Key Highlights:
- The Balancer hacker bypassed a chain-level token freeze using the ERC-20 permit() function.
- 19.5 million stS tokens were moved from a Sonic-frozen wallet to a new address.
- The tokens were quickly swapped into WBTC and ETH.
According to a recent post by GoPlus Security on X (formerly Twitter), a wallet associated with the Balancer exploit used the permit() authorization function to move 19.5 million stS tokens (worth roughly $3 million) out of a frozen wallet address. The address had been frozen at the chain level by Sonic, yet the tokens were moved anyway through permit(), the gasless-approval mechanism that many ERC-20 tokens implement (the pattern standardized in EIP-2612).
How the Balancer Hacker Bypassed Asset Freezing via Permit Authorization
This morning, the @Balancer attacker transferred 19.5M $stS (~$3M) from the @soniclabs frozen address (0xf19f…fae2) to a new address using permit() authorization, then swapped it for WBTC/ETH. pic.twitter.com/RUO7OJQkA5
— GoPlus Security 🚦 (@GoPlusSecurity) November 11, 2025
How Did the Hacker Bypass the Freeze?
Sonic had frozen the address 0xf19f…fae2 at the chain level so that it could no longer send transactions or spend the native S token. Any transfer that had to originate from the wallet itself was therefore blocked. The stS token contract, however, implements permit().
permit() lets a token holder grant an allowance with a signature produced off-chain, instead of with an approve() transaction sent from their own address. Anyone can submit that signature to the token contract and pay the gas, so the frozen wallet never has to send a transaction. The attacker signed a permit with the frozen wallet's private key, submitted it from a fresh address, and that fresh address then called transferFrom() to pull the stS out of the frozen wallet.
That allowance let the attacker move the frozen stS tokens to the new address and immediately swap them for wrapped Bitcoin (WBTC) and Ether (ETH), liquidating the stolen assets.
Why the Freeze Failed
The freeze acted on the address as a sender of transactions and on the native S token; stS is a separate ERC-20 contract with its own balance and allowance logic. The freeze stopped the wallet from sending anything, but it did not stop a different, unfrozen address from submitting a permit signed by the frozen key and then spending the resulting allowance. Because stS supports permit(), the attacker could approve and move the tokens even though the address was frozen.
This is a stark reminder that a freeze which only blocks the frozen address from sending transactions is incomplete. Tokens that support permit(), or any allowance-based transfer, can be moved by a third party unless the token contract itself (or the freeze mechanism) also checks the holder whose balance is actually moving, not just the account that sent the transaction.
Security Recommendations and Industry Implications
In the same post, GoPlus Security urged DeFi platforms and security firms to adopt stronger pre-transaction security checks: systems that can detect permit()-style off-chain signature authorizations before a transaction is signed and sent, and warn users in real time.
They also called for freeze mechanisms that cover both on-chain approvals and off-chain permit signatures, so that attackers cannot sidestep a freeze simply by holding tokens that support permit().
Background of the Balancer Hack
On November 3, 2025, Balancer was exploited because of a rounding error in its smart contracts. The bug affected how Balancer's pools scaled and rounded token balances. The attacker repeatedly took advantage of the rounding mistake through swaps, slowly draining funds from multiple liquidity pools.
Balancer routes many pools across different blockchains through a single core contract, the Vault. Because of that design, the same bug affected pools on multiple networks, including Ethereum, Polygon, Arbitrum, Base and Berachain, and once the attacker had the rounding error working they could drain liquidity on every chain where affected pools existed.
Berachain was hit hard: it temporarily halted its network, performed an emergency hard fork to recover funds, and ultimately restored $12.8 million linked to the exploit.