Balancer hack: Update

Following the Balancer exploit, roughly $128M in assets were drained across multiple chains, including about $9.4M on Gnosis Chain. The specifics are still under investigation but it was unequivocally a malicious exploit.

We immediately took what action was possible, coordinating with affected issuers and infrastructure operators to minimize impact. Monerium froze the compromised EURe balances, and a similar measure was explored with Stakewise for osGNO, together protecting over €3M in value. The remaining assets were still held as Balancer V2 account balances and bridge governors temporarily halted bridge activity to provide time for further analysis and coordination.

The robust decentralization of our network means that unilateral action is impossible. However, our network of ~340,000 validators, including the large number of smaller independent validators who form the backbone of Gnosis Chain, do have limited options. These include doing nothing, or executing a hard or soft fork.

Our goal remains to get to a point where censorship - even at the validator level - is impossible. But, since validators do still have an ability to act, the question is how we use it. To stand aside because power can be abused or to act responsibly while we can?

A hard fork would require all ~340,000 validators to upgrade almost immediately, disrupting consensus and burdening operators. Anyone who failed to upgrade in time, typically smaller independent validators who are not online 24/7, would be penalized for remaining on the “wrong” fork. While they could be compensated after the fact, this would be sub-optimal.

By contrast, a soft fork allows validators to voluntarily adopt a client that simply refuses to attest to blocks moving the hacker’s balances. This avoids network disruption, respects validator autonomy, and provides time to coordinate a broader response.

In our view, a hack of this magnitude warrants community coordination and a validator vote. The process had to be handled with utmost discretion to avoid alerting the attacker but, with over 50% of validators in favor of a soft fork, this has now been implemented. While the stolen funds are now frozen and cannot be accessed by the hacker, redistributing them to their rightful owners will require a hard fork in the future. This can be included in a regular scheduled network update and will be communicated publicly ahead of time.

It is our opinion that exercising this collective power transparently, to protect users, is part of our responsibility, even as we work toward a future where no one has that power at all.

Now that the threat has been neutralized, bridges will reopen.

12 Likes

It’s really quite strange…
When it’s your own money that’s lost, you act much more quickly than when it’s the money of dozens of individuals.
I’m not criticizing your intervention. I know, you know, everyone knows that you have total control of the multisig holding the assets as well as most of the validators. What I’m criticizing is the double standard.

The European regulator must be rubbing their hands together right now; you’ve surely already condemned yourselves to being reclassified as a centralized provider.

Your talk about your so-called virtues, about wanting to create a fairer, more equitable world, is in complete contradiction with your recent acts…

Selon que vous serez puissant ou misérable Les jugements de cour vous rendront blanc ou noir.

3 Likes

When it’s your own money that’s lost, you act much more quickly than when it’s the money of dozens of individuals.

The whole topic is complicated and deserves a longer answer. I know all the arguments to not do those kind of forks - but I can already say that it is exactly “money of dozens of individuals” that I care about the most here. I personally did not had any funds in the effected balancer pools - sure indirectly I am effected by GnosisDAO loosing funds but the funds the DAO had effected where less than 2% of its holdings.

What triggered me to try to get the soft-fork done (and it still remains to be seen if it succeeds) was indeed protecting user. What described as " Low-risk defi" is what Gnosis has focused on in the last couple of years. And I can not:

  1. promote users / “normal people” our products
  2. if something happens not do anything I can to try to fix it
5 Likes

Hello, thank you for the update.

This is a topic that raises many questions from various perspectives, with both pros and cons.

Personally, I have mixed feelings about the approach to choose. Fundamentally, I’m in favor of decentralization and accountability, but from a more rational point of view and with a future in mind, it’s conceivable that the hard fork proposal could be justified.

The problem here, and what should determine whether or not a hard fork is necessary, is having a clear framework for the conditions for such a hard fork, and a clear process, enshrined in smart contracts that are difficult to modify, so that the actors who choose the Gnosis chain are aware of the rules.

In my rational thinking, which conflicts with my personal convictions, I understand that for growth and the future, this kind of action will be necessary for mass adoption, because institutions, and most people, will want a guarantee that they can attempt to recover the funds; they simply won’t accept the fact that what happened and that nothing can be done.

Another problem I see is the potential collateral effect of a hack that could be recovered. During the period of disruption, other protocols are potentially impacted. A hack can cause malfunctions and temporary imbalances, which can lead to liquidations and various losses that wouldn’t occur under normal circumstances. For example, I’ve noticed that DEX aggregators aren’t functioning correctly, thus preventing asset swaps. We can therefore imagine people who had positions on AAVE being liquidated because they couldn’t swap or repatriate funds due to the disruptions. This highlights an injustice between those directly and indirectly impacted.

Another point raised by this post is that we’re talking about Balancer, with fewer than 10 million assets. This would also apply to any protocol in the Gnosis Chain, whether well-known or lesser-known. What are the limits for justifying a soft/hard fork, a bridge freeze, and other actions? What about hacks of 9 million, 1 million, 10k, or 1k assets? And what about hacks of personal wallets?

This is a complex issue that isn’t limited to the millions involved in this hack. It sets a precedent for many cases, raising questions about justifying future applications of the same process or refusing to implement it. In my opinion, we need to be able to debate and decide on all these aspects before even proposing a hard fork.

For the sake of transparency, neither I nor RealT, for whom I work, are directly or indirectly impacted by this hack from a financial standpoint. Therefore, this reflection can be considered free from any irrational emotional bias related to this hack.

8 Likes

Why didn’t you speak up when I fought for months to shut down this very same pool that was hacked today?

Why weren’t you there to support me when I was trying to recover the 700k lost by your teams?

3 Likes

I understand your problem; that’s exactly what I was talking about in my previous message. The actions taken here for the Balance hack, and future actions, will have a significant impact on the philosophy behind the blockchain.

Regardless of the direction taken, things must be clear and governed without individual interpretation by one or more influential people.

As mentioned, personally, I would be in favor of doing nothing; that’s how Bitcoin was created. However, from a rational point of view, having a clear, strict policy, ideally enshrined in a Standard Core, seems essential to me for taking the path of a fork that repairs a hack. But first and foremost, we must define the limits of activating this measure, which, in my opinion, is essential to attract more participants less sensitive to immutability, or even participants for whom immutability is a key consideration.

It’s also necessary to ensure that an external entity cannot activate or force the activation of the process, such as a malicious state, or even respond to legal requests (a matter open to debate).

Just like the auditors’ responsibility, I also find it unacceptable to have contracts audited and yet bear no financial responsibility for a hack, but that’s another topic that doesn’t belong here.

Therefore, I believe your request should be addressed directly to your problem, but also that this should serve as an example of the problem of granting a fork in one case but not in another. This highlights the difficulty in setting a limit to say, “Yes, we will do it,” and “No, we will not.”

4 Likes

Where can one find instructions to become part of that softfork or not?

1 Like

Me, as a smaller Independent validators, wouldn’t mind to be penalized if I missed the discussion about doing a fork or not., as long as I know in advance where to have a look to see whats going on.
As long as you have controll of enough validators to decide about this internally it’s fine and you should proceed as you did, but gnosischain is decentralized shouldn’t
be said anymore till this changes.

While I appreciate the urgency and coordination shown, I believe forking should remain a last resort. It introduces significant risks to consensus, validator fairness, and long-term network credibility.

There may be alternative paths to making affected users whole that preserve protocol neutrality and avoid setting precedents around validator-level censorship.

I support continued dialogue and transparency, but I’d urge the community to explore all non-forking options before escalating further.

3 Likes

Yes, I really hope there will be a constructive debate here, because it’s an important point that can change many parameters for all types of participants (project creator, user, validator, etc.).

4 Likes