- Balancer discovers a critical vulnerability in its high-interest-paying boosted pools, putting tens of millions of dollars at risk.
- The protocol’s TVL dropped nearly $100 million amid a rush of user withdrawals.
- The community awaits a comprehensive post-mortem report from Balancer.
Balancer, one of Ethereum’s leading decentralized crypto trading projects, recently discovered a critical vulnerability in some of its high-interest-paying boosted pools, putting tens of millions of dollars in crypto at risk. The discovery sent shockwaves through the decentralized finance (DeFi) community and prompted urgent action from both the Balancer team and its users.
Balancer took to Twitter to make an official statement regarding the discovery of the vulnerability:
> Balancer has received a critical vulnerability report affecting a number of V2 Pools.
> Emergency mitigation procedures have been executed to secure a majority of TVL, but some funds remain at risk.
> Users are advised to withdraw affected LPs immediately. https://t.co/PDzX32gqeS
> — Balancer (@Balancer) August 22, 2023
Upon learning of the bug on Tuesday, Balancer’s crisis response group was activated, and the protocol went into lockdown. Many pools were paused to prevent draining, but some could not be paused and were deemed at high risk. These pools had to be secured through user withdrawals, leading to a significant drop in the protocol’s total value locked (TVL). Nearly $100 million was withdrawn in a rush, and Balancer’s latest estimate indicated that roughly $10 million remained at risk.
The situation had an immediate market impact. Investors in BAL, Balancer’s native token, were spooked, and the token’s trading price dipped from $3.55 to $3.44 immediately following the disclosure. The price has since recovered, trading at $3.47 at the time of writing.
The Balancer team acted swiftly to mitigate the issue, securing at least 80% of assets through emergency actions. Around 80% of the impacted pools were mitigated, but the remaining 20%, representing roughly 4% of Balancer’s TVL, were labeled “at risk.” Jeff Bennett, a software engineer at Balancer Labs, urged all liquidity providers to exit their positions in affected pools immediately.
Xeonus, a pseudonymous contributor for Balancer, told a media publisher that “people are withdrawing fast,” emphasizing the urgency of the situation. Xeonus said that all related parties had been informed and that no funds had been stolen so far, adding, “We are fine so far.”
The incident underscores the inherent risks in the DeFi space and emphasizes the importance of robust security measures and swift response mechanisms. The Balancer team’s ability to act quickly and mitigate the majority of the risk likely prevented a more severe outcome.
The bug itself has not been made public, and the community is now awaiting a comprehensive post-mortem report from Balancer. This report is expected to provide transparency on how the issue was addressed and the root cause of the vulnerability.