
- Balancer outlines a pool-specific plan to return $8M recovered from its November exploit.
- White hats rescued $3.85M across four networks, while internal teams secured another $4.1M.
- Reimbursements will be paid in-kind, based on BPT holdings at snapshots taken before the first attack.
Balancer’s community is preparing to return millions in recovered assets to users affected by the protocol’s $116 million exploit earlier this month. A new proposal, released this week, lays out how roughly $8 million rescued by white hats and internal responders should be redistributed. Another segment of the recovered funds, nearly $20 million that StakeWise intercepted during the same incident, will move through that platform’s separate process.
A Recovery Plan Focused Only on Impacted Pools
The document outlines a reimbursement structure that avoids spreading losses across the wider ecosystem. Instead, each affected pool will receive back only what was recovered from its own missing balances. Compensation will be calculated using Balancer Pool Token holdings taken from snapshot blocks just before the first exploit transaction on each network.
[Image: Balancer v2 Hack Funds Set for Bold Community Redistribution (Source: Balancer)]
Payments will be made in the exact tokens that were originally taken. For example, liquidity providers who lost WETH, WPOL, rETH, or other assets will receive those same assets rather than a consolidated payout in a stablecoin. Community members say this prevents the distortions that can arise when victims are repaid in tokens they never held in the first place.
White hats retrieved about $3.85 million across Polygon, Ethereum, Base, and Arbitrum. Under Balancer’s Safe Harbor Agreement, these rescuers qualify for a 10% bounty in-kind, though some Arbitrum participants declined to identify themselves and therefore forfeited their reward.
An additional $4.1 million was saved in metastable pools through internal intervention coordinated with Certora. Those funds do not qualify for bounty payments because Certora was already engaged under an existing contract.
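The pool-specific, in-kind split described in this section can be sketched as follows. This is an added example, not code from the Balancer proposal. It assumes a pro-rata split by snapshot BPT share, a 10% bounty taken out of the recovered amount before distribution, and floor rounding on every share; all names and sample balances are constructed.

```python
BOUNTY_BPS = 1_000  # 10% white-hat bounty from the article, in basis points

def pool_claims(recovered, bpt_snapshot, whitehat):
    """Split ONE pool's recovered tokens among its snapshot BPT holders.

    recovered:    {token: amount in base units} recovered for this pool only
    bpt_snapshot: {holder: BPT balance at the pre-exploit snapshot block}
    whitehat:     True if a bounty applies (assumed to come out of the
                  recovered amount); False for the internal rescue
    """
    if any(v < 0 for v in bpt_snapshot.values()) or any(v < 0 for v in recovered.values()):
        raise ValueError("negative balance in input")
    total_bpt = sum(bpt_snapshot.values())
    if total_bpt == 0:
        raise ValueError("snapshot has no BPT supply")
    claims = {holder: {} for holder in bpt_snapshot}
    bounty, dust = {}, {}
    for token, amount in recovered.items():
        fee = amount * BOUNTY_BPS // 10_000 if whitehat else 0
        distributable = amount - fee
        paid = 0
        for holder, bpt in bpt_snapshot.items():
            # Floor every share so total claims never exceed the balance held.
            share = distributable * bpt // total_bpt
            claims[holder][token] = share
            paid += share
        bounty[token] = fee
        dust[token] = distributable - paid  # remainder left by flooring
    return claims, bounty, dust

def conserved(recovered, claims, bounty, dust):
    """True if, per token, claims + bounty + dust equals what was recovered."""
    return all(
        sum(c[t] for c in claims.values()) + bounty[t] + dust[t] == amt
        for t, amt in recovered.items()
    )

# Constructed sample data (not real balances or addresses).
SAMPLE_RECOVERED = {"WETH": 1000, "rETH": 101}
SAMPLE_SNAPSHOT = {"alice": 3, "bob": 3, "carol": 1}

if __name__ == "__main__":
    for label, wh in (("white-hat", True), ("internal", False)):
        claims, bounty, dust = pool_claims(SAMPLE_RECOVERED, SAMPLE_SNAPSHOT, wh)
        print(label, claims, bounty, dust, conserved(SAMPLE_RECOVERED, claims, bounty, dust))
```

Because each share is floored, the sum of claims can fall short of the distributable amount by a few base units per token, and that dust needs an explicit destination.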
The Exploit That Passed Through 11 Code Audits
The breach has revived an uncomfortable topic inside DeFi: how a system can undergo repeated audits yet still contain a vulnerability capable of producing such losses. Balancer’s team had commissioned 11 external audits from four security firms. Still, the attacker located a weakness deep in the rounding logic used in EXACT_OUT swaps in Stable Pools.
[Image: Balancer Code Audits (Source: Balancer GitHub)]
According to a post-mortem released on November 5, the issue stemmed from how the system rounded certain values downward. Under a narrow set of conditions, the attacker could force the logic to swing the other way and round upward instead. When this behavior was paired with a batched swap, which allows multiple operations inside a single transaction, the attacker could drain value from several pools in sequence.
The head of Cyvers, Deddy Lavid, described the breach as one of the most advanced attacks of the year, pointing to a broader shift in DeFi exploits. Incidents are increasingly emerging not from obvious coding errors, but from subtle cross-interactions between functions that audits may not fully simulate.
Where the Recovered Tokens Came From and How They Will Be Returned
The proposal lists detailed recovery totals: more than $2.6 million was secured on Polygon alone, mainly in WPOL, MaticX, and TruMATIC. On Ethereum, white hats retrieved close to $964,000 in assets that included WETH, osETH, and wstETH. Smaller returns were registered on Base and Arbitrum.
Internal rescue efforts added over $3.5 million on Ethereum, with the remainder on Optimism and Arbitrum. These funds are currently held in Balancer DAO multisig wallets on each network. Once the plan is approved, distribution contracts will be deployed to allow users to claim their tokens.
Claimants will need to verify their eligibility through their historical BPT holdings and agree to updated terms releasing the DAO and related organizations from liability tied to the exploit. Any funds unclaimed after 180 days will be labeled dormant and redirected through a separate governance vote.
What Balancer Users Should Expect Next
If the community approves the proposal, the next steps include confirming snapshot blocks, processing white hat verification, and opening the claim system for liquidity providers. The plan marks the protocol’s largest coordinated reimbursement effort since the incident and is intended to rebuild confidence after one of the year’s most technically challenging breaches. StakeWise, meanwhile, will distribute its recovered assets independently.















