On August 27, 2023, Balancer boosted pools were exploited for approximately $2.1 million — five days after Balancer had publicly disclosed the vulnerability and urged users to withdraw. This was a separate, earlier incident from the much larger Balancer v2 exploit in November 2025.
What happened
On August 22, 2023, Balancer publicly disclosed a critical vulnerability affecting a number of its V2 boosted pools: a rounding error in the rate math of the linear pools that make up those boosted pools, which allowed the BPT rate the pools report to be manipulated. Balancer mitigated more than 95% of the at-risk TVL by pausing every affected pool that could still be paused, and urged LPs in the remaining at-risk pools, which could no longer be paused, to withdraw immediately.
Not all liquidity exited in time. On August 27, an attacker exploited the still-at-risk pools that LPs had not withdrawn from:
- Took flash loans to drive the affected linear pools into the near-empty edge state in which the rounding error in their rate calculation stops being negligible.
- Used that rounding error to push the linear pool's BPT rate off its true value; the composable stable (boosted) pools built on top of it read that rate to price swaps and joins.
- Traded against the mispriced boosted pools in a series of flash-loan transactions and extracted approximately $2.1M across the remaining vulnerable pools.
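The root cause that Halborn's writeup (source [01]) describes is a rounding error in the linear pools' rate math. As an added illustration, not Balancer's code and not a reconstruction of the exploit transactions, the hypothetical `ToyPool` below lets join and exit math round either against the user (down, the pool keeps the dust) or in the user's favour (up), with assets, supply and amounts constructed here. It shows why the direction matters only at the edge: at healthy supply the favourable direction leaks a wei per round trip, but once BPT supply has been driven to a handful of wei the same math returns far more than was deposited and moves the rate that a dependent pool would read.

```python
"""Toy fixed-point pool rate math, added to illustrate how a rounding direction
that favours the caller becomes extractable once BPT supply is tiny.
Hypothetical model: ToyPool, its formulas and every number here are constructed
for illustration and are not Balancer's linear-pool code."""
from typing import Tuple

ONE = 10**18  # 18-decimal fixed point, as Solidity pool math uses


def div_down(a: int, b: int) -> int:
    """Integer division rounding down (a >= 0, b > 0)."""
    return a // b


def div_up(a: int, b: int) -> int:
    """Integer division rounding up (a >= 0, b > 0)."""
    return (a + b - 1) // b


class ToyPool:
    """Hypothetical pool holding `assets` units of value against `supply` BPT.

    safe_rounding=True rounds every amount paid out to the user down (the pool
    keeps the dust); False rounds it up, in the user's favour.
    """

    def __init__(self, assets: int, supply: int, safe_rounding: bool) -> None:
        self.assets = assets
        self.supply = supply
        self.safe = safe_rounding

    def _div(self, a: int, b: int) -> int:
        return div_down(a, b) if self.safe else div_up(a, b)

    def rate(self) -> int:
        """Value per BPT in 18-dec fixed point: the figure a dependent pool reads."""
        return div_down(self.assets * ONE, self.supply)

    def join(self, amount_in: int) -> int:
        """Deposit `amount_in` assets and mint BPT pro rata; return BPT minted."""
        bpt_out = self._div(amount_in * self.supply, self.assets)
        self.assets += amount_in
        self.supply += bpt_out
        return bpt_out

    def exit(self, bpt_in: int) -> int:
        """Burn `bpt_in` BPT and pay out assets pro rata; return assets paid."""
        assets_out = self._div(bpt_in * self.assets, self.supply)
        self.assets -= assets_out
        self.supply -= bpt_in
        return assets_out


def round_trip_profit(assets: int, supply: int, amount: int, safe: bool) -> int:
    """Join with `amount`, immediately exit all BPT minted; return the net gain."""
    pool = ToyPool(assets, supply, safe)
    return pool.exit(pool.join(amount)) - amount


def rate_before_after(assets: int, supply: int, amount: int, safe: bool) -> Tuple[int, int]:
    """Rate a dependent pool would read before and after one join/exit round trip."""
    pool = ToyPool(assets, supply, safe)
    before = pool.rate()
    pool.exit(pool.join(amount))
    return before, pool.rate()


def worst_case_profit(assets: int, supply: int, safe: bool, max_amount: int) -> int:
    """Brute-force the most profitable single round trip over amounts 1..max_amount.

    This is the property to check on any pool's rounding: with the safe
    direction it must never be positive, whatever state the pool is in.
    """
    return max(round_trip_profit(assets, supply, a, safe) for a in range(1, max_amount + 1))


if __name__ == "__main__":
    # Constructed states: a healthy pool, and one whose BPT supply is down to 7 wei.
    for label, assets, supply in (("healthy", 1_000_003, 1_000_000), ("tiny supply", 1_000, 7)):
        for safe in (True, False):
            print(f"{label:12} safe={safe!s:5} worst round-trip profit: "
                  f"{worst_case_profit(assets, supply, safe, 2_000)}")
    before, after = rate_before_after(1_000, 7, 1, False)
    print(f"rate read by a dependent pool moved {(after - before) * 10_000 // before} bps in one round trip")
```

The check a reviewer of rate math wants from this is `worst_case_profit`: over every state the pool can be driven into, a join followed immediately by an exit must never return more than was deposited, and the reported rate must never fall. Real linear-pool math has more moving parts (main and wrapped token balances, a wrapped-token rate, fees and targets), but the property, and the fact that the interesting states are the near-empty ones an attacker can reach with flash loans, are the same.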
Aftermath
- Balancer's proactive disclosure-and-pause had already protected the large majority of funds — the realised loss was a small fraction of the total at-risk TVL.
- LPs who had stayed in the pools that could not be paused absorbed the losses; Balancer confirmed the exploit and again urged withdrawal from any pool still exposed.
- The incident is frequently cited as a case of "disclosure done right, but users didn't act in time."
Why it matters
The August 2023 Balancer incident is an unusual and instructive case because the protocol did almost everything right and still suffered a loss:
- The vulnerability was found and disclosed proactively (not discovered via exploit).
- 95%+ of at-risk TVL was protected by pausing pools and warning users.
- The realised loss was a small fraction of what an undisclosed exploit would have cost.
And yet $2.1M was still lost — because not every LP withdrew from the remaining at-risk pools in time. This illustrates a hard truth about DeFi incident response: even a perfectly-executed disclosure cannot fully protect users who don't act on it. The protocol can pause what it controls, but it cannot force LPs out of pools, and a meaningful fraction of users will not see the warning, will not understand it, or will not act in the window available.
The technical root cause here was not reentrancy but a rounding error in the rate math of the linear pools underlying the boosted pools. It still belongs to the same broad class as dForce (Feb 2023), EraLend (Jul 2023) and Conic Finance (Jul 2023), all in the same year: a pool's reported rate or virtual price that an attacker can push off its true value within a single transaction and that other contracts consume without verification (via read-only reentrancy in those three cases, via rounding at the near-empty edge here). By mid-2023 the lesson that pool-rate reads must be treated as attacker-influenced was well known; the recurrence reflects how much code that consumes such rates had been written and integrated before the lesson was internalised, and how little can be done about a live pool once its pause window has closed. Balancer's relatively good outcome here, versus its catastrophic November 2025 incident, shows that even a security-mature team operating one of DeFi's most-audited protocols remains exposed when the vulnerability surface is large and the dependent integrations are numerous.
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-balancer-hack-august-2023
- [02] coinpaper.com: https://coinpaper.com/2096/exploiter-steals-over-2-million-from-balancer-with-flashloan-attacks
- [03] rekt.news: https://rekt.news/balancer-rekt