Balancer cryptoheist exposes security gaps in blockchain-based financial systems

Written by Field Effect Security Intelligence Team | Nov 3, 2025 9:16:30 PM

On November 3, 2025, over $128 million in digital assets were stolen from Balancer, a decentralized finance (DeFi) protocol. Balancer is an automated market maker and a decentralized exchange, and DeFi refers to blockchain-based financial services that operate without centralized intermediaries.

Unlike traditional financial systems, DeFi protocols are permissionless and composable, allowing anyone to interact with them or build additional services on top of them. These systems rely on smart contracts, self-executing code deployed on public blockchains, to manage assets, execute trades, and enforce rules. Once deployed, smart contracts are difficult to modify, and vulnerabilities can propagate across interconnected systems.

Security researchers identified the root cause as a cross-chain callback vulnerability. A cross-chain callback vulnerability occurs when a smart contract improperly handles responses or interactions between blockchain networks, allowing attackers to trick the system into accepting fake instructions and performing actions it should normally reject.

In cross-chain setups, a smart contract on one blockchain may initiate a transaction that expects a response (callback) from another chain. If the contract does not strictly verify the origin, content, or permissions of that callback, an attacker can craft a malicious response that mimics a legitimate one.

This can result in unauthorized actions such as asset withdrawals, balance manipulation, or changes to contract state. The attack escalated quickly, with losses exceeding $116 million within the first hour.
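To make the verification gap concrete, here is an added illustration (not Balancer's code, and not taken from the post) of a hypothetical vault that acts on cross-chain callbacks. The first contract accepts any caller and any payload; the second checks the origin (the trusted messenger contract), the provenance (source chain and sender), and freshness (a per-message id) before touching state. All contract, function and parameter names are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical vault that receives "credit" instructions relayed from another
/// chain through a messaging contract. Names and interfaces are assumptions for
/// illustration, not Balancer's code.
contract UncheckedCallbackVault {
    mapping(address => uint256) public balances;

    // VULNERABLE: any caller can invoke this with any payload, so a fabricated
    // "callback" credits arbitrary balances that were never backed by deposits.
    function onMessageReceived(bytes calldata payload) external {
        (address to, uint256 amount) = abi.decode(payload, (address, uint256));
        balances[to] += amount;
    }
}

contract CheckedCallbackVault {
    address public immutable messenger;       // only contract allowed to deliver callbacks
    uint256 public immutable sourceChainId;   // chain the instructions must originate from
    address public immutable sourceSender;    // authorised sender contract on that chain
    mapping(bytes32 => bool) public consumed; // replay protection keyed by message id
    mapping(address => uint256) public balances;

    constructor(address _messenger, uint256 _sourceChainId, address _sourceSender) {
        messenger = _messenger;
        sourceChainId = _sourceChainId;
        sourceSender = _sourceSender;
    }

    // HARDENED: verify origin (msg.sender is the messenger), provenance (source
    // chain and sender) and freshness (message id not yet consumed), then
    // validate the payload before any state change.
    function onMessageReceived(
        bytes32 messageId,
        uint256 fromChainId,
        address fromSender,
        bytes calldata payload
    ) external {
        require(msg.sender == messenger, "untrusted messenger");
        require(fromChainId == sourceChainId, "wrong source chain");
        require(fromSender == sourceSender, "unauthorised source sender");
        require(!consumed[messageId], "replayed message");
        consumed[messageId] = true;
        (address to, uint256 amount) = abi.decode(payload, (address, uint256));
        require(to != address(0) && amount > 0, "invalid payload");
        balances[to] += amount;
    }
}
```

The messenger address, source chain id and source sender should be fixed at deployment or changeable only through governance, since a caller who can update them bypasses every check above.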

In Balancer’s case, the vulnerability allowed attackers to manipulate how its smart contracts processed automated responses between chains. The attackers exploited precision errors - small inaccuracies in numerical calculations - and flawed logic in smart contracts to extract large sums from the system.

Upon discovering the breach, Balancer reported they “paused vulnerable pools”, meaning they temporarily froze access to certain shared asset collections to prevent further damage. A recovery process was initiated, and the team began working with security researchers and legal advisors to investigate the incident.

Analyst insight

Cross-chain callbacks are common in DeFi, where smart contracts interact across blockchain networks to execute complex operations. If these callbacks are not strictly verified, they can become entry points for exploits. This incident underscores the operational risks of cross-chain smart contract interactions.

Whereas legacy financial systems can reverse transactions or freeze assets after an incident, blockchain protocols cannot. Attackers often use automated tools and bridges to move stolen funds quickly, complicating response efforts.

Vulnerabilities in smart contract code, cross-chain interactions, and governance mechanisms can be exploited at scale, often with irreversible consequences. While the described attack is not universally applicable to all smart contract use cases, other protocols that use cross-chain messaging and lack strict access controls could be at risk. Monitoring, auditing, and revocation tools are critical for managing exposure.