Critical Vulnerability Discovered
Balancer announced the discovery of the vulnerability in a post on X (formerly Twitter), stating that it had initiated emergency mitigation features. The protocol also urged users to withdraw funds from the impacted pools.
“Balancer has received a critical vulnerability report affecting a number of V2 Pools. Emergency mitigation procedures have been executed to secure a majority of TVL, but some funds remain at risk. Users are advised to withdraw affected LPs immediately.”
The protocol stated that the issue had been mitigated in about 80% of the impacted pools. Meanwhile, the remaining 20% of the impacted pools represented around 4% of Balancer’s total value locked (TVL). Balancer stated in its forum,
“Balancer Labs received a report of a critical vulnerability affecting a number of pools. We were able to mitigate over 80% of these; the remaining funds at risk represent about 4% of Balancer TVL.”
Funds Remain Safe
The protocol also assured users that, at this point, the vulnerability had not been exploited, and all funds remained safe. Balancer added that pools labeled mitigated were safe but still urged users to migrate to safe pools or withdraw for the time being. The team also urged liquidity providers to exit their positions from impacted pools immediately. Jeff Bennett, a software engineer at Balancer Labs, said in a post,
“We believe funds in the mitigated pools (labeled ‘mitigated’) are safe, but nevertheless strongly recommend timely migration to safe pools or withdrawal. Pools that could not be mitigated are labeled ‘at risk.’ If you are [a liquidity provider] in any of these pools, please exit immediately.”
Users have heeded the warnings from the protocol following the discovery of the vulnerability. As a result of users withdrawing liquidity, the protocol’s total value locked dropped by nearly $100 million amidst the rush of withdrawals. Balancer has also stated that it would be conducting a thorough post-mortem of the vulnerability and would publish details about it and how it was addressed soon.
This is not the first time Balancer has asked users to pull liquidity from its pools. In January, the protocol had advised liquidity providers to pull liquidity citing “ongoing issues.
Balancer’s Native Token Registers Significant Drop
The unfolding situation unsurprisingly had an immediate impact on the market. As a result of the discovery of the vulnerability, Balancer’s native BAL token registered a drop of over 4%. However, the value has recovered with the protocol moving swiftly to mitigate the vulnerability and communicate with users. Currently, the token is trading at around $3.51, according to data from CoinMarketCap.
Meanwhile, Spencer Hughes, a Blockworks Research Analyst, observed that the discovery of the Balancer vulnerability demonstrated the fact that smart contract audits cannot guarantee complete safety. However, he added that these audits never claimed to be a hundred percent foolproof.
“With ~$830M TVL, a Balancer exploit would have left one of the most prominent DEXs for dead. Emergency SubDAOs are definitely very important for all DeFi protocols, and it is great that they were able to act before anything malicious could occur.”
The Curve Hack
While Balancer has moved fast to mitigate any potential damage, the DeFi space has been reeling from a spate of exploits. Recently, an exploit in the Curve Finance platform put over $100 million in crypto at risk, significantly amplifying concerns around the decentralized finance (DeFi) ecosystem. At the heart of the exploit was a re-entrancy bug that was found in Vyper, a programming language critical to Curve’s system.
The vulnerability allowed hackers to drain several stablecoin pools on Curve, leading to a significant disruption of the price and liquidity of several DeFi services. Other major exploits in the DeFi space include the Ronin exploit, which saw the Ronin Network lose a staggering $622 million. The exploit was a result of a breach in the Ethereum sidechain. BadgerDAO also fell victim to hackers, losing around $80 million to hackers.