Here is what we know so far about the @balancer exploit: 1. The vulnerability has likely existed for nearly 5 years since the protocol's launch, evading detection despite audits 2. The root cause seems to stem from from improper authorization and callback handling during pool initialization This enabled attackers to deploy malicious contracts that manipulate vault calls and perform unauthorized swaps or balance drains across interconnected pools 3. There are speculations that the attackers are the same group behind the KyberSwap hack this is based on similarities in transaction log styles 4. Most stolen assets are derivative tokens (e.g., LSTs like osETH, wstETH + sts) giving some protocol teams to intervene by blacklisting addresses, pausing redemptions, or taking emergency actions before the hacker converts them to ETH (or the native asset) The hacker did seem to manage to convert STS to S across various wallets (not just the one wallet circulated around) 5. @berachain validator intentionally halted the network and executed a successful emergency hard fork to recover ~$12M in user funds from their BEX decentralization ❌ user protection ✅ im sure no one was complaining there 6. the ramifications of this incident are deep it's a "trust collapse" in DeFi. even a battle-tested protocol from 2020 can suffer near-total TVL loss, potentially deterring serious capital and setting back adoption 7. let's not forget that CertiK had given Balancer a security score of 86 prior to the hack This raises questions about the effectiveness of audits 8. The wallets were funded by tornado cash