Orbit v2 is now live.
This update pushes Orbit further toward a true trading terminal on Hedera —
where discovery, analysis, and execution all live in one place.
Private Key in .env era is officially over.
Thanks to @zerosnacks and @0xMablr, you will soon be able to use your browser wallet to sign Forge scripts.
forge script script/Counter.s.sol --broadcast --browser
Massive win for smart contract operational security.
Just tested the new @hgraph MPC integration with @AnthropicAI claude. Analyzed an entire NFT collection (3,000 tokens) in seconds - pulled holder distribution, concentration metrics, and on-chain data just by talking to the clanker. Easy to set up too.
Huge thanks to the @coingecko team for their prompt development work that remediated @hedera ecosystem HTS asset price / volume discrepancies (vs @saucerswaplabs actuals) on their platform 🙏
If using @coingecko to track ecosystem assets, this should now be fixed 💪
Not sure why many point to https://t.co/ll38tOEBZc and call it an access-control bug. However, that TX looks like a legitimate withdrawal where the attacker simply pulled profits.
The actual exploit appears to be https://t.co/99V1njuqMQ.
The root cause is convoluted, but at a high level, the attacker performed a large number of swaps in three stages.
Take the pool 0xdacf5fa19b1f720111609043ac67a9818262850c000000000000000000000635 as an example, which involves three tokens: WETH (index 0), Balancer osETH/wETH StablePool BPT (index 1), and osETH (index 2).
One important thing to note is that Balancer does internal balance updates for these swaps without requiring the attacker to actually transfer real tokens into the contract.
As a result, the final assetDeltas are:
[
-4,623,601,508,853,283,067,843,
-44,154,666,355,785,411,629,
-6,851,122,954,235,076,557,965
]
meaning the Balancer pool lost across all three tokens.
To understand the attack, it helps to look at how the pool balances changed over time.
Initial balances
[
4,922,356,564,867,078,856,521,
2,596,148,429,267,421,974,637,745,197,985,291,
6,851,581,236,039,298,760,900
]
Stage 1:
The attacker swapped BPT → WETH and osETH.
These swaps increased BPT balance while reducing WETH and osETH to very small numbers:
[
67,000,
2,596,148,429,279,270,468,626,385,806,469,170,
67,000
]
Stage 2:
The attacker repeatedly swapped WETH ↔ osETH, introducing rounding errors that made both balances even smaller:
[
889,
2,596,148,429,279,270,468,626,385,806,469,170,
1,472
]
Stage 3:
The attacker swapped WETH and osETH back → BPT.
Due to the rounding errors in Stage 2, the effective price of BPT against WETH and osETH was manipulated downward.
Hence, the attacker could now acquire more BPT using less WETH and osETH than in Stage 1.
This explains why the attacker’s contract ended up with increased balances of all three tokens, while the Balancer pool lost in all of them.
The same strategy was repeated on other pools in the same transaction, and similarly on Balancer and its forks across other chains.
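A monitoring check built from the balances quoted in the post above, as an added example that is not part of the original post or of Balancer's code. It measures how much a single truncated base unit distorts a balance at each stage and flags the dust-level snapshots; the tolerance `MAX_UNIT_ERROR` and all function names are assumptions.

```python
from fractions import Fraction

# Balances quoted in the post, ordered [WETH, BPT, osETH].
SNAPSHOTS = {
    "initial": [4922356564867078856521,
                2596148429267421974637745197985291,
                6851581236039298760900],
    "stage1": [67000, 2596148429279270468626385806469170, 67000],
    "stage2": [889, 2596148429279270468626385806469170, 1472],
}
# assetDeltas quoted in the post; negative means the pool lost that token.
ASSET_DELTAS = [-4623601508853283067843,
                -44154666355785411629,
                -6851122954235076557965]

MAX_UNIT_ERROR = Fraction(1, 10**9)  # assumed alerting tolerance, not a protocol value


def unit_rounding_error(balance):
    """Worst-case relative error from truncating one base unit at this balance."""
    return Fraction(1, balance) if balance > 0 else Fraction(1)


def flag_snapshot(balances, bpt_index=1):
    """Indices of non-BPT tokens whose balance is small enough that a
    one-unit truncation exceeds the tolerance."""
    return [i for i, b in enumerate(balances)
            if i != bpt_index and unit_rounding_error(b) > MAX_UNIT_ERROR]


def error_growth(before, after):
    """How many times larger the one-unit error became between two balances."""
    return unit_rounding_error(after) / unit_rounding_error(before)


def review(snapshots, deltas):
    """Per-snapshot flags plus a check that the pool lost every token."""
    report = {name: flag_snapshot(b) for name, b in snapshots.items()}
    report["pool_lost_every_token"] = all(d < 0 for d in deltas)
    return report


if __name__ == "__main__":
    print(review(SNAPSHOTS, ASSET_DELTAS))
    print(float(error_growth(67000, 889)))  # WETH, Stage 1 -> Stage 2
```

At the initial balances one base unit is negligible, while at the Stage 1 and Stage 2 balances it is a visible fraction of the balance, which is the condition a pool monitor or a minimum-balance guard would alert on.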
An OG Ethereum DEX Balancer got rekt for ~$70M.
GM.
Root cause (kudos to Defimon Signals) was a faulty check.
Still not clear what Balancer versions are affected, but not all of them.
ethereum is for privacy,
here are just 11 things you may not know exist today
1) confidential tokens (ERC-7984)
there’s a proposed wip token standard that hides balances and transfer amounts. same ERC-20 interface, but encrypted data instead of plain numbers.
AKA: you can send someone money without the whole internet knowing how much.
2) encrypted data standard (ERC-7995)
lets smart contracts process encrypted inputs (things like bids, votes, or secret values) and still verify them correctly.
AKA: imagine a calculator that can add two numbers without ever seeing them. it just knows the math checks out.
3) fheERC-20 + fhEVM (Fully Homomorphic Encryption)
running contracts that compute entirely over ciphertext. even the contract itself never sees your data.
AKA: your data stays locked in a box, and the blockchain still does math on it.
4) stealth addresses (EIP-5564)
lets you receive funds privately through a one-time address that only you can link to your main wallet.
AKA: it’s like having a burner mailbox that automatically forwards to your real one, but no one can trace it.
5) private governance (MACI)
used in DAO and grant voting. you can vote anonymously, but everyone can still verify the count is fair.
AKA: like secret ballots but onchain and provably correct.
6) anonymous actions (Semaphore)
enables you to prove you’re part of a group and signal or vote without revealing who you are.
AKA: you raise your hand in a crowd and everyone sees a hand, nobody knows it was yours.
7) selective disclosure (zk)
zk-badges let you prove something about yourself (like “I donated to X” or “I’m over 18”) without revealing your wallet or identity.
AKA: show the bouncer you’re old enough without showing your whole ID.
8) private layer-2s
Many of the best researchers in crypto are building full rollups where smart contracts run on encrypted state. you can do DeFi privately and share viewing keys if needed.
AKA: scalable versions of a scaled ethereum where only you (or people you choose) can see what you’re doing.
9) private orderflow
routes your swaps privately so bots can’t sandwich you. your transaction is encrypted until it’s safely in the block.
AKA: like whispering your trade to the cashier instead of shouting it in a busy market.
10) compliant privacy (eg privacy pools)
lets users prove their funds didn’t come from bad actors without revealing who they are.
AKA: you show that your money is clean without showing where it came from.
11) web2 proof bridges (zkTLS + TLSNotary)
you can now prove something from a website (like income or identity) directly to a smart contract, without exposing your personal data.
AKA: prove “I am not a twitter user with 500 followers” without showing your account.
Wild to see how sharp the @TradeInOrbit community is.
After every big red candle on memes in the last 24h, it’s Orbit users with limit orders scooping the bottom first. Advanced tooling pays off.
Imagine sitting on the can and out trading your bro glued to chart.