Balancer Issues Final Warning to Hacker After $100M+ Exploit

King A

November 10, 2025

Key Takeaways

  • The Balancer DAO issued an on-chain message to the hacker responsible for the $100 million+ exploit, giving a deadline to return the funds for an unspecified bounty.

  • The attack targeted the V2 Composable Stable Pools and was later identified as exploiting a sophisticated combination of BatchSwaps and a rounding error in the upscale function.

  • If the funds are not returned, Balancer confirmed it will use all available “technical, onchain, and legal measures” to pursue the recovery.

Balancer’s On-Chain Bounty Offer

The decentralized finance (DeFi) protocol Balancer has made a final, public appeal to the wallet holder responsible for the major exploit that drained over $100 million in assets, primarily staked Ether tokens such as OSETH, WETH, and wstETH. The Balancer Decentralized Autonomous Organization (DAO) sent an on-chain notice directly to the attacker’s wallet, establishing a clear ultimatum. The hacker was given a deadline, until the following Saturday, to return the stolen funds in exchange for an unspecified bounty.

The message represents a critical step in Balancer’s recovery efforts, balancing a financial incentive for return with a serious legal threat. While the on-chain message did not detail the amount, the Balancer team had initially indicated they were prepared to offer a white hat bounty of up to 20% of the stolen funds, which would amount to over $20 million.

[Image: Balancer’s team statement]

This significant offer is designed to minimize the total loss and avoid a protracted legal battle, though at the time of publication, there was no indication that the offer had been accepted.

Technical Post-Mortem: The Role of BatchSwaps and Rounding Errors

The exploit, which Balancer first reported on Monday, has put a spotlight on the inherent risks within complex DeFi smart contracts, particularly given the platform had undergone multiple security audits. A detailed post-mortem report shed light on the sophisticated mechanism of the theft. Hackers successfully exploited a subtle vulnerability in the platform’s V2 Composable Stable Pools.

The exploit leveraged a combination of the BatchSwaps function and a rounding error in the upscale function that affects EXACT_OUT swaps. Specifically, the attackers executed a sequence of meticulously crafted batch swap operations. These operations compounded tiny precision losses in the pool invariant calculation, caused by Solidity’s integer division, when token balances were pushed to critical rounding boundaries.

By systematically suppressing the calculated price of Balancer Pool Tokens (BPT) through the accumulation of these errors, the hacker was able to extract millions via repeated arbitrage cycles. This technical sophistication allowed the attacker to bypass the system’s defenses despite extensive security reviews.
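To show why the rounding direction of the upscale step matters for an EXACT_OUT swap, and how sub-wei losses from integer division add up across many swaps, here is an added toy model (example code, not Balancer's own; the constant-product pool, the rates and the swap sizes are all constructed):

```python
from fractions import Fraction

ONE = 10**18  # fixed-point one, as in Solidity 18-decimal math

def mul_down(a, b): return a * b // ONE        # truncating, like Solidity `/`
def mul_up(a, b):   return -(-(a * b) // ONE)  # ceiling (non-negative inputs)
def div_down(a, b): return a * ONE // b
def div_up(a, b):   return -(-(a * ONE) // b)

def exact_out_swap(bal_in, bal_out, rate_in, rate_out, out_raw, pool_favored):
    """Raw amount_in charged for taking out_raw of the out-token (constant product).

    Balances are raw token units; 18-decimal rates upscale them to a common
    domain, like a rate-provider token. pool_favored=True rounds every step
    so amount_in can only be too high; False truncates everywhere (naive).
    """
    if pool_favored:
        x = mul_up(bal_in, rate_in)        # larger numerator  -> larger amount_in
        y = mul_down(bal_out, rate_out)    # smaller denominator -> larger amount_in
        out_s = mul_up(out_raw, rate_out)  # charge for at least what leaves
        in_s = -(-(x * out_s) // (y - out_s))   # ceil(x * out / (y - out))
        return div_up(in_s, rate_in)       # downscale rounding up
    x, y = mul_down(bal_in, rate_in), mul_down(bal_out, rate_out)
    out_s = mul_down(out_raw, rate_out)    # may undercount what leaves
    in_s = (x * out_s) // (y - out_s)      # and undercharge again here
    return div_down(in_s, rate_in)         # and once more on the way out

def invariant_drift(n_swaps, pool_favored):
    """Exact change of the true invariant after n alternating EXACT_OUT swaps."""
    rates = [1_050_000_000_000_000_003, 1_234_567_890_123_456_789]  # constructed
    bal = [1_000 * ONE, 1_000 * ONE]                                # constructed
    true_k = lambda: Fraction(bal[0] * rates[0], ONE) * Fraction(bal[1] * rates[1], ONE)
    k0 = true_k()
    for i in range(n_swaps):
        take, give = i % 2, 1 - i % 2        # trader takes `take`, pays `give`
        out_raw = 10**15 + i                 # ~0.001 token, varied per swap
        amt_in = exact_out_swap(bal[give], bal[take], rates[give], rates[take],
                                out_raw, pool_favored)
        bal[give] += amt_in
        bal[take] -= out_raw
    return true_k() - k0   # < 0 means value leaked to traders

if __name__ == "__main__":
    print("pool-favored drift:", invariant_drift(200, True))
    print("naive drift:       ", invariant_drift(200, False))
```

The naive variant loses at most a couple of wei per swap, which is why a single swap looks harmless and only a long batch of them makes the invariant visibly drift.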

Consequences of Non-Cooperation

Should the hacker fail to meet the deadline, Balancer has made it clear they will escalate the pursuit. The DAO stated it is prepared to use all “technical, on-chain, and legal measures” to recover the assets. This includes cooperating with blockchain forensics specialists and engaging law enforcement agencies. The incident has further underscored the industry’s need for constant vigilance and improvement in coding standards to prevent such high-value exploits.

Final Thoughts

Balancer’s on-chain ultimatum, return the funds for a bounty or face legal pursuit, is a standard but critical move in the aftermath of a major DeFi exploit. The technical nature of the attack, which leveraged compounding rounding errors within complex functions like BatchSwaps, serves as a severe warning about the need for hyper-vigilance, even in heavily audited smart contracts.

Frequently Asked Questions

Which pools were targeted in the Balancer exploit?
The exploit was isolated to Balancer’s V2 Composable Stable Pools.

What was the technical cause of the exploit?
The exploit leveraged a combination of the BatchSwaps function and a rounding error within the upscale function on EXACT_OUT swaps.

What action will Balancer take if the hacker does not comply?
Balancer will employ all available technical, onchain, and legal measures, including cooperation with law enforcement and forensics specialists.