Four top blockchain security firms conducted 11 separate audits of Balancer’s smart contracts since 2021 — yet a sophisticated attacker still managed to drain over $100 million in staked Ether from the protocol. The incident has reignited concerns about the reliability of DeFi audits and the limits of code verification in decentralized systems.

Balancer Faces Backlash After Major Exploit
Many crypto traders and DeFi enthusiasts are questioning how a platform as heavily audited as Balancer could fall victim to such a large-scale exploit. In an update on X (formerly Twitter), the team confirmed that the attack was isolated to Balancer V2 Composable Stable Pools, assuring users that V3 and other pools were unaffected.
“Balancer has undergone extensive auditing by top firms and maintained long-standing bug bounty programs,” the team wrote. However, this assurance has done little to calm a community frustrated by yet another security breach despite multiple audits and preventive measures.
Multiple Audits, But Millions Lost
According to records available on GitHub, Balancer’s smart contracts were audited by OpenZeppelin, Trail of Bits, Certora, and ABDK Consulting, with a total of 11 different audit reports since 2021. The most recent assessment — conducted by Trail of Bits in September 2022 — focused on Balancer’s stable pool contracts.
Despite this, a hacker successfully exploited vulnerabilities allowing them to withdraw more than $116 million in staked Ether, including StakeWise Staked ETH (OSETH), Wrapped Ether (WETH), and Lido wstETH (wstETH). Analysts say the exploit may have stemmed from a faulty access control that let the attacker issue unauthorized withdrawal commands.
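The article reports only that analysts suspect "a faulty access control" behind the unauthorized withdrawals, and that the root cause is still being established. To make that failure class concrete, the following is an added, hypothetical illustration written for this page; it is not Balancer's code, and it does not describe the actual Balancer V2 exploit. The contract names, the `withdrawFor` function and the operator mapping are all assumptions chosen for the example. It shows a withdrawal path with no caller check next to a hardened version that requires explicit authorization, applies effects before the external call, and emits an event that a monitoring system can watch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified vault used only to illustrate the failure class
// ("faulty access control on withdrawals"). It is NOT Balancer's code and
// does not describe the actual exploit.

contract VulnerableVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Defect: no authorization check at all. Any caller can move any
    // depositor's balance to an address of the caller's choosing.
    function withdrawFor(address from, address payable to, uint256 amount) external {
        require(balances[from] >= amount, "insufficient balance");
        balances[from] -= amount;
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

contract HardenedVault {
    mapping(address => uint256) public balances;
    // owner => operator => allowed (operator approval is explicit and revocable)
    mapping(address => mapping(address => bool)) public operators;

    event Withdrawal(address indexed from, address indexed to, uint256 amount, address indexed caller);
    event OperatorSet(address indexed owner, address indexed operator, bool allowed);

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Only the account owner can grant or revoke an operator for their funds.
    function setOperator(address operator, bool allowed) external {
        operators[msg.sender][operator] = allowed;
        emit OperatorSet(msg.sender, operator, allowed);
    }

    // Mitigation: the caller must be the account owner or an operator that
    // owner explicitly approved. State is updated before the external call
    // (checks-effects-interactions), and the Withdrawal event gives
    // off-chain monitoring a hook to flag unexpected caller/from pairs.
    function withdrawFor(address from, address payable to, uint256 amount) external {
        require(msg.sender == from || operators[from][msg.sender], "not authorized");
        require(balances[from] >= amount, "insufficient balance");
        balances[from] -= amount;
        emit Withdrawal(from, to, amount, msg.sender);
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The point of the side-by-side is that the vulnerable and hardened functions have the same signature and the same balance arithmetic; the only difference an audit must catch is a single missing `require` on who is allowed to act for `from`. A review that checks the arithmetic but not the caller authorization would pass both.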
Experts Question the Value of Audits
The exploit has sparked heated debate across the DeFi space about the effectiveness of smart contract audits. Developer relations lead Suhail Kakar commented, “Balancer went through 10+ audits — the vault was audited three separate times by different firms and still got hacked for $110M. This space needs to accept that ‘audited by X’ means almost nothing. Code is hard; DeFi is harder.”
The remark reflects a growing sentiment that traditional audit models may not scale with DeFi’s complexity, where composability between smart contracts often introduces unpredictable risks even when individual components are verified.
Balancer Offers a 20% White Hat Bounty
In a message sent directly to the attacker via on-chain transaction, Balancer’s team proposed a white hat bounty worth up to 20% of the stolen funds if they were returned within 48 hours. The message warned that if the hacker failed to cooperate, the project would work with blockchain forensics specialists and law enforcement agencies to recover the assets.
At the time of writing, Balancer had not confirmed whether the attacker responded to the offer or returned any funds. The team continues to collaborate with external experts to trace the stolen Ether and identify the root cause of the exploit.
DeFi Security Under the Microscope
The Balancer incident adds to a growing list of DeFi exploits that have shaken user confidence in the sector. Despite an expanding industry of audit firms, on-chain security tools, and bug bounty platforms, the frequency of large-scale protocol hacks has not slowed.
Analysts suggest that DeFi projects may need to adopt real-time threat detection systems, continuous audits, and multi-layer verification frameworks to prevent future breaches. As one security researcher noted, “Audits are not guarantees — they’re snapshots. Code evolves faster than checklists.”