Berachain Executes Hard Fork, Recovers $12.8M Balancer Hack

• Berachain recovered $12.8M after executing an emergency hard fork post-Balancer breach.
• The white-hat MEV bot operator returned the stolen funds following the chain restart.
• Over 1,000 users affected by the BEX exploit will be reimbursed through redistribution.

Berachain has completed an emergency hard fork and recovered $12.8 million in stolen assets following the November 3 Balancer V2 exploit. The breach affected decentralized finance (DeFi) pools across several networks, including Ethereum, Arbitrum, Base, and Berachain itself. The swift response from the Berachain Foundation included stopping its network and coordinating with validators and a white-hat operator to secure funds.

Emergency Fork Contained the Exploit

According to the Berachain Foundation, validators paused the network immediately after the exploit was detected to prevent further losses. The attack, traced to a vulnerability in Balancer V2’s authorization logic, had drained approximately $128 million across multiple chains. 

Blockchain analytics firm Nansen attributed the breach to a faulty access-control mechanism that allowed the attacker to fabricate fees and withdraw real assets through two Ethereum transactions. Berachain, which runs a forked version of Balancer known as BEX, was among the affected networks. 

Around $12 million was drained from its Ethena/Honey tripool. In response, the team developed a new binary that froze the compromised addresses and stopped further fund movements. This hard fork binary, circulated to validators, became the foundation for the network’s restoration.

The foundation confirmed that most validators completed upgrades within hours. “Prior to going live and producing blocks again, we need all infrastructure partners to update their RPCs,” the team wrote in a statement on X. This coordination ensured that liquidations, oracles, and other core operations could resume safely once the network restarted.

White-Hat Returns Funds After Negotiations

The foundation revealed that a Maximal Extractable Value (MEV) bot operator had custody of the stolen funds. The operator, active on Berachain for several months, identified himself as a white-hat and agreed to cooperate in returning the assets.

The team confirmed it had received pre-signed transactions from the operator to send the funds back once the network resumed block production. These assets were returned to the Berachain deployer wallet at address 0xD276D…32A2 after the network went live on November 4. On-chain data verified the transfers, completing a rare full recovery in a major DeFi exploit.

Following the recovery, the foundation thanked the white-hat participant and said his wallet would be cleared of malicious labels. The team added that a bounty might be offered as a gesture of appreciation for his cooperation.

The recovery coincided with Berachain restoring several network functions, including HONEY minting and redemption. However, it maintained restrictions on BEX activities such as swaps, deposits, and withdrawals until Balancer completes its investigation into the exploit’s root cause.

Related: BlockDAG Listing Rumors Arise as Fraud Allegations Surface

Network Restoration and User Fund Distribution

With the chain live again, Berachain’s focus has shifted to redistributing funds to affected users. The foundation said more than 1,000 depositors were impacted by the BEX pool exploit. Developers are now working on a system to trace deposits and attribute recovered funds to original wallet addresses for accurate reimbursement.

While assets from the exploited pools are being processed for return, users holding non-compromised deposits still cannot withdraw funds. The foundation described this as a temporary precaution while verifying that the Balancer vulnerability no longer poses a risk.

Infrastructure restoration is also underway. The team is working with different partners like bridges, custodians, centralized exchanges, and oracle providers to make sure everything is running smoothly and in sync. One oracle provider was still pending as the restart neared completion, but most partners are now fully back online.

Several well-known figures in the crypto space, including Berachain co-founder Smokey The Bera and on-chain analyst ZachXBT, openly backed the decision to temporarily pause the network. Both described the action as necessary to protect user assets during the exploit’s containment phase.

The Balancer exploit, which occurred despite multiple audits from firms like OpenZeppelin and Trail of Bits, has led to discussions on DeFi security. Berachain’s complete fund recovery, achieved through coordinated technical and community efforts, is a rare success in a year marked by persistent cross-chain vulnerabilities.

The successful return of funds and network restart show Berachain’s fast response and coordination under pressure. The foundation’s continued collaboration with partners and users aims to restore full functionality and maintain system integrity across its ecosystem.