Key Takeaways:
- Balancer has released a preliminary post-mortem report on the $116 million exploit that occurred on its platform earlier this week. The team attributed the hack to a price rounding flaw in its swap logic, which the attacker used to manipulate pool balances and drain funds.
- The exploit has also affected Balancer's ecosystem partners and forks, including Berachain, Gnosis, StakeWise, Monerium, and Sonic, which have since taken emergency measures to protect funds.
- Roughly $23.05 million of the stolen assets have been recovered or frozen on-chain. Balancer has paused all activity on its v2 Stable Pools and v5 Composable Stable Pools until the bug is fixed.
Decentralized finance (DeFi) protocol Balancer has released a preliminary report detailing the cause of the exploit on its multi-chain token pools that resulted in hackers siphoning $116 million in liquid staked Ether (ETH) tokens.
The automated market maker (AMM) and liquidity platform suffered a large outflow from its core vault on November 3, which targeted the Balancer v2 Stable Pools and Composable Stable (CSP) v5 Pools across the Ethereum, Base, Avalanche, Arbitrum, Optimism, Gnosis, Polygon, Berachain, and Sonic blockchains.
Initial estimates showed losses of $70 million, which quickly rose to over $128 million within a few hours.
Rounding Error in the BatchSwap Feature of Stable Pools: the Root Cause of the $116 Million Balancer v2 Exploit
In the preliminary report, Balancer attributed the hack to a rounding error in the upscale function for "EXACT_OUT" swaps within the v2 vault's BatchSwap feature, a function that allowed users to combine multiple swap operations into a single transaction to save on gas fees.
The rounding function is intended to round down when token prices are an input, but a bug in the system caused non-integer scaling factors to round down during specific calculations, which created small discrepancies. The hacker exploited the bug in conjunction with the BatchSwap feature, along with flash loans (short-term loans borrowed and repaid within the same transaction), to manipulate balances and drain funds from the Stable Pools.
This resulted in liquidity falling below Balancer's minimum threshold.
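The rounding behaviour described above can be checked with plain integer arithmetic. The following Python sketch is an added illustration, not Balancer's code or code from the report: it assumes 18-decimal fixed-point scaling factors, uses hypothetical helper names and a constructed 1.05 factor with constructed sample amounts, and reports which upscaled values fall below the exact product.

```python
# Added illustration; not Balancer's code. Assumes 18-decimal fixed point.
ONE = 10**18


def mul_down(a: int, b: int) -> int:
    """Fixed-point product, truncated toward zero."""
    return (a * b) // ONE


def mul_up(a: int, b: int) -> int:
    """Fixed-point product, rounded up whenever a remainder exists."""
    return -((-(a * b)) // ONE)


def understated(upscale, amounts, factor):
    """Amounts whose upscaled value is below the exact a * factor / ONE."""
    return [a for a in amounts if upscale(a, factor) * ONE < a * factor]


def batch_discrepancy(amounts, factor):
    """Total units dropped by truncation over a sequence of upscale steps."""
    return sum(mul_up(a, factor) - mul_down(a, factor) for a in amounts)


# Constructed sample data (hypothetical values, not taken from the incident).
INTEGER_FACTOR = 1 * ONE                  # plain 18-decimal token
RATE_FACTOR = 1_050_000_000_000_000_000   # non-integer factor of 1.05
AMOUNTS = [1, 9, 17, 20, 1000, 12345]


def report():
    """Summarise where each rounding mode departs from the exact value."""
    return {
        "integer_factor_down": understated(mul_down, AMOUNTS, INTEGER_FACTOR),
        "rate_factor_down": understated(mul_down, AMOUNTS, RATE_FACTOR),
        "rate_factor_up": understated(mul_up, AMOUNTS, RATE_FACTOR),
        "units_dropped": batch_discrepancy(AMOUNTS, RATE_FACTOR),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

With an integer factor truncation never loses anything; with the non-integer factor every amount that leaves a remainder is understated by one unit, which is the property a rounding-direction test for a swap path should assert on.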
The report stated that in many cases, the stolen funds were first redirected into the Balancer vault's internal balances before being withdrawn in subsequent transactions. The bug primarily affected CSP v5 pools with expired pause windows, while automated emergency controls on v6 transitioned it into recovery mode during the hack.
The team said the attack spanned multiple Balancer-supported blockchains and forks, including BEX on Berachain, Beets on Sonic, and Gnosis-based platforms. However, the partner ecosystems implemented emergency protocols to contain further fallout.
The hackers involved were highly skilled and had been preparing for months before executing their attack. They used a series of 0.1 ETH deposits on the token mixer platform Tornado Cash to fund the attack and avoid detection.
Balancer's Security and Strategic Partners and White Hats Have Recovered $23.05 Million in Stolen Assets
Balancer worked with its cybersecurity partner Hypernative and other crypto protocols, including SEAL 911, BitFinding, and StakeWise, to recover or freeze a portion of the stolen funds. The StakeWise DAO managed to recover 5,041 osETH and 13,495 osGNO tokens, valued at roughly $19 million and up to $2 million, respectively.
Meanwhile, validators on Berachain halted the network on November 4 to perform an emergency hard fork to address BEX's exposure to Balancer v2. Sonic Labs froze addresses linked to the suspect, restricting the movement of funds tied to its Balancer fork. Gnosis temporarily restricted token bridging activity to prevent any cross-chain propagation. Monerium froze 1.3 million EURe tokens in the affected vault.
BitFinding and Base MEV bots managed to recover about $750,000 worth of funds, returning them to the Balancer DAO.
Balancer has paused all affected pools and disabled the creation of new pools on CSP v6 until the security issue is fixed. Additionally, the team has enabled liquidity pool exits from paused pools to allow safe withdrawal of remaining funds. The protocol implemented a Safe Harbor legal framework (BIP-726) last year, which allowed white hat teams to intervene immediately without any legal repercussions. The report noted that this structure "materially improved" its response speed and coordination.
Balancer has offered a 20% white hat bounty to the perpetrator of the attack and ethical hackers for the safe return of the stolen funds, but so far, no one has come forward to claim the reward. The team has stated that a final verified accounting of the recovered and frozen funds will be published once partners complete on-chain reconciliation.