Berachain’s emergency hard fork traps the hacker and freezes funds stolen from the Balancer V2 exploit

Berachain Executes Emergency Hard Fork After $128M Balancer Exploit

Berachain initiated an emergency hard fork to seize a hacker’s funds after a major security breach in the Balancer DeFi protocol, where more than $128 million was stolen from its Composable Stable Pools V2.

This extraordinary action aimed to contain the aftermath of the recent Balancer V2 exploit by freezing funds linked to the attacker and coordinating asset recovery through an operator identified as a white hat—or ethical hacker.

A hard fork is a radical blockchain network upgrade that changes protocol rules in a way that is incompatible with previous versions. In this instance, Berachain leveraged a hard fork to directly intervene and prevent the attacker from moving the stolen funds.

In an official statement on X (formerly Twitter), the Bera Foundation confirmed distribution of the hard fork binary, with numerous validators already completing the update. Chain activity remains paused as the core team collaborates with infrastructure partners to ensure system stability.

The Berachain team stated, “Before resuming operations and producing blocks, we want to ensure that essential infrastructure partners—such as settlement oracles—have updated their RPCs.”

The foundation also noted that cross-chain bridges, centralized exchanges, and custodians will reconnect once the chain resumes normal activity. This coordination is critical to prevent inconsistencies in the network state and ensure all ecosystem participants operate on the correct blockchain version.

The emergency measure followed a severe security incident in the Balancer protocol. The exploit specifically targeted Balancer’s Composable Stable Pools V2, draining over $128 million across multiple blockchains. Security firm PeckShield was among the first to report the event, describing it as one of the year’s largest DeFi exploits.

The attack unfolded over several hours, with the hacker manipulating Balancer’s smart contracts via a vulnerability in its authorization logic. Analysts at Defimon Alerts and Decurity later pinpointed the issue to the manageUserBalance function, which failed to properly verify user permissions.

By exploiting this flaw, the attacker impersonated users and withdrew internal balances without authorization. This sophisticated attack highlights how vulnerabilities can persist even in extensively audited protocols.

On-chain data from analytics firm Nansen revealed suspicious transfers of wrapped Ether, osETH, and wstETH to a new wallet, followed by large-scale conversions to Ethereum. Cyvers Alerts reported the attacker began laundering funds through Tornado Cash—a well-known crypto mixer—shortly afterward to obscure transaction trails.

While the breach was still under investigation, on-chain analyst EmberCN reported that liquid staking protocol StakeWise successfully recovered 5,041 osETH (worth about $19.3 million) via a contract call. This reduced total stolen assets to roughly $98 million, more than half of which had already been converted to ETH at that point.

Berachain’s rapid response sought to prevent further losses after becoming one of the exploit’s affected ecosystems. Implementing a hard fork demonstrates the network’s commitment to user security, though it also raises questions about blockchain decentralization and immutability.

Balancer Breach Tests DeFi Security as Berachain Plans Asset Recovery

The Berachain Foundation reported that an MEV (Maximal Extractable Value) bot operator—active on the chain for several months—currently holds the compromised funds and has agreed to return them. MEV bots are automated programs that pursue arbitrage and other value extraction strategies on blockchains.

According to Berachain’s official statement, “He has indicated he is a white hat and is willing to pre-sign a set of transactions to return the funds once the chain is operational.”

A white hat is a cybersecurity industry term for ethical hackers who identify vulnerabilities to improve security, not for malicious exploitation. In this case, the MEV bot operator intercepted the stolen funds before they could leave Berachain’s reach.

The team confirmed the funds will be restored to the Berachain deployer address at 0xD276D… and has sent on-chain messages to verify the return process. This level of transparency is essential for maintaining community trust during crises.

The Balancer exploit has also heightened scrutiny of DeFi security. Despite more than ten audits from leading firms—including OpenZeppelin, Trail of Bits, and Certora—Balancer V2 contracts were compromised. This underscores that even heavily audited protocols may harbor undiscovered vulnerabilities.

Developer Suhail Kakar commented that repeated audits are no longer a security guarantee, noting, “Code is hard; DeFi is even harder.” This highlights the challenges of developing decentralized financial protocols, where complex code and interactions among multiple smart contracts can introduce unforeseen attack vectors.

The incident adds to Balancer’s troubled security history. Since launching in 2020, the protocol has suffered multiple attacks. In 2020, it lost $520,000 due to a vulnerability involving deflationary tokens. In 2023, a rounding error exploit resulted in a $2.1 million loss, and the protocol later suffered a DNS hijack that same year.

These recurring incidents raise serious concerns about the protocol’s security practices and audit effectiveness. The DeFi community has expressed concern over the frequency of Balancer compromises, which could impact long-term user trust.

Balancer’s total value locked (TVL) plunged from $442 million to approximately $213 million in a very short period, according to DeFiLlama. This dramatic drop reflects lost investor confidence and the market’s swift response to security exploit news.

The scale of this TVL decline illustrates the profound impact security incidents can have on DeFi protocols. When users lose confidence in platform security, they tend to withdraw funds rapidly, creating a domino effect on liquidity and functionality.

This case also demonstrates the necessity of rapid response mechanisms and collaboration across blockchain projects. Berachain’s ability to execute an emergency hard fork and coordinate with the MEV bot operator to recover funds underscores the value of cooperation in the crypto industry.

The DeFi industry is at a critical juncture, needing to balance innovation and decentralization with robust security measures. Protocols should adopt not only multiple audits, but also bug bounty programs, ongoing penetration testing, and simpler, more auditable smart contract architectures.

As DeFi continues to evolve, incidents like the Balancer exploit reinforce the need for security as a constant priority—no protocol can consider itself fully immune to vulnerabilities.

FAQ

What is Berachain? What are its key features and main uses?

Berachain is a Layer 1 blockchain built on the Cosmos SDK that employs the Proof of Liquidity (PoL) consensus mechanism. Its core objective is to solve liquidity challenges in decentralized finance (DeFi) and enhance overall DeFi ecosystem efficiency.

What is Balancer V2? What role does it play in DeFi?

Balancer V2 is an advanced DeFi protocol that allows for the creation and management of flexible, composable liquidity pools. It delivers dynamic, customizable liquidity strategies that optimize performance and minimize slippage in decentralized transactions.

What is Berachain’s emergency hard fork, and why is it necessary?

Berachain’s emergency hard fork is a critical upgrade to address the Balancer V2 vulnerability. It isolates compromised contracts, enables asset recovery, and restores network security.

How did the hacker exploit the Balancer V2 vulnerability in this incident?

The hacker manipulated pool balances down to microscopic levels (8–9 wei), triggering precision loss in Solidity’s integer division. Through repeated atomic transactions, they executed operations that resulted in significant financial losses.

How does the hard fork freeze the hacker’s funds? Does this process impact other users?

The hard fork updates the protocol to freeze the hacker’s addresses, blocking their funds without affecting legitimate user operations. This targeted mechanism only impacts compromised accounts, preserving the rest of the network’s integrity.

What is the long-term impact of this security incident on Berachain and Balancer?

This incident will lead to strengthened audits and security, boost trust through asset recovery, and reinforce protection protocols in both ecosystems to guard against future exploits.

How can I protect my funds on Berachain as a user?

Use strong, unique passwords, enable two-factor authentication, and store your private keys securely offline for maximum protection.