Balancer Suffers $238,000 DNS Frontend Attack in Second Security Breach This Month

The decentralized finance protocol Balancer fell victim to a sophisticated DNS hijacking attack on September 19, 2023, resulting in approximately $238,000 in stolen cryptocurrency. The incident marks the second major security breach to hit the platform in less than a month, raising fresh concerns about the vulnerability of DeFi user interfaces.

The Exploit Mechanics

The attack targeted the Balancer frontend at balancer.fi through a domain name system compromise. Attackers executed a DNS exploit that allowed them to take control of the official website link and redirect users to a malicious version of the interface. When unsuspecting users visited the compromised site, they were prompted to approve malicious smart contracts that drained funds from their wallets. According to on-chain investigator ZachXBT, the stolen funds were directed to wallet address 0x645710Af050E26bB96e295bdfB75B4a878088d7E.

Security firm PeckShield reported that the attacker, associated with address 0xf998, exchanged 15.4 ETH for approximately 2,730 AVAX and subsequently transferred these funds to a MEXC exchange deposit address. On-chain data also revealed that the hacker bridged a portion of the stolen funds to Ethereum and Bitcoin, with a test transaction routed through the Tornado Cash mixer.

Affected Systems

Balancer operates as a community-governed protocol on the Ethereum network, functioning as an automated portfolio manager, liquidity provider, and price tracker. The platform supports seven EVM-compatible networks and held approximately $608 million in total value locked across Balancer v2 at the time of the attack. The governance token BAL was trading at about $3.27, down 2.5% over the preceding 24 hours, reflecting the broader market where Bitcoin held at $27,211 and Ethereum at $1,643.

Balancer issued an urgent warning at 11:49 PM UTC on September 19, urging users to avoid all interaction with the platform interface. A project contributor operating under the handle Cosme Fulanito confirmed that the protocol vault remained secure at 100% integrity, suggesting the attack was limited to the frontend layer.

The Mitigation Strategy

Following the breach, Balancer launched a full investigation into the DNS compromise. The team later confirmed that a social engineering attack was responsible for the DNS hijack, meaning the attackers manipulated individuals with access to DNS records rather than exploiting a technical vulnerability in the protocol itself. HashKey co-founder Ben El-Baz publicly questioned how the industry can better defend against attacks targeting Web 2.0 interfaces of decentralized applications.

Dappling Network founder 0xBookland recommended that protocols implement continuous monitoring systems that track where frontends are pointing and which contracts the frontend is interacting with, with automated alerts when deviations from expected behavior are detected. For individual users, security extensions such as Joinfire were recommended as additional protective layers.
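The monitoring 0xBookland describes can be reduced to a baseline comparison: record the DNS answers and the set of contract addresses the approved frontend references, then alert when a fresh observation deviates. The following is an added example of that check (not Balancer's or Dappling Network's tooling); the hostname, IP addresses and contract addresses are constructed placeholders, and the "observed" inputs stand in for what a scheduled resolver query and a fetch of the served frontend would return.

```python
"""Frontend integrity monitor: compare observed DNS answers and the contract
addresses referenced by a served dApp frontend against an approved baseline.

Added example, not Balancer's own code. Every hostname, IP and contract
address below is a constructed placeholder (reserved .invalid TLD and
TEST-NET ranges), not a real Balancer value.
"""
import re
from dataclasses import dataclass

# A 20-byte hex address as it appears in frontend JS/HTML.
ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")


@dataclass(frozen=True)
class Baseline:
    """What the team has approved: DNS answers and lowercase contract addresses."""
    hostname: str
    dns_answers: frozenset
    contracts: frozenset


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def extract_contracts(frontend_source: str) -> set:
    """Return every address referenced in the served frontend, lowercased."""
    return {m.lower() for m in ADDRESS_RE.findall(frontend_source)}


def check_frontend(baseline: Baseline, observed_dns: set, frontend_source: str) -> list:
    """Compare one observation against the baseline and return deviations.

    Three deviation kinds are reported, in this order:
      dns_deviation     the hostname resolves somewhere not on the approved list
      unknown_contract  the served UI references a contract the team never approved
      missing_contract  the served UI no longer references an approved contract
    """
    findings = []
    approved = {a.lower() for a in baseline.dns_answers}
    for ans in sorted({a.lower() for a in observed_dns} - approved):
        findings.append(Finding("dns_deviation",
                                f"{baseline.hostname} now resolves to unapproved target {ans}"))
    seen = extract_contracts(frontend_source)
    for addr in sorted(seen - baseline.contracts):
        findings.append(Finding("unknown_contract",
                                f"served frontend references unapproved contract {addr}"))
    for addr in sorted(baseline.contracts - seen):
        findings.append(Finding("missing_contract",
                                f"served frontend no longer references approved contract {addr}"))
    return findings


# --- constructed sample data (placeholders, not real addresses or hosts) ---
VAULT = "0x" + "11" * 20    # stand-in for the approved vault contract
DRAINER = "0x" + "22" * 20  # stand-in for a contract a hijacked UI would push users to approve

BASELINE = Baseline(
    hostname="app.example-dex.invalid",
    dns_answers=frozenset({"203.0.113.10"}),
    contracts=frozenset({VAULT}),
)

# What a healthy poll would see, and what a DNS-hijacked poll would see.
GOOD_DNS = {"203.0.113.10"}
BAD_DNS = {"198.51.100.77"}
GOOD_SOURCE = f'<script>const VAULT = "{VAULT}";</script>'
BAD_SOURCE = f'<script>const VAULT = "{DRAINER}"; approve("{DRAINER}")</script>'


if __name__ == "__main__":
    for label, dns, src in (("healthy", GOOD_DNS, GOOD_SOURCE), ("hijacked", BAD_DNS, BAD_SOURCE)):
        print(label, [f"{f.kind}: {f.detail}" for f in check_frontend(BASELINE, dns, src)])
```

In production the two inputs come from a resolver queried from several vantage points (a hijack at the registrar changes answers everywhere, a poisoned resolver only locally) and from fetching the frontend bundle itself; any non-empty finding list should page the team, since the healthy case returns nothing.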

Lessons Learned

This incident underscores a critical distinction in DeFi security: protocol-level smart contracts and user-facing frontends are entirely different attack surfaces. Even when the underlying protocol remains uncompromised, a hijacked frontend can cause significant financial losses. The Balancer DNS attack shows that social engineering remains a potent weapon in the attacker's arsenal, capable of bypassing even well-audited smart contract code.

The recurrence of attacks on Balancer — with a previous $900,000 exploit discovered on August 22 involving a critical flaw in liquidity pools — demonstrates that adversaries actively target platforms recovering from recent incidents, exploiting the period of disruption and user confusion.

User Action Required

Users who interacted with the Balancer frontend on or around September 19, 2023 should immediately revoke any token approvals granted during that period. Tools like Revoke.cash or Etherscan’s token approval checker can identify suspicious authorizations. Moving forward, DeFi users should verify the integrity of website URLs before connecting wallets, use hardware wallets for large holdings, and consider bookmarking verified protocol URLs to avoid falling victim to DNS-based redirection attacks. Always cross-reference official social media channels for security advisories before interacting with any DeFi platform following a reported incident.
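Tools such as Revoke.cash work by reading the ERC-20 `Approval` events a wallet has emitted. The following is an added example, not the code of Revoke.cash, Etherscan or Balancer, of the triage step those tools perform for the scenario described above: filter a wallet's `Approval` logs to the incident window, discard approvals to spenders the user already trusts, and rank what is left, with unlimited approvals first. The log entries are constructed to resemble `eth_getLogs` output; every address and block number is a placeholder, not a real on-chain value.

```python
"""Post-incident ERC-20 approval triage from Approval event logs.

Added example, not the code of any named tool or protocol. The log entries
below are constructed to look like eth_getLogs results; all addresses and
block numbers are placeholders, not real on-chain values.
"""

# keccak256 of the standard ERC-20 event signatures (topic0 values).
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
MAX_UINT256 = 2**256 - 1  # the "unlimited" allowance many dApps request


def topic_to_address(topic: str) -> str:
    """An indexed address is right-aligned in a 32-byte topic; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def triage_approvals(logs, owner, trusted_spenders, first_block, last_block):
    """Return approvals granted by `owner` in [first_block, last_block] to spenders
    outside `trusted_spenders`, unlimited allowances first, then by size."""
    owner = owner.lower()
    trusted = {s.lower() for s in trusted_spenders}
    suspicious = []
    for log in logs:
        topics = log["topics"]
        # Approval(address indexed owner, address indexed spender, uint256 value)
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        block = int(log["blockNumber"], 16)
        if not first_block <= block <= last_block:
            continue
        if topic_to_address(topics[1]) != owner:
            continue
        spender = topic_to_address(topics[2])
        if spender in trusted:
            continue
        amount = int(log["data"], 16)  # non-indexed value lives in data
        suspicious.append({
            "token": log["address"].lower(),
            "spender": spender,
            "amount": amount,
            "unlimited": amount == MAX_UINT256,
            "block": block,
        })
    suspicious.sort(key=lambda r: (not r["unlimited"], -r["amount"]))
    return suspicious


# --- constructed sample data (placeholders only) ---
OWNER = "0x" + "aa" * 20           # the wallet being triaged
OTHER_WALLET = "0x" + "bb" * 20    # an unrelated wallet; its logs must be ignored
TRUSTED_ROUTER = "0x" + "11" * 20  # a spender the user already vetted
DRAINER = "0x" + "22" * 20         # stand-in for a contract approved via a hijacked UI
TOKEN_A = "0x" + "33" * 20
TOKEN_B = "0x" + "44" * 20
WINDOW = (1_000_000, 1_001_000)    # placeholder block range covering the incident


def _pad(addr: str) -> str:
    """Encode an address as a 32-byte topic."""
    return "0x" + addr[2:].rjust(64, "0")


def _log(token, topic0, a, b, amount, block):
    return {"address": token, "topics": [topic0, _pad(a), _pad(b)],
            "data": "0x" + format(amount, "064x"), "blockNumber": hex(block)}


SAMPLE_LOGS = [
    _log(TOKEN_A, APPROVAL_TOPIC, OWNER, TRUSTED_ROUTER, 10**18, 999_500),      # before window
    _log(TOKEN_A, APPROVAL_TOPIC, OWNER, DRAINER, MAX_UINT256, 1_000_300),      # unlimited, unknown
    _log(TOKEN_B, APPROVAL_TOPIC, OWNER, DRAINER, 5 * 10**18, 1_000_310),       # limited, unknown
    _log(TOKEN_B, APPROVAL_TOPIC, OTHER_WALLET, DRAINER, MAX_UINT256, 1_000_320),  # not our wallet
    _log(TOKEN_A, TRANSFER_TOPIC, OWNER, DRAINER, 10**18, 1_000_330),           # Transfer, not Approval
]


def triage_sample():
    return triage_approvals(SAMPLE_LOGS, OWNER, {TRUSTED_ROUTER}, *WINDOW)


if __name__ == "__main__":
    for r in triage_sample():
        print(f"revoke {r['token']} -> {r['spender']} "
              f"({'UNLIMITED' if r['unlimited'] else r['amount']}, block {r['block']})")
```

Each entry in the result is one `approve(spender, 0)` the user should send; unlimited allowances come first because a single one lets the spender empty the whole token balance at any later time, so they are the priority even when the wallet has not yet been drained.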

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making investment decisions.

12 thoughts on “Balancer Suffers $238,000 DNS Frontend Attack in Second Security Breach This Month”

  1. second breach in one month for Balancer. at what point does the community stop trusting the protocol entirely? $238k is not huge but the pattern is alarming

    1. dns_watcher two breaches in a month and people still keep funds on these frontends. ENS plus IPFS hosting has been around for years and nobody uses it

  2. ZachXBT tracing the funds to a MEXC deposit address is typical. These attackers always use a mid tier exchange for cash out. Question is whether MEXC freezes it.

    1. bridging 15.4 ETH for 2730 AVAX to move funds around. classic laundering path through multiple chains before hitting an exchange

      1. funds bridged to AVAX then deposited to MEXC. classic multi-hop through altcoin chain to avoid BTC tracing. wonder if MEXC actually froze anything

  3. two breaches in one month and only 238k stolen. the second attack could have been way worse if the attacker was less sloppy

  4. DNS hijacking is such an old attack vector. Decentralized protocols relying on centralized DNS records for their front end is a fundamental design flaw.

    1. DNS hijack into malicious frontend into wallet drain. the chain is decentralized but the DNS layer is a single point of failure nobody wants to fix
