million go: a detailed investigation
The hacker found a vulnerability in the project that allowed him to bypass the funds verification and release real assets with almost no restrictions.
01.12.2025
294
5 min
0
On November 3, 2025, a major theft of funds occurred from the Balancer platform and its two offshoots, Beets and Bex. The total initial amount of damage was approximately $130 million. GetBlock AML Research explains what happened and where the stolen funds are now.
Hack announcement on Balancer’s official X page.
The reason for the hack was an error in the token exchange system. The attacker was able to exploit this vulnerability, causing the system to believe that there was more money in his internal account than actually existed. After he “inflated” his virtual balances, he was able to withdraw real assets.
Approximate damage
- Balancer — about $113 million
- Beets — about $3,8 million
- Bex — about $12,4 million
Later, some of the funds were frozen or returned. Therefore, the current damage estimate has decreased to ~$96,4 million.
How Balancer works (in a nutshell)
Balancer manages shared pools where users deposit their tokens. These pools automatically process exchanges between different assets, maintain the overall balance, and calculate the value.
There is a separate type of pool called ComposableStablePool, which attempts to keep the price of stable tokens at the same level. To do this, it uses a complex mathematical model that calculates how much can be issued to the user in order to maintain equilibrium.
What went wrong
Before the system performs an exchange, it converts values internally to ensure high accuracy. However, one of these conversions contained a rounding error.
Normally, this would not be a problem. But a malicious actor found a way to repeatedly perform very small transactions, and each rounding error slightly disrupted the calculations. This way, he “inflated” the discrepancy between the actual balance of the pool and what the system considered correct.
By repeating this process dozens of times, he was able to create a significant price discrepancy within the pool, and at the moment of withdrawal, he received significantly more assets than he had contributed.
How the attacker operated
The attack took place in several stages:
- He repeatedly exchanged some tokens for others, gradually distorting the internal calculations.
- This created the impression that his internal balance was growing, although in fact he had not contributed anything.
- After many such operations, the value of the tokens in the pool shifted so that he could get significantly more for a very small amount of assets.
- He then transferred the resulting “surplus” to his internal balance and withdrew real money.
As a result, he received:
- 4259.84 wstETH
- 1963.84 WETH
- 20.41 LP-token
Each of these positions is equivalent to large sums of money.
What happened to the stolen funds
On November 15, the attacker began withdrawing the stolen funds. He sent 3711 ETH (approximately $11,7 million) to the Tornado Cash mixer. This occurred in 39 transactions:
- 37 transfers of 100 ETH each,
- one transfer of 10 ETH,
- one transfer of 1 ETH.
| The address used to transfer ETH to Tornado Cash |
| 0x0e9c9473D0c504Da72763426719F6f03A15544D5 |
| Addresses where the stolen assets still remain | |
| 0xf19FD5c683a958ce9210948858B80d433F6BfaE2 | ~$540 000 |
| 0x87A1638239A404487ADE18800D2c8f1eA641E0fd | ~$7,700 |
| 0xB973e729CB22875F3f211C226da814192cBc167C | ~$19,7 million |
| 0x1C7dA4E9740f99279c193540328314c04E2Edc00 | ~$19,7 million |
- Approximately $1,4 million was frozen on the Polygon network.
- $3,3 million was frozen on the Sonic network, but the attacker bypassed the block and withdrew the funds to Ethereum.
Diagram of the movement of stolen assets. Visualization: MistTrack.
What was recovered or blocked
Several successful actions helped to partially recover the funds:
- On the Berachain blockchain, approximately $12 million was intercepted by a “white hat hacker” — a person who blocks stolen money in order to return it to its owners. The network was even temporarily suspended to prevent the attacker from withdrawing funds, and transfers were restricted to a special recovery address.
- The Stakewise staking protocol destroyed approximately $19 million worth of tokens linked to the attacker’s addresses. This rendered the stolen assets useless.
- Another “white hat hacker” returned approximately $1 million to Balancer.
Another person returned approximately $100k.
Useful material?
Research
One and the same cryptocurrency address received two completely opposite assessments from different analytics systems: from an ordinary gambling service to an extremely severe criminal offense. This story has become the starting point for a broader conversation about what the scientific standards of blockchain analysis should look like — and why errors in systems like these can shape the fates of real people.
Jul 1, 2026
Research
The blockchain has helped uncover the ties between cryptocurrency fundraising campaigns, exchangers in Syria, and intermediaries in several countries around the world. A telltale pattern has emerged in which the same addresses were used across multiple donation drives at once
Jun 24, 2026
Research
Four Iranian cryptocurrency exchanges accounted for roughly 78% of all digital asset volume tied to the country in 2025. They have now become the focal point of the largest U.S. sanctions campaign against Iran's cryptocurrency infrastructure.
Jun 5, 2026
Research
A financial system is already up and running on public blockchains, with loans, analogues of U.S. Treasuries, and automated capital markets. More than $551 billion has flowed through DeFi protocols — but most of that activity has nothing to do with the real economy and everything to do with the speculative build-up of risk.
May 29, 2026
Research
Around 97% of Chinese suppliers of chemicals used to make fentanyl accept payment in cryptocurrency. The volume of such transactions continues to grow alongside the global market for synthetic drugs
May 22, 2026
Research
For the first time, the new law makes blockchain analytics an officially mandatory tool of financial oversight in the United States. Authorities will also gain the power to restrict transactions with foreign crypto services tied to money-laundering risks.
May 20, 2026
Telegram
Twitter