balancer just got drained for ~$116M
this wasn't sophisticated. it was a basic access control bug in their vault contract
here’s how it happened, what it reveals - and why it should scare every defi protocol alive:
1/

the exploit hit balancer v2 today across ethereum, arbitrum, polygon, base, optimism, and more
over $116M gone. 6,590 WETH. 6,851 osETH. 4,260 wstETH
all pulled from the core vault at 0xBA1...BF2C8
2/

the bug was in "manageUserBalance" - a function that's supposed to validate who can move funds
instead, it confused msg.sender with a user-supplied op.sender field
attackers used WITHDRAW_INTERNAL operations to drain tokens they never deposited
3/
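to make the bug class concrete, here is an added, hypothetical internal-balance ledger (not balancer's vault code; the op struct, WITHDRAW_INTERNAL kind and approveRelayer name are assumptions modelled on what the thread describes). the vulnerable entry point debits whatever account the caller names in op.sender; the hardened one only lets you act for msg.sender or for an account that explicitly approved you as a relayer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical, simplified internal-balance vault written for this thread.
/// NOT Balancer's Vault: struct fields, op kinds and function names are assumed.
contract InternalBalanceVault {
    enum OpKind { DEPOSIT_INTERNAL, WITHDRAW_INTERNAL }

    struct UserBalanceOp {
        OpKind kind;
        address asset;
        uint256 amount;
        address sender;            // account whose internal balance is debited/credited
        address payable recipient; // where withdrawn tokens are sent
    }

    // user => asset => internal balance held inside the vault
    mapping(address => mapping(address => uint256)) public internalBalance;
    // user => relayer => approved? (delegation the user sets for themself)
    mapping(address => mapping(address => bool)) public relayerApproved;

    event Withdraw(address indexed from, address indexed to, address asset, uint256 amount);

    function approveRelayer(address relayer, bool approved) external {
        relayerApproved[msg.sender][relayer] = approved;
    }

    /// VULNERABLE pattern: op.sender comes straight from calldata and is never
    /// compared with msg.sender, so the caller chooses whose balance is debited.
    function manageUserBalanceVulnerable(UserBalanceOp[] calldata ops) external {
        for (uint256 i = 0; i < ops.length; i++) {
            _execute(ops[i]);
        }
    }

    /// HARDENED pattern: the caller may only act as itself, or as an account
    /// that explicitly approved the caller as a relayer. The check runs per op,
    /// because a batch may name several different senders.
    function manageUserBalance(UserBalanceOp[] calldata ops) external {
        for (uint256 i = 0; i < ops.length; i++) {
            address sender = ops[i].sender;
            require(
                sender == msg.sender || relayerApproved[sender][msg.sender],
                "sender not authorized"
            );
            _execute(ops[i]);
        }
    }

    function _execute(UserBalanceOp calldata op) internal {
        if (op.kind == OpKind.WITHDRAW_INTERNAL) {
            uint256 bal = internalBalance[op.sender][op.asset];
            require(bal >= op.amount, "insufficient internal balance");
            internalBalance[op.sender][op.asset] = bal - op.amount;
            // real vault: IERC20(op.asset).safeTransfer(op.recipient, op.amount)
            emit Withdraw(op.sender, op.recipient, op.asset, op.amount);
        } else {
            // real vault: IERC20(op.asset).safeTransferFrom(msg.sender, address(this), op.amount)
            internalBalance[op.sender][op.asset] += op.amount;
        }
    }
}
```

the review question for any batched "act on behalf of X" function is the same: where is X bound to msg.sender (or to an approval X granted), and does that binding run on every element of the batch, not just the first.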

what makes this worse?
balancer V2 uses a single vault for everything. every pool, every chain.
hit the vault, hit them all.
many forks are at risk as well.
4/

this is balancer's third major hack in five years
2021, 2023, and now 2025: $116M+ and counting
5/
let's zoom out.
balancer isn't some experiment. $750M TVL. audited.
live for years. and yet: a basic access control flaw sat in prod, audits missed it, no proper sender validation, funds mixed in one central vault.
6/
this is balancer's third major hack in five years
2021: millions lost
2023: $238K after being warned
2025: $116M+
this isn't just a Balancer problem. it's a defi illusion problem
"audited" =/= safe. "battle-tested" =/= secure
7/
takeaway:
basic access control bugs are still destroying blue-chip protocols
if you're building: review every permission check twice.
if you're a user: "audited" means someone looked once, not that it's bulletproof
this wasn't advanced. we're just careless
8/
defi can do better. but first, we need to admit: the basics still matter more than the hype.
i’ll post more as the onchain trail evolves
9/
there are a few reports that the attacker didn't just exploit permissions. they manipulated BPT pricing through precision loss in the StableSwap math.
- drain one token to a rounding edge
- exploit rounding errors to deflate BPT price
- buy back BPT cheap, profit
10/
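on the precision-loss angle: the defender's rule is that every rounding step lands in the pool's favour, and that rule is easy to fuzz. below is an added, hypothetical proportional join/exit library (not balancer's StableSwap code; it has no amplification math, only the share accounting where rounding bias shows up) plus a pure check that a deposit followed by a full withdrawal of the minted BPT can never return more than was deposited.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical proportional pool-share math written for this thread.
/// NOT Balancer's code: function names and the simplified model are assumed.
library PoolRounding {
    function mulDivDown(uint256 a, uint256 b, uint256 d) internal pure returns (uint256) {
        return (a * b) / d;
    }

    function mulDivUp(uint256 a, uint256 b, uint256 d) internal pure returns (uint256) {
        uint256 q = (a * b) / d;
        return (a * b) % d == 0 ? q : q + 1;
    }

    // BPT minted for a deposit: round DOWN, the pool keeps the dust.
    function bptOut(uint256 amountIn, uint256 totalSupply, uint256 balance)
        internal pure returns (uint256)
    {
        return mulDivDown(amountIn, totalSupply, balance);
    }

    // Tokens returned when burning BPT: round DOWN, again in the pool's favour.
    function tokenOut(uint256 bptIn, uint256 totalSupply, uint256 balance)
        internal pure returns (uint256)
    {
        return mulDivDown(bptIn, balance, totalSupply);
    }

    // BPT burned for an exact token withdrawal: round UP, the user pays the dust.
    function bptInForExactOut(uint256 amountOut, uint256 totalSupply, uint256 balance)
        internal pure returns (uint256)
    {
        return mulDivUp(amountOut, totalSupply, balance);
    }
}

/// Invariant target: suitable as a fuzz test body (e.g. a Foundry test that
/// calls it with random amountIn / totalSupply / balance and asserts true).
contract RoundingCheck {
    function depositWithdrawNeverProfits(
        uint256 amountIn,
        uint256 totalSupply,
        uint256 balance
    ) external pure returns (bool) {
        require(totalSupply > 0 && balance > 0, "empty pool");
        uint256 minted = PoolRounding.bptOut(amountIn, totalSupply, balance);
        // After the deposit the pool holds balance + amountIn and supply + minted.
        uint256 returned = PoolRounding.tokenOut(
            minted, totalSupply + minted, balance + amountIn
        );
        // With floor on both legs this holds for every input; flip either leg
        // to mulDivUp and a fuzzer finds amounts where the user comes out ahead.
        return returned <= amountIn;
    }
}
```

the useful habit is to write the rounding direction into the function name or comment of every division in pool math, then fuzz the round-trip: if any input path lets a user end a join/exit cycle with more than they started with, the pool is leaking value one wei at a time.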
more details on how the price manipulation was done here [1]
still waiting for balancer's official response. will keep updating the thread as things unfold.
[1]

