Balancer audits under scrutiny after $100M+ exploit

Many cryptocurrency traders are seeking answers after a successful exploit at the decentralized exchange and automated market maker Balancer resulted in more than $100 million in digital assets being stolen.

In a Monday X post updating users on the exploit, Balancer said the incident was “isolated to V2 Composable Stable Pools and does not impact Balancer V3 or other Balancer pools.”

The platform added that it had “undergone extensive auditing by top firms, and had bug bounties running for a long time to incentivize independent auditors,” calling into question how the exploit was accomplished.

Source: Balancer

“Balancer went through 10+ audits,” said Suhail Kakar, a developer relations lead at the TAC blockchain on X. “The vault was audited [three] separate times by different firms still got hacked for $110M. This space needs to accept that ‘audited by X’ means almost nothing. Code is hard, DeFi is harder.”

According to a list of Balancer V2 audits available on GitHub, four different security companies — OpenZeppelin, Trail of Bits, Certora, and ABDK — conducted 11 audits of the platform’s smart contracts, with the most recent on its stable pool by Trail of Bits in September 2022.

Cointelegraph reached out to OpenZeppelin for comment, but had not received a response at the time of publication. A Trail of Bits spokesperson declined to comment on the exploit “until the root cause is identified and all Balancer forks are safe.”

Related: ‘Attack on Bitcoin’ — Bitcoiners slam ‘legal threats’ in soft fork proposal

The exploit, reported early on Monday, resulted in more than $116 million worth of staked Ether (ETH) — including StakeWise Staked ETH (OSETH), Wrapped Ether (WETH) and Lido wstETH (wSTETH) — being moved to a newly created wallet. A Nansen research analyst told Cointelegraph that the Balancer incident could have stemmed from smart contract issues that had a “faulty access check allowing the attacker to send a command to withdraw funds.”

Project offers a 20% white hat bounty for returning funds

In a blockchain transaction note addressing the attackers on Monday, Balancer’s team offered a white hat bounty of up to 20% of the stolen funds if the full amount was returned within 48 hours of the notice.

“[I]f you choose not to cooperate, we have engaged independent blockchain forensics specialists and are actively cooperating with multiple law-enforcement agencies and regulatory partners,” said Balancer.

At the time of publication, the project had not announced any additional updates on the bounty or details of the exploit.

Magazine: Solana vs Ethereum ETFs, Facebook’s influence on Bitwise: Hunter Horsley