A company founded by two Argentines managed to recover part of the funds stolen in one of the largest crypto hacks of 2025, which affected Balancer, one of the most important platforms in the decentralized finance (DeFi) ecosystem. The attack, which occurred in late September and was made public in early November, allowed the attackers to drain more than 120 million dollars in cryptocurrencies from pools built on the Ethereum blockchain. Then one company managed to recover part of it.
Balancer works as a kind of automatic market without intermediaries: it allows users to deposit cryptocurrencies in liquidity pools and others to exchange them, all governed by computer programs known as smart contracts. The central promise of the system is that, once the rules are written in code, no one can modify them, as on any blockchain. However, when that code has flaws, the consequences can be million-dollar losses.
In this case, the hack targeted a specific version of Balancer (the so-called V2 Composable Stable Pools, a specific type of liquidity pool) and exploited a very subtle error in the protocol’s internal calculations. According to various technical analyses, a rounding flaw in trading allowed an attacker to gain a minimal advantage on each trade. Repeated thousands of times in an automated manner, that difference ended up becoming an enormous amount.
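The accumulation described above, as an added illustration (not Balancer's code or formulas, and not taken from the technical analyses the article mentions): a toy fixed-point quote rounded in the trader's favour beside the same quote rounded in the pool's favour, plus the audit-style check that tells them apart. `SCALE`, `PRICE` and all function names are assumptions made for this example.

```python
# Toy fixed-point pool (constructed values; not Balancer's math).
SCALE = 10**6        # fixed-point scale for the price (assumption)
PRICE = 1_500_000    # 1.5 units of token A per unit of token B (constructed)

def quote_floor(amount_out: int, price: int = PRICE) -> int:
    """Amount the trader pays, rounded DOWN: the pool absorbs the remainder."""
    return amount_out * price // SCALE

def quote_ceil(amount_out: int, price: int = PRICE) -> int:
    """Same quote rounded UP: the remainder stays in the pool."""
    return -(-amount_out * price // SCALE)

def pool_drift(quote, trades: int, amount_out: int, price: int = PRICE) -> int:
    """Cumulative pool loss in 1/SCALE units of token A (positive = pool lost value)."""
    owed = paid = 0
    for _ in range(trades):
        owed += amount_out * price                 # exact value that left the pool
        paid += quote(amount_out, price) * SCALE   # value that actually came in
    return owed - paid

def rounding_favors_pool(quote, max_amount: int = 1_000, price: int = PRICE) -> bool:
    """Property check for review or CI: no trade size may be under-charged."""
    return all(quote(a, price) * SCALE >= a * price
               for a in range(1, max_amount + 1))

if __name__ == "__main__":
    for name, q in (("floor", quote_floor), ("ceil", quote_ceil)):
        drift = pool_drift(q, trades=10_000, amount_out=1)
        print(f"{name:5s} drift={drift / SCALE:+.1f} token A, "
              f"favors_pool={rounding_favors_pool(q)}")
```

Each dust-sized trade under the floor-rounded quote costs the toy pool half a unit, and the loss grows linearly with the number of trades; the property check flags that quote without needing to simulate any trading sequence.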
While the Balancer team tried to contain the impact and warned users about possible scams and false messages, Bitfinding detected the problem in real time. The company was founded by Argentinians Felipe Manzano, from Rosario and with a degree in Computer Science from the National University of Rosario (UNR), and Sebastián Fernández, a specialist in systems exploitation who worked at companies such as Microsoft.
In a matter of seconds, the system managed to anticipate part of the maneuver and move vulnerable funds to a safe address before they were captured by the attackers. The result was the recovery of approximately one million dollars in cryptocurrencies, which were then returned to the Balancer protocol itself.
How was it possible to intervene in the middle of an ongoing hack, what technology allowed it, and why does this type of theft continue to occur even in blockchain-based systems? Manzano and Fernández answer in this interview about the power (and limitations) of the crypto world.
What was the robbery like and how did they recover part of the money?
─In a Trail of Bits technical report they explain that “the root cause of the hack was a rounding problem that had been present for years.” What would this be like?
─Imagine something everyday: you have $20,000 in the bank and you go to the ATM to withdraw $19,999. But to avoid small bills it gives you a $20,000 bill. This is similar to a rounding error and $1 is recorded in your account. If you repeated that operation many times, those small differences would accumulate until they add up to enormous figures. Something equivalent happened in Balancer. A rounding error in the calculations meant that, operation after operation, the attacker obtained a minimal accumulated advantage, until extracting millions. It would be impossible for a person to repeat it manually; for a program it is instantaneous.
─And this had not been detected?
─No, this error managed to evade multiple audits and hide among millions of dollars for several years, in part because its effect was almost imperceptible. It was a tiny rounding that only became relevant when it was repeated thousands of times and under certain conditions. In other words, a sleeping bug among millions of dollars, that only a very patient and technical attacker could wake up. Before the attack, Balancer was managing hundreds of millions of dollars in liquidity and the attacker managed to extract approximately 120–130 million dollars.
─How did they recover the money? How much did they recover?
─We recovered approximately one million dollars. On Monday, November 3, 2025, our monitoring system detected an attack in progress against Balancer, one of the main projects in the blockchain environment. In a matter of seconds we managed to understand the attacker’s maneuver, anticipate it and move part of the vulnerable funds to a safe address before they were stolen.
─How long did the process take to occur?
─Everything happened in less than 12 seconds, and each delay could mean millions in losses. Although the attack was much larger, we managed to rescue close to a million dollars, which we then returned to a governance address of the Balancer protocol itself, after informing the team and the security community.
─Were there other cases of asset recovery?
─Yes, this case with Balancer was not the first. We had already intervened in other incidents, helping different protocols and users to recover assets. In those cases, perhaps less visible, the dynamics were the same: detect the attack in time, anticipate and move the funds to a safe place before they are lost. Each situation has its history, with different vulnerabilities and unique contexts, but the objective is always the same: prevent people from losing their money. It gives us a lot of confidence to see that the system responds well and that we can make a real difference.
─How do you know who the money belongs to and how to return it?
─In blockchain everything is public: every movement of money leaves a clear trail. Thanks to this traceability we can know exactly which contract or address the funds come from and which protocol they belong to. After intercepting the hack and securing them, we follow a careful process to return them. We first notify security groups and the affected protocol team. Before transferring money, we verify their identity by asking them to complete an action on the blockchain that only they can execute. Once their legitimacy is confirmed, we return the entirety to an address controlled by the protocol itself. It is a half-technical, half-artisanal process, but with a clear objective: that the money returns to those to whom it really belongs.
Blockchain security
─In crypto there is great confidence in the security of the blockchain. However, we read about crypto thefts weekly. What generally happens in these cases?
─Blockchain is a technology that allows you to trust your money to computer programs instead of institutions or banks. This is key because once you agreed to the rules in those programs or smart contracts, no one can change them. Not a country, not a bank. That is, if you deposited cryptocurrencies, you will receive cryptocurrencies. That is the heart of the magic of blockchain.
─Then why are there robberies?
─Well, the robberies that appear in the news basically come in three “flavors.” The user authorizes the theft without realizing it: deception of the user is the most frequent. They make the person believe they are performing a harmless action, such as accepting a prize, but in reality they are tricking them into signing a transaction that gives their funds to the attacker. In blockchain there is no “undo” button: what’s done is done. These types of scams move, by far, more money than any complex hack. The biggest theft in history (not only crypto but in every sense) was crypto and falls into this category (1.5 billion dollars were stolen in one operation).
─Another common problem is errors in contracts.
─Of course, the second flavor is that there are subtle errors in the contracts’ code. Sadly, smart contracts are difficult to write and often have bugs. The platforms where people trade (like Balancer) are susceptible to errors. These vulnerabilities can be exploited by attackers to steal the money deposited on these platforms unless someone detects or stops them first. And the third flavor is the theft of access codes. This is like the theft of a home banking password. If an attacker, through a virus or hoax, manages to steal a person’s ‘private key’, they gain full control of their funds and can move them.
─What is Bitfinding and what crypto problems do they seek to solve?
─Bitfinding was born two years ago with a clear idea: to make the blockchain more secure at its most vulnerable points. We developed a system that monitors multiple blockchains in real time and is capable of intercepting complex attacks in milliseconds, even getting ahead of the hacker to save part of the funds, as happened in the case of Balancer. It is a job that we do autonomously and as a public good, because we believe that protecting the ecosystem is also a responsibility.
─Where are your efforts currently concentrated?
─Today we are focused on scaling and strengthening this protection infrastructure, to be able to cover more networks and more scenarios. The work involves improving the speed, autonomy and decision-making capacity of our systems, so that they can operate reliably even in complex and high-pressure contexts. In practice, this means collaborating with large protocols in the ecosystem, integrating an active defense layer that reduces the economic impact of errors, operational failures or attacks before they become irreversible losses. It’s about building active security infrastructure for Web3, so that episodes like Balancer become increasingly difficult to repeat.