- StakeWise takes back $20 million from Balancer hacker.
- The protocol used a loophole in the ownership structure of its smart contracts to do so.
When a hacker stole $128 million from decentralised finance protocol Balancer yesterday, depositors were left reeling.
Now, there’s a glimmer of hope: liquid staking platform StakeWise, issuer of some of the stolen assets, says it has recovered $20 million from the attacker.
“The recovered funds will be returned to the users affected in the Balancer V2 exploit, distributed pro-rata according to their pre-exploit balances,” StakeWise said in a Monday X post.
In a post-mortem, StakeWise said it was able to intervene only because of a loophole in the ownership structure of its smart contracts.
The recovered assets include about $19 million in osETH tokens and $1.7 million in osGNO.
Those tokens, along with around $100 million more, were drained from Balancer in a sophisticated exploit that targeted a bug in the liquidity protocol’s code.
That’s despite the protocol receiving multiple audits from some of the industry’s most prominent security firms.
The losses add to a record-breaking year for crypto hacks, which has so far seen over $2.2 billion stolen, according to a July report from Chainalysis, a blockchain analytics firm.
How it worked
A wallet controlled by StakeWise’s DAO — a collective of token holders who govern the protocol — played a decisive role in the recovery.
Here’s how it happened.
The smart contracts behind the stolen tokens are tied to so-called controllers: addresses with the authority to mint (create) or burn (destroy) tokens in any holder’s wallet, without that holder’s consent. The osETH token contract itself is owned by the StakeWise DAO, which lets holders of its SWISE governance token approve upgrades through onchain votes.
Late on Monday night, the seven signers of the DAO’s multi-signature wallet sprang into action. They carried out a series of transactions temporarily registering the DAO wallet as a controller for osETH and osGNO.
With that power, the DAO burned the tokens sitting in the hacker’s wallet and minted an identical amount into its own wallets on Ethereum and Gnosis Chain, leaving the total supply of each token unchanged. A final transaction then revoked the controller privileges and restored the setup to how it was before the exploit.
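The four-step sequence above, grant, burn, mint, revoke, replayed against a toy model of a controller-gated token. This is an added illustration, not StakeWise’s osETH or osGNO contract code: the class and function names (ControlledToken, set_controller, freeze_controllers, recover) and the balances are hypothetical, and the "freeze" step is one generic way of closing such a loophole, not a description of the StakeWise proposal.

```python
from dataclasses import dataclass, field


class NotAuthorized(Exception):
    """Raised when a caller lacks the role a function requires."""


@dataclass
class ControlledToken:
    """Hypothetical model of a token whose 'controllers' may mint or burn any
    holder's balance, and whose owner (the DAO multisig) decides who the
    controllers are. Names, roles and numbers are constructed for illustration."""

    owner: str
    controllers: set = field(default_factory=set)
    balances: dict = field(default_factory=dict)
    controllers_frozen: bool = False
    log: list = field(default_factory=list)  # ordered record, like an event log

    @property
    def total_supply(self) -> int:
        return sum(self.balances.values())

    def set_controller(self, caller: str, account: str, enabled: bool) -> None:
        # Owner-only, and permanently disabled once the controller set is frozen.
        if caller != self.owner:
            raise NotAuthorized("only owner may change controllers")
        if self.controllers_frozen:
            raise NotAuthorized("controller set is frozen")
        if enabled:
            self.controllers.add(account)
        else:
            self.controllers.discard(account)
        self.log.append(("set_controller", account, enabled))

    def freeze_controllers(self, caller: str) -> None:
        # Closing the loophole: after this, the owner can never add a controller again.
        if caller != self.owner:
            raise NotAuthorized("only owner may freeze")
        self.controllers_frozen = True
        self.log.append(("freeze_controllers",))

    def burn(self, caller: str, holder: str, amount: int) -> None:
        # A controller can destroy tokens in ANY address; the holder signs nothing.
        if caller not in self.controllers:
            raise NotAuthorized("only a controller may burn")
        if self.balances.get(holder, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[holder] -= amount
        self.log.append(("burn", holder, amount))

    def mint(self, caller: str, to: str, amount: int) -> None:
        if caller not in self.controllers:
            raise NotAuthorized("only a controller may mint")
        self.balances[to] = self.balances.get(to, 0) + amount
        self.log.append(("mint", to, amount))


def recover(token: ControlledToken, dao: str, attacker: str) -> dict:
    """Replay the recovery: grant, burn, mint, revoke. Returns the facts an
    onlooker would verify afterwards: balances, supply delta, controller set."""
    supply_before = token.total_supply
    controllers_before = set(token.controllers)
    stolen = token.balances.get(attacker, 0)
    token.set_controller(dao, dao, True)   # tx 1: DAO registers itself as a controller
    token.burn(dao, attacker, stolen)      # tx 2: zero the attacker's balance
    token.mint(dao, dao, stolen)           # tx 3: recreate the same amount in the DAO wallet
    token.set_controller(dao, dao, False)  # tx 4: hand the privilege back
    return {
        "attacker": token.balances.get(attacker, 0),
        "dao": token.balances.get(dao, 0),
        "supply_delta": token.total_supply - supply_before,
        "controllers_restored": token.controllers == controllers_before,
    }


def demo() -> tuple:
    dao, vault, attacker, alice = "dao_multisig", "vault", "attacker", "alice"
    # Constructed state: 'vault' is the normal controller; attacker holds 19 stolen units.
    tok = ControlledToken(owner=dao, controllers={vault},
                          balances={attacker: 19, alice: 5})
    outcome = recover(tok, dao, attacker)
    # Close the loophole, then show the same sequence can no longer be run.
    tok.freeze_controllers(dao)
    try:
        recover(tok, dao, attacker)
        blocked = False
    except NotAuthorized:
        blocked = True
    return outcome, blocked


if __name__ == "__main__":
    print(demo())
```

The point to check on-chain after such a recovery is the same one the model returns: the attacker’s balance is zero, the DAO’s balance rose by exactly that amount, total supply did not move, and the controller set is back to what it was. Note that in this model freezing only stops new controllers from being added; existing controllers keep their mint and burn rights, so an auditor still has to enumerate who they are.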
Closing the loophole
While victims welcomed the recovery, it also exposed just how centralised StakeWise really is.
The existence of the loophole is at odds with the ethos of many in the DeFi industry, who advocate for protocols to minimise the need for users to trust the people building them.
Because of this, StakeWise has put forward a proposal, to be voted on by its DAO, to remove the functionality altogether.
“Monday November 3 was the first time that the powers of the emergency multisig were invoked,” StakeWise said.
“We believe it would be right to also make it the last such time.”
Tim Craig is DL News’ Edinburgh-based DeFi correspondent. Reach out to him with tips at tim@dlnews.com.